CVE-2026-2635
Severity: CRITICAL 9.8 | EPSS: 1.5%
MLflow Use of Default Password Authentication Bypass Vulnerability
Published: 2026/2/21 | Modified: 2026/3/17
Description
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.
Affected packages (1)
- PyPI/mlflow: versions from 0, < 3.8.0rc0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-2635
- PATCH: https://github.com/mlflow/mlflow
- WEB: https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4
- WEB: https://github.com/mlflow/mlflow/pull/19260
- WEB: https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0
- WEB: https://www.zerodayinitiative.com/advisories/ZDI-26-111