Weak Password Requirements in mlflow/mlflow
Description
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In MLflow 2.18 an admin can create user accounts without setting a password, which leaves those accounts open to unauthorized access. Fixed in 2.19.0.
Root Cause
In MLflow 2.18 the account-creation form (the signup page served by the basic-auth module) did not enforce a password requirement: the password input carried no minlength attribute, so an administrator could submit an empty or very short password [1][4]. This omission violates standard secure account management practice.
Exploitation
An attacker who already holds administrative privileges on the MLflow instance can create new user accounts with no password set [1]. This could be performed through the web UI or the API, since the backend did not validate that a password was provided. The only prerequisite is an authenticated admin session; no further bypass is required.
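To confirm whether a given deployment actually accepts a passwordless account over the API path described above, here is an added probe script (mine, not MLflow's). It assumes the server runs MLflow's basic-auth app and that its user-management endpoints are /api/2.0/mlflow/users/create and /api/2.0/mlflow/users/delete taking JSON bodies (verify against your version), and that you hold admin credentials; the probe user name and the verdict strings are my own choices.

```python
"""Probe an MLflow basic-auth server for CVE-2025-1474 behaviour.

Added example, not MLflow project code.  Assumptions (verify for your
deployment): the server runs with `--app-name basic-auth`, the endpoints
below exist and accept JSON, and the caller is an admin.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

# Endpoint paths as used by MLflow's basic-auth module (assumption: unchanged
# in your version).
CREATE_USER = "/api/2.0/mlflow/users/create"
DELETE_USER = "/api/2.0/mlflow/users/delete"


def basic_auth_header(user, password):
    """RFC 7617 Basic credentials, which the basic-auth app expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def user_request(base_url, admin_user, admin_pw, path, method, body):
    """Build the JSON request an admin client would send to `path`."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={
            "Authorization": basic_auth_header(admin_user, admin_pw),
            "Content-Type": "application/json",
        },
    )


def classify(status):
    """Turn the HTTP status of the create call into a verdict.

    200 means the server stored an account with an empty password, i.e. it
    relied on the browser-side minlength attribute; 4xx means the server
    itself rejected the request.
    """
    if status == 200:
        return "VULNERABLE: empty password accepted"
    if 400 <= status < 500:
        return "OK: server rejected the empty password"
    return f"INCONCLUSIVE: unexpected status {status}"


def probe(base_url, admin_user, admin_pw, probe_user="cve-2025-1474-probe"):
    """Try to create `probe_user` with password "" and clean it up again.

    Returns the verdict from classify().  An account that does get created
    is deleted immediately so the probe does not leave an open door behind.
    """
    req = user_request(base_url, admin_user, admin_pw, CREATE_USER, "POST",
                       {"username": probe_user, "password": ""})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    verdict = classify(status)
    if status == 200:
        cleanup = user_request(base_url, admin_user, admin_pw, DELETE_USER,
                               "DELETE", {"username": probe_user})
        try:
            urllib.request.urlopen(cleanup, timeout=10)
        except urllib.error.HTTPError as err:
            verdict += f" (cleanup failed: HTTP {err.code}; delete {probe_user} by hand)"
    return verdict


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} BASE_URL ADMIN_USER ADMIN_PASSWORD")
    print(probe(*sys.argv[1:]))
```

Run it as `python probe.py http://mlflow-host:5000 admin 'adminpw'` against a staging copy first; only the create and delete calls touch the server, and the script reports the server's own behaviour rather than anything the HTML form does.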
Impact
An account with no password can be accessed by anyone who knows, or can enumerate, its username. Depending on that account's permissions this allows data exposure, model tampering, or other actions within the MLflow platform [1].
Mitigation
The issue is fixed in MLflow 2.19.0 by adding a minlength validation attribute to the password field [4]. Users should upgrade to the latest version; no workarounds are mentioned. Note that minlength is enforced by the browser, not the server, so after upgrading confirm that the create-user endpoint itself rejects an empty password, and review accounts created on affected versions: a hashed empty password looks like any other hash in the user table, so the check has to verify each stored hash against the empty string rather than look for blank columns.
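Because the referenced patch is an HTML attribute, the server-side check is what actually matters. The following added example (not MLflow code) shows a hypothetical create-user handler in a 2.18-like form that stores whatever it receives beside a hardened form that validates first, plus an audit that finds already-created accounts whose stored hash verifies against the empty string. The PBKDF2 demo store, `UserStore`, `MIN_PASSWORD_LENGTH` and the request bodies are all constructed for the example.

```python
"""Server-side password enforcement and audit for account creation.

Added example, not MLflow's code: `UserStore` is a stand-in for the real
user table and both handlers are hypothetical.
"""
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 12  # assumption: policy value chosen for the example
PBKDF2_ITERATIONS = 100_000


class PasswordPolicyError(ValueError):
    """Raised when a new password fails the server-side policy."""


def validate_new_password(username, password):
    """Reject what an HTML minlength attribute cannot guarantee: a missing
    field, an empty or whitespace-only string, a short string, or the
    username itself."""
    if not isinstance(password, str):
        raise PasswordPolicyError("password missing from request")
    if not password.strip():
        raise PasswordPolicyError("password is empty")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise PasswordPolicyError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.casefold() == username.casefold():
        raise PasswordPolicyError("password must differ from username")


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 for the demo store (use werkzeug or argon2
    in production).  Hashing '' yields an ordinary-looking hash, which is why
    an audit cannot simply look for blank columns."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256:{salt.hex()}:{digest.hex()}"


def verify_password(stored, candidate):
    """Constant-time comparison of `candidate` against a stored hash."""
    _, salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """Minimal stand-in for the users table: username -> password hash."""

    def __init__(self):
        self.users = {}

    def create_user_vulnerable(self, params):
        """2.18-like behaviour: trusts the form.  If the browser-side minlength
        check was skipped (curl, JSON API, edited page), the account is stored
        with an empty password."""
        self.users[params["username"]] = hash_password(params.get("password", ""))
        return True

    def create_user_hardened(self, params):
        """Validate on the server before anything reaches the store."""
        username = params.get("username")
        if not username:
            raise PasswordPolicyError("username missing from request")
        validate_new_password(username, params.get("password"))
        self.users[username] = hash_password(params["password"])
        return True


def audit_empty_passwords(store):
    """Usernames whose stored hash verifies against the empty string, i.e.
    accounts an affected version may have created without a password."""
    return sorted(u for u, h in store.users.items() if verify_password(h, ""))


def demo():
    """Run both handlers on constructed empty-password requests, then audit."""
    store = UserStore()
    vulnerable_accepted = store.create_user_vulnerable({"username": "alice", "password": ""})
    try:
        store.create_user_hardened({"username": "bob", "password": ""})
        hardened_accepted = True
    except PasswordPolicyError:
        hardened_accepted = False
    return {
        "vulnerable_accepted": vulnerable_accepted,
        "hardened_accepted": hardened_accepted,
        "accounts_without_password": audit_empty_passwords(store),
    }


if __name__ == "__main__":
    print(demo())
```

The audit transfers to a real deployment by replacing `verify_password` with whatever verifier matches the stored hash format; if the store holds werkzeug hashes, as I understand MLflow's basic-auth module does (verify against your version), that is `werkzeug.security.check_password_hash(stored, "")` per row.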
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mlflow (PyPI) | < 2.19.0 | 2.19.0 |
Affected products
4 entries:
- osv-coords (2 versions): < 2.19.0, + 1 more
- (no CPE) range: < 2.19.0
- (no CPE) range: < 2.19.0
- mlflow/mlflow/mlflow (v5) range: unspecified
Patches
1 file changed · +2 −2
mlflow/server/auth/__init__.py+2 −2 modified@@ -748,11 +748,11 @@ def signup(): </div> <label for="username">Username:</label> <br> - <input type="text" id="username" name="username"> + <input type="text" id="username" name="username" minlength="4"> <br> <label for="password">Password:</label> <br> - <input type="password" id="password" name="password"> + <input type="password" id="password" name="password" minlength="4"> <br> <br> <input type="submit" value="Sign up">
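Review bot: the only change in this hunk is the browser-side `minlength="4"` attribute on the two inputs, and `minlength` is enforced by the browser, not the server: a client that edits the attribute out of the page, or that submits to the create-user handler directly (curl, the JSON users API), still sends an empty password, so the handler that receives this form needs its own reject-empty-or-short check for the fix to hold outside the UI. Also, `+ <input type="password" id="password" name="password" minlength="4">` sets a floor of four characters with no comment explaining the choice, and the matching `minlength="4"` on the username field is not mentioned in the advisory; consider a higher minimum, defined once server-side and reflected in the form, with a short note on the policy.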
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5 references:
- https://github.com/advisories/GHSA-4rj2-9gcx-5qhx (ADVISORY, via GHSA)
- https://nvd.nist.gov/vuln/detail/CVE-2025-1474 (ADVISORY, via GHSA)
- https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17 (WEB, via GHSA)
- https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2025-17.yaml (WEB, via GHSA)
- https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d (WEB, via GHSA)
News mentions (0)
No linked articles in our index yet.