CVE-2026-2635: mlflow: hardcoded default credentials in basic_auth.ini enable authentication bypass

GHSA-gq3w-7jj3-x7gr CRITICAL CISA: TRACK*
Published February 20, 2026
CISO Take

MLflow's basic_auth.ini ships with hardcoded default credentials, meaning any attacker with network access to your MLflow instance can bypass authentication and execute arbitrary code as administrator — no credentials needed beyond the publicly known defaults. If MLflow is reachable from the internet or an untrusted network segment, treat this as a critical incident: isolate, patch via PR #19260, and rotate all credentials immediately. Audit access logs for unauthorized activity dating back to February 2026.

Risk Assessment

Effective severity is CRITICAL despite unscored CVSS. The combination of hardcoded credentials (CWE-1393), zero authentication required, and arbitrary code execution as admin creates a trivially exploitable attack chain. MLflow instances are commonly deployed with default configurations in data science environments, often without rigorous network segmentation. The blast radius extends beyond the MLflow service itself — admin access exposes the entire ML artifact store, registered models, experiment runs, and any connected infrastructure.

Affected Systems

Package: mlflow
Ecosystem: pip
Vulnerable Range: < 3.8.0rc0
Patched: 3.8.0rc0

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 1.1% chance of exploitation in 30 days (higher than 79% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Advanced

Attack Surface

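Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High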

Recommended Action

Immediate (0-24h):
  1. Determine if MLflow is internet-exposed or accessible from untrusted networks — isolate if so.
  2. Apply patch from MLflow PR #19260 or upgrade to a fixed version.
  3. Change all credentials in basic_auth.ini; do not rely on defaults.
  4. Review access logs for unexpected admin activity since 2026-02-20.

Short-term (1-7 days):
  5. Enforce network-level access controls — MLflow should never be internet-facing without a reverse proxy enforcing authentication.
  6. Replace basic_auth with a proper IdP integration (OIDC/SAML).
  7. Audit all registered models and artifacts for tampering or unexpected modifications.

Detection: Alert on authentication events to MLflow admin endpoints; monitor for new model registrations or artifact uploads from unexpected sources.
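
A configuration check for the credential-rotation step above, added here as an example (it is not MLflow's code and not part of the original advisory): it compares a deployed basic_auth.ini against the copy shipped with the package and flags an admin credential that is unchanged or weak. The `[mlflow]` section and the `admin_username` / `admin_password` key names are assumptions about the file layout, and every sample value is a constructed placeholder.

```python
import configparser

SECTION = "mlflow"  # assumed section name in basic_auth.ini

# Constructed samples; the credential values are placeholders, not MLflow's real defaults.
SHIPPED = """[mlflow]
default_permission = READ
admin_username = shipped-user-placeholder
admin_password = shipped-password-placeholder
"""
DEPLOYED_UNCHANGED = SHIPPED
DEPLOYED_ROTATED = """[mlflow]
default_permission = READ
admin_username = mlops-admin
admin_password = c0nstructed%Example-Passphrase-42
"""


def _section(text):
    # interpolation=None: a password may legitimately contain '%'
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser[SECTION]) if parser.has_section(SECTION) else None


def audit_auth_config(deployed_text, shipped_text, min_length=16):
    """Return (severity, message) findings for a deployed basic_auth.ini."""
    deployed, shipped = _section(deployed_text), _section(shipped_text)
    if deployed is None:
        return [("high", "no [mlflow] section in deployed config")]
    findings = []
    password = deployed.get("admin_password", "")
    username = deployed.get("admin_username", "")
    if not password:
        findings.append(("high", "admin_password is not set"))
    elif shipped and password == shipped.get("admin_password"):
        findings.append(("critical", "admin_password equals the shipped default"))
    elif len(password) < min_length:
        findings.append(("medium", f"admin_password shorter than {min_length} characters"))
    if password and password == username:
        findings.append(("high", "admin_password equals admin_username"))
    if shipped and username and username == shipped.get("admin_username"):
        findings.append(("low", "admin_username equals the shipped default"))
    return findings
```

In practice, pass it the text of the deployed file and the text of the basic_auth.ini that ships with the installed mlflow package, and treat any "critical" finding as an unrotated default.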

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system; Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.2 - Information security in AI system development; A.6.2.5 - AI system security controls; A.9.2 - User access management; A.9.4 - System and application access control
NIST AI RMF: GOVERN 1.2 - Policies, processes, and practices are in place; GOVERN 6.2 - Contingency processes for AI risks are in place; MANAGE 2.2 - Mechanisms are in place to start, stop, or pause AI system operation; MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10: LLM08 - Excessive Agency; LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

Is CVE-2026-2635 actively exploited?

No confirmed active exploitation of CVE-2026-2635 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-2635?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, training pipelines, model registry, experiment tracking systems, model serving, CI/CD ML pipelines, artifact stores.

What is the CVSS score for CVE-2026-2635?

CVE-2026-2635 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.15%.

Technical Details

NVD Description

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

Exploitation Scenario

An attacker performs passive reconnaissance (Shodan, Censys) to identify internet-exposed MLflow instances. Using the publicly documented default credentials from basic_auth.ini — trivially extractable from the MLflow open-source repo — they authenticate as administrator with no exploitation tooling required. From there, they enumerate all registered models and experiments, exfiltrate proprietary models and training data, and inject a poisoned model version into the registry pointing to a backdoored artifact. The production serving infrastructure, configured to pull the 'latest' version from the registry, automatically deploys the malicious model. The attacker maintains persistence through the MLflow admin account while the poisoned model silently operates in production — potentially for weeks before detection.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: February 20, 2026
Last Modified: March 17, 2026
First Seen: February 20, 2026
