cbcvebase.
CVE-2026-2635
published 2026-02-20

CVE-2026-2635: MLflow Use of Default Password Authentication Bypass Vulnerability

Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 7.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
EPSS: 0.97% (57.4th percentile)
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

Affected

21 ranges

Vendor   Product                                                       Version range      Fixed in
mlflow   mlflow
mlflow   mlflow                                                        >= 0 < 3.8.0rc0    3.8.0rc0
rhoai    odh-mlflow-rhel9
rhoai    odh-pipeline-runtime-datascience-cpu-py312-rhel9
rhoai    odh-pipeline-runtime-pytorch-cuda-py312-rhel9
rhoai    odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9
rhoai    odh-pipeline-runtime-pytorch-rocm-py312-rhel9
rhoai    odh-pipeline-runtime-tensorflow-cuda-py312-rhel9
rhoai    odh-pipeline-runtime-tensorflow-rocm-py312-rhel9
rhoai    odh-th06-cpu-torch210-py312-rhel9
rhoai    odh-th06-cuda130-torch210-py312-rhel9
rhoai    odh-th06-rocm64-torch291-py312-rhel9
rhoai    odh-training-cuda128-torch29-py312-rhel9
rhoai    odh-workbench-codeserver-datascience-cpu-py312-rhel9
rhoai    odh-workbench-jupyter-datascience-cpu-py312-rhel9
rhoai    odh-workbench-jupyter-pytorch-cuda-py312-rhel9
rhoai    odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9
rhoai    odh-workbench-jupyter-pytorch-rocm-py312-rhel9
rhoai    odh-workbench-jupyter-tensorflow-cuda-py312-rhel9
rhoai    odh-workbench-jupyter-tensorflow-rocm-py312-rhel9
rhoai    odh-workbench-jupyter-trustyai-cpu-py312-rhel9

Detection & IOCs (extracted from sources)

  • The flaw lies in MLflow's basic_auth.ini configuration file, which ships with hard-coded default admin credentials. Any deployment running the basic-auth app with those defaults still in place is exploitable with no prior authentication; comparing the file's admin_username and admin_password against the shipped values is the simplest indicator of exposure.
  • Exploitation runs inside the MLflow Python application process. Monitor for unexpected child processes or code execution spawned from the mlflow server process context.
  • Red Hat has assessed all listed RHOAI container images (e.g., odh-mlflow-rhel9) as Not Affected, so detection effort should be prioritised on upstream/vanilla MLflow deployments.
  • No vendor-provided mitigation currently meets Red Hat Product Security criteria; treat every unpatched MLflow instance still using the default basic_auth.ini credentials as fully exposed, and upgrade to the fixed version listed above (3.8.0rc0) or rotate the credentials.
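A checker for the two detection points above (the shipped default in basic_auth.ini, and whether a running tracking server still accepts it), written as an added example for this entry; it is not code from the page, from ZDI or from the MLflow project. It assumes the admin defaults published in MLflow's documented basic_auth.ini (admin / password1234), assumes the tracking server serves GET /api/2.0/mlflow/experiments/search, and audits a constructed SAMPLE_INI; the function names are the example's own.

```python
"""Check an MLflow basic-auth deployment for the shipped default admin credentials.

Two independent checks:
  check_ini()           parse a basic_auth.ini and flag default admin_username /
                        admin_password values
  probe_default_creds() send one request to a live tracking server with the
                        default credentials and report whether it accepts them
"""
import base64
import configparser
import json
import sys
import urllib.error
import urllib.request

# ASSUMPTION: the admin defaults as published in MLflow's documented basic_auth.ini.
# Compare with the basic_auth.ini inside your installed mlflow.server.auth package.
KNOWN_DEFAULTS = {
    "admin_username": {"admin"},
    "admin_password": {"password1234"},
}

# Constructed sample in the layout of the shipped file; not taken from a real host.
SAMPLE_INI = """\
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = admin
admin_password = password1234
authorization_function = mlflow.server.auth:authenticate_request_basic_auth
"""


def check_ini(ini_text: str) -> list[str]:
    """Return findings for a basic_auth.ini; an empty list means no default found."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section("mlflow"):
        return ["no [mlflow] section: not an MLflow basic_auth.ini"]
    section = parser["mlflow"]
    findings = []
    for key, defaults in KNOWN_DEFAULTS.items():
        value = section.get(key)
        if value is None:
            findings.append(f"{key} not set in this file")
        elif value.strip() in defaults:
            findings.append(f"{key} is the shipped default ({value.strip()!r})")
    return findings


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials, exactly what an attacker would send."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def classify_status(status: int) -> str:
    """Map the probe's HTTP status to a verdict."""
    if status == 200:
        return "DEFAULT CREDENTIALS ACCEPTED: server is exposed"
    if status in (401, 403):
        return "defaults rejected (credentials changed or a different auth app)"
    return f"inconclusive HTTP {status}"


def probe_default_creds(base_url: str, username: str = "admin",
                        password: str = "password1234", timeout: float = 5.0) -> dict:
    """Authenticate once against a live server using the defaults.

    ASSUMPTION: GET /api/2.0/mlflow/experiments/search is served by the tracking
    server and the basic-auth app answers 401 for bad credentials. Network
    failures are reported in the result instead of raised, so many hosts can be
    scanned in a loop. Only run this against servers you are authorised to test.
    """
    url = base_url.rstrip("/") + "/api/2.0/mlflow/experiments/search?max_results=1"
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, password)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    except urllib.error.URLError as err:
        return {"url": url, "status": None, "verdict": f"unreachable: {err.reason}"}
    return {"url": url, "status": status, "verdict": classify_status(status)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:                      # no argument: audit the constructed sample
        print("\n".join(check_ini(SAMPLE_INI)))
    elif target.startswith(("http://", "https://")):
        print(json.dumps(probe_default_creds(target), indent=2))
    else:                                   # a path to a basic_auth.ini
        with open(target, encoding="utf-8") as fh:
            print("\n".join(check_ini(fh.read()) or ["no default credentials found"]))
```

Run it with no argument to see the constructed sample flagged on both keys, with a path to audit a deployed basic_auth.ini, or with a base URL to probe a live server. An HTTP 200 from the probe is direct confirmation of the condition this entry describes (the server still honours the shipped admin password); a 401 means the credentials were changed or a different authorization_function is in use, and anything else should be checked by hand.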

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.3    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat           9.8    CRITICAL