ByteOS Network

CVE Vulnerability Details :

CVE-2026-2635

PUBLISHED

More Info Official Page

Assigner-zdi

Assigner Org ID-99f1926a-a320-47d8-bbb5-42feb611262e

Published At-20 Feb, 2026 | 22:25

Updated At-20 Feb, 2026 | 22:25

▼CVE Numbering Authority (CNA)

MLflow Use of Default Password Authentication Bypass Vulnerability

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

Affected Products

Vendor

MLflow

Product

MLflow

Default Status

unknown

Versions

Affected

3.4.0

Problem Types

Type	CWE ID	Description
CWE	CWE-1393	CWE-1393: Use of Default Password

Type: CWE

CWE ID: CWE-1393

Description: CWE-1393: Use of Default Password

Metrics

Version	Base score	Base severity	Vector
3.0	9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Version: 3.0

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Hyperlink	Resource
https://www.zerodayinitiative.com/advisories/ZDI-26-111/	x_research-advisory
https://github.com/mlflow/mlflow/pull/19260	vendor-advisory

Hyperlink: https://www.zerodayinitiative.com/advisories/ZDI-26-111/

Resource:

x_research-advisory

Hyperlink: https://github.com/mlflow/mlflow/pull/19260

Resource:

vendor-advisory

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References