Vulnerability in Mlflow
CVE-2026-2635
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The…
EPSS: 0.015 (81.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Mlflow — versions 3.4.0
Weakness classification (CWE)
References
- ZDI-26-111 (x_research-advisory)
- vendor-provided URL (vendor-advisory)
Frequently asked questions
- What is CVE-2026-2635?
- CVE-2026-2635 is a critical-severity vulnerability in Mlflow, classified under CWE-1393. CVSS score: 9.8/10. Published 2026-02-20.
- How severe is CVE-2026-2635?
- Critical severity. CVSS v3 base score is 9.8 out of 10.