Critical severity 9.8 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026
CVE-2026-2635
Description
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mlflow (PyPI) | < 3.8.0rc0 | 3.8.0rc0 |
References
- github.com/advisories/GHSA-gq3w-7jj3-x7gr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-2635 (ghsa, ADVISORY)
- github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4 (ghsa, WEB)
- github.com/mlflow/mlflow/pull/19260 (nvd, WEB)
- github.com/mlflow/mlflow/releases/tag/v3.8.0rc0 (ghsa, WEB)
- www.zerodayinitiative.com/advisories/ZDI-26-111 (ghsa, WEB)
- www.zerodayinitiative.com/advisories/ZDI-26-111/ (nvd)