CVE-2026-2635: MLflow Use of Default Password Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.
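A defender-side configuration check for the issue described above, added here as an example and not MLflow's own code: it parses a basic_auth.ini and flags an administrator account that still carries shipped default credentials. It assumes the documented MLflow layout (a `[mlflow]` section with `admin_username` and `admin_password` keys); the `KNOWN_DEFAULTS` pair and the sample file are constructed for the example and should be checked against the MLflow release actually deployed.

```python
"""Audit an MLflow basic_auth.ini for default admin credentials (added example)."""
import configparser
import sys

# Assumed shipped default credential pair; confirm against your MLflow version.
KNOWN_DEFAULTS = {("admin", "password")}

# Constructed sample: a basic_auth.ini left unchanged after installation.
SAMPLE_INI = """\
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = admin
admin_password = password
authorization_function = mlflow.server.auth:authenticate_request_basic_auth
"""


def audit_basic_auth_ini(text: str) -> list[str]:
    """Return findings for the given ini text; an empty list means nothing flagged."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    if not cp.has_section("mlflow"):
        return ["no [mlflow] section: admin credentials cannot be verified"]
    user = cp.get("mlflow", "admin_username", fallback=None)
    pwd = cp.get("mlflow", "admin_password", fallback=None)
    if user is None or pwd is None:
        findings.append("admin_username/admin_password not set in file")
    elif (user, pwd) in KNOWN_DEFAULTS:
        findings.append("admin credentials match a known shipped default")
    elif len(pwd) < 12:
        # Local policy threshold, not an MLflow requirement.
        findings.append("admin_password shorter than 12 characters")
    return findings


if __name__ == "__main__":
    # Usage: python audit_basic_auth.py /path/to/basic_auth.ini
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    for finding in audit_basic_auth_ini(source) or ["no issues found"]:
        print(finding)
```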
References
- github.com/advisories/GHSA-gq3w-7jj3-x7gr
- github.com/mlflow/mlflow
- github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4
- github.com/mlflow/mlflow/pull/19260
- github.com/mlflow/mlflow/releases/tag/v3.8.0rc0
- nvd.nist.gov/vuln/detail/CVE-2026-2635
- www.zerodayinitiative.com/advisories/ZDI-26-111