CVE-2025-11200: mlflow: security flaw enables exploitation

GHSA-6xj8-rrqx-r4cv CRITICAL
Published October 29, 2025
CISO Take

MLflow is the de facto ML lifecycle platform — if your team runs experiment tracking or a model registry, assume this instance is your crown jewels. A CVSS 9.8 unauthenticated network bypass means any attacker with network access owns your entire ML pipeline: models, training data, experiments, and artifacts. Patch to 2.22.0rc0 immediately or isolate MLflow behind a network-level auth proxy until you can patch.

What is the risk?

CRITICAL. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) is as bad as it gets: remotely exploitable, trivially simple, no prerequisites. MLflow instances are frequently exposed on internal networks with minimal segmentation, and sometimes accidentally internet-facing. The weak password bypass (CWE-521) likely means an empty or trivially guessable password is accepted. EPSS is currently low (0.00245) but this will increase rapidly once PoC tooling emerges — the zero-authentication condition makes mass scanning trivial. MLflow's privileged position in ML pipelines amplifies blast radius far beyond a typical web app breach.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
MLflow    pip         (not stated)       No patch
MLflow    pip         < 2.22.0rc0        2.22.0rc0

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.4% chance of exploitation in 30 days (higher than 68% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. PATCH

    Upgrade MLflow to >= 2.22.0rc0 immediately. Reference commit: 1f74f3f24d8273927b8db392c23e108576936c54.

  2. ISOLATE

    If patching is delayed, block external access to MLflow ports (default 5000) at the firewall/security group level. Place the instance behind a reverse proxy (nginx/Caddy) that enforces HTTP Basic Auth or mTLS as a compensating control.

  3. AUDIT

    Review MLflow access logs for unexpected authenticated sessions, model registry changes, or artifact downloads in the past 90 days.

  4. INVENTORY

    Enumerate all MLflow instances in your environment — dev, staging, and prod. Shadow MLflow deployments are common in data science teams.

  5. DETECT

    Alert on MLflow login events from non-corporate IP ranges, unusual model promotion events, and bulk artifact downloads.

  6. CREDENTIAL ROTATION

    If any MLflow instance was exposed, assume all credentials stored in MLflow experiments (API keys, DB strings hardcoded in notebooks) are compromised.
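The AUDIT and DETECT steps above, as an added example that is not part of this advisory or of MLflow itself: a small triage script that applies the three DETECT conditions to access-log lines. It assumes combined-format logs from the gunicorn or nginx in front of the tracking server, the corporate address ranges shown, and the MLflow REST paths named in the code; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample (not real traffic): combined-format access-log lines of an MLflow tracking server.
SAMPLE_LOG = [
    '10.1.2.3 - alice [29/Oct/2025:10:00:01 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 512',
    '203.0.113.7 - admin [29/Oct/2025:10:05:10 +0000] "GET /api/2.0/mlflow/registered-models/search HTTP/1.1" 200 2048',
    '203.0.113.7 - admin [29/Oct/2025:10:09:00 +0000] "POST /api/2.0/mlflow/model-versions/transition-stage HTTP/1.1" 200 120',
    '198.51.100.9 - - [29/Oct/2025:10:10:00 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 401 40',
] + [f'203.0.113.7 - admin [29/Oct/2025:10:05:{12 + i} +0000] "GET /get-artifact?path=model/part{i}.bin'
     f'&run_uuid=abc123 HTTP/1.1" 200 9000' for i in range(5)]
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed corporate ranges
# Tracking-server REST paths that change the "production" version, and paths serving artifact bytes (confirm for your MLflow version).
PROMOTION_PATHS = {"/api/2.0/mlflow/model-versions/transition-stage", "/api/2.0/mlflow/registered-models/alias"}
ARTIFACT_PREFIXES = ("/get-artifact", "/model-versions/get-artifact")
BULK_THRESHOLD = 5  # artifact requests from one (ip, user) that count as a bulk download
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    m = LOG_RE.match(line)  # fields of one access-log line, or None if it does not parse
    if not m:
        return None
    ev = m.groupdict()
    ev["status"], ev["path"] = int(ev["status"]), ev["path"].split("?", 1)[0]  # drop the query string
    return ev

def is_corporate(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)
    except ValueError:  # not an IP literal
        return False

def triage(lines):
    """(rule, ip, user, detail) findings for the three conditions named in the DETECT step."""
    findings, external, downloads = [], set(), Counter()
    for ev in filter(None, map(parse, lines)):
        if ev["status"] >= 400:
            continue  # the server rejected the request; only successful actions are of interest
        ip, user, path = ev["ip"], ev["user"], ev["path"]
        if user != "-" and not is_corporate(ip) and (ip, user) not in external:
            external.add((ip, user))  # report each external account/source pair once
            findings.append(("external_authenticated_access", ip, user, path))
        if ev["method"] == "POST" and path in PROMOTION_PATHS:
            findings.append(("model_promotion", ip, user, path))
        if path.startswith(ARTIFACT_PREFIXES):
            downloads[(ip, user)] += 1
    for (ip, user), n in downloads.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk_artifact_download", ip, user, f"{n} artifact requests"))
    return findings
```

Run it over the real log on an instance to get a first pass for the 90-day review in the AUDIT step; the same three rules map directly onto SIEM alerts.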

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, Robustness and Cybersecurity
  • Article 9 - Risk Management System
ISO 42001
  • A.8.3 - AI Supply Chain Security
  • A.9.2 - AI System Access Control
NIST AI RMF
  • GOVERN-6.2 - AI Risk in the Supply Chain
  • MANAGE-2.4 - Residual Risks and Countermeasures
OWASP LLM Top 10
  • LLM05:2025 - Improper Output Handling / Insecure Plugin and Tool Design

Frequently Asked Questions


Is CVE-2025-11200 actively exploited?

No confirmed active exploitation of CVE-2025-11200 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2025-11200?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model registry, training pipelines, experiment tracking systems, model serving infrastructure, automated ML CI/CD pipelines.

What is the CVSS score for CVE-2025-11200?

CVE-2025-11200 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.36%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelines, model registry, training pipelines, experiment tracking systems, model serving infrastructure, automated ML CI/CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0018.000 Poison AI Model
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.8.3, A.9.2
NIST AI RMF: GOVERN-6.2, MANAGE-2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

Exploitation Scenario

An adversary performing reconnaissance against an AI-enabled organization scans for MLflow's default port 5000 or discovers the instance via exposed environment variables or internal documentation. They attempt authentication with a blank password or trivially weak credential (e.g., 'admin'/'admin'), bypassing the authentication check due to CWE-521. Once authenticated, the attacker browses the model registry to identify the organization's production models, downloads them for offline IP theft, and uploads a trojanized version of the most-used model with identical metadata. Because many MLflow deployments use automated promotion pipelines, the poisoned model is promoted to the production serving endpoint without human review. The model now exfiltrates inference inputs or produces subtly manipulated outputs — detected only when downstream business metrics degrade.

Weaknesses (CWE)

CWE-521 — Weak Password Requirements: The product does not require that users should have strong passwords.

  • [Architecture and Design] A product's design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
      ◦ Enforcement of a minimum and maximum length
      ◦ Restrictions against password reuse
      ◦ Restrictions against using common passwords
      ◦ Restrictions against using contextual string in the password (e.g., user id, app name)
    Depending on the threat model, the password policy may include several additional attributes. See NIST 800-63B [REF-1053] for further information on password requirements. Increasing the range of characters makes the password harder to crack and may be appropriate for systems relying on single factor authentication. Unfortunately, a complex password may be difficult to memorize, encouraging a user to select a short password or to incorrectly manage the password (write it down). Another disadvantage of this approach is that it often does not result in a significant increases
  • [Architecture and Design] Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.

Source: MITRE CWE corpus.
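One way to enforce the attributes listed in the CWE-521 mitigation above, as an added example that is neither MLflow code nor part of the CWE corpus: a policy check a deployment can run before accepting a new or changed password. The length limits, the denylist and the app name are assumptions; the reuse history is kept as salted PBKDF2 digests rather than plaintext.

```python
import hashlib
import os

MIN_LEN, MAX_LEN = 12, 128  # assumed policy values; NIST 800-63B asks for at least 8 and room for long passphrases
# Constructed denylist; a real deployment checks against a breached-password corpus instead.
COMMON_PASSWORDS = {"password", "admin", "mlflow", "123456", "letmein", "qwerty", "admin123"}

def hash_password(password, salt=None):
    """Salted PBKDF2 digest, the form in which the reuse history is kept (never plaintext)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password_policy(password, username, app_name="mlflow", history=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history: (salt, digest) pairs from hash_password() for the account's previous passwords.
    """
    problems = []
    # An empty password is rejected here: the length rule is what stops a blank credential.
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("password is on the common-password denylist")
    for ctx in (username, app_name):  # contextual strings: user id and application name
        if ctx and ctx.lower() in lowered:
            problems.append(f"password must not contain {ctx!r}")
    if any(hash_password(password, salt)[1] == digest for salt, digest in history):
        problems.append("password was used previously")
    return problems
```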

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: October 29, 2025
Last Modified: December 31, 2025
First Seen: October 29, 2025
