CVE-2026-2635
Deferred
Deferred - Pending Action
Authentication Bypass in MLflow via Default Password Enables RCE
Vulnerability report for CVE-2026-2635, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-02-20
Last updated on: 2026-06-30
Assigner: Zero Day Initiative
Description
Description
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mlflow | mlflow | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1393 | The product uses default passwords for potentially critical functionality. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |