Critical (9.8)

Software Authentication Bypass (CVE-2026-2635) - Patch Now

CVE-2026-2635

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not requi...

Overview

A critical security vulnerability has been identified in MLflow, an open-source platform for managing the machine learning lifecycle. This flaw allows unauthenticated remote attackers to completely bypass the platform’s login protections and gain administrative control.

Vulnerability Explanation

In simple terms, the vulnerability exists because a default, hard-coded username and password are stored in a specific configuration file (basic_auth.ini). When MLflow is deployed with basic authentication enabled, it uses these pre-set, publicly known credentials unless administrators change them. Because no prior authentication is needed to attempt a login, an attacker can simply log in with these default credentials and gain access.

Impact and Risk

The impact of this vulnerability is severe (CVSS Score: 9.8 - CRITICAL). A successful attacker can:

  • Bypass Authentication: Log in directly as an administrator without needing a valid password.
  • Execute Arbitrary Code: Create, modify, or delete machine learning experiments, models, and deployment pipelines.
  • Compromise Integrity and Confidentiality: Access sensitive data used in ML workflows, inject malicious code into models, or disrupt entire ML operations.
  • Use as an Initial Attack Vector: Gain a foothold in the environment to launch further attacks against internal networks.

Any MLflow instance with basic authentication enabled that has not changed the default credentials is vulnerable.

Remediation and Mitigation

Immediate action is required to secure affected deployments.

Primary Remediation:

  1. Change Default Credentials Immediately: Locate the basic_auth.ini file in your MLflow deployment directory.
  2. Replace the default username and password values with strong, unique credentials. Ensure the password is complex and not used elsewhere.
  3. Restart your MLflow tracking server for the changes to take effect.

Important Mitigation Steps:

  • Inventory: Identify all MLflow tracking servers in your environment.
  • Verify: Confirm that every instance uses unique, strong credentials in the basic_auth.ini file. The presence of the default credentials means the system is vulnerable.
  • Network Security: As a secondary control, restrict network access to MLflow servers (e.g., using firewalls or VPNs) to only trusted users and systems, minimizing the attack surface.
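The remediation steps above and the "Verify" item both come down to one check: does the deployed basic_auth.ini still carry the credentials MLflow ships with? The following audit script is an added example, not code from the advisory or from the MLflow project. It assumes the file has an [mlflow] section with admin_username and admin_password keys (the key names MLflow's auth module uses, to my knowledge), and instead of hard-coding any default values it compares the deployed file against a copy of the shipped template, so it needs no secret knowledge and stays correct if the project changes its defaults. All sample file contents below are constructed placeholders, not the real defaults.

```python
import configparser
from typing import List, Optional, Tuple

# Constructed stand-in for the template MLflow installs with the package.
# The values are placeholders; in practice pass the real installed copy.
SHIPPED_TEMPLATE = """\
[mlflow]
admin_username = <shipped-default-user>
admin_password = <shipped-default-password>
"""

# Constructed: a deployment whose operator never edited the file.
UNCHANGED_DEPLOYMENT = SHIPPED_TEMPLATE

# Constructed: a deployment whose credentials were rotated properly.
ROTATED_DEPLOYMENT = """\
[mlflow]
admin_username = mlops-admin
admin_password = Correct-Horse-Battery-Staple-2026
"""

# Constructed: rotated, but to a password too short to be acceptable.
WEAK_DEPLOYMENT = """\
[mlflow]
admin_username = mlops-admin
admin_password = Summer2026
"""

MIN_PASSWORD_LENGTH = 16  # local policy threshold (assumption, adjust to yours)


def _admin_creds(ini_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Parse the [mlflow] section and return (admin_username, admin_password).

    Interpolation is disabled so a '%' in a password cannot break parsing.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("mlflow"):
        return None, None
    section = cp["mlflow"]
    return section.get("admin_username"), section.get("admin_password")


def audit_basic_auth(deployed_ini: str, shipped_ini: str) -> List[str]:
    """Return a list of findings for a deployed basic_auth.ini.

    An empty list means the file does not use the shipped defaults and the
    admin password meets the length policy.
    """
    findings: List[str] = []
    dep_user, dep_pass = _admin_creds(deployed_ini)
    ship_user, ship_pass = _admin_creds(shipped_ini)

    if dep_user is None or dep_pass is None:
        findings.append("admin_username/admin_password missing from [mlflow] section")
        return findings

    # The condition the advisory describes: credentials identical to the template.
    if dep_user == ship_user and dep_pass == ship_pass:
        findings.append("admin credentials are identical to the shipped defaults (vulnerable)")
    elif dep_pass == ship_pass:
        # Username changed but the password was left alone: still guessable.
        findings.append("admin_password is still the shipped default (vulnerable)")

    if len(dep_pass) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin_password shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


def audit_file(deployed_path: str, shipped_path: str) -> List[str]:
    """Convenience wrapper: audit a deployed file against the installed template."""
    with open(deployed_path, encoding="utf-8") as f:
        deployed = f.read()
    with open(shipped_path, encoding="utf-8") as f:
        shipped = f.read()
    return audit_basic_auth(deployed, shipped)


if __name__ == "__main__":
    for label, ini in [("unchanged", UNCHANGED_DEPLOYMENT),
                       ("rotated", ROTATED_DEPLOYMENT),
                       ("weak", WEAK_DEPLOYMENT)]:
        result = audit_basic_auth(ini, SHIPPED_TEMPLATE)
        print(f"{label}: {result or 'OK'}")
```

To run this against a real server, point audit_file at the basic_auth.ini the tracking server actually loads and at the template inside the installed mlflow package; to my knowledge MLflow reads the path of the active file from the MLFLOW_AUTH_CONFIG_PATH environment variable when it is set, so check that variable first so you audit the file in use rather than a stale copy. After rotating the credentials and restarting the server, rerun the audit as the "Verify" step.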

Best Practice: Avoid relying solely on basic authentication for production systems. Consider implementing more robust authentication mechanisms, such as integrating with your organization’s identity provider (e.g., via OAuth or SSO), especially for instances exposed to or accessible from untrusted networks.

This vulnerability is tracked as ZDI-CAN-28256 and assigned CVE-2026-2635.
