CVE-2026-2635: MLflow: hard-coded default credentials in basic_auth.ini allow authentication bypass

GHSA-gq3w-7jj3-x7gr CRITICAL CISA: TRACK*
Published February 20, 2026
CISO Take

MLflow's basic_auth.ini ships with hardcoded default credentials, meaning any attacker with network access to your MLflow instance can bypass authentication and execute arbitrary code as administrator — no credentials needed beyond the publicly known defaults. If MLflow is reachable from the internet or an untrusted network segment, treat this as a critical incident: isolate, patch via PR #19260, and rotate all credentials immediately. Audit access logs for unauthorized activity dating back to February 2026.

What is the risk?

Effective severity is CRITICAL; the CVSS vector on this page (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores 9.8. The combination of hard-coded credentials (CWE-1393), no authentication required beyond the publicly known defaults, and arbitrary code execution as admin creates a trivially exploitable attack chain. MLflow instances are commonly deployed with default configurations in data science environments, often without rigorous network segmentation. The blast radius extends beyond the MLflow service itself: admin access exposes the entire ML artifact store, registered models, experiment runs, and any connected infrastructure.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
MLflow    pip         < 3.8.0rc0         3.8.0rc0

Any MLflow deployment below 3.8.0rc0 that runs the basic-auth app with the shipped basic_auth.ini credentials unchanged is affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.1% chance of exploitation in 30 days (higher than 62% of all CVEs)
Exploitation status: No known exploitation
Sophistication: Advanced

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

Immediate (0-24h):
  1. Determine whether MLflow is internet-exposed or reachable from untrusted networks; isolate it if so.
  2. Upgrade to 3.8.0rc0 or later (the fix from MLflow PR #19260).
  3. Replace every credential in basic_auth.ini with a unique, randomly generated value; never keep the shipped defaults.
  4. Review access logs for unexpected admin activity since at least 2026-02-20, and earlier if retention allows: the defaults were always visible in the public repository.
Short-term (1-7 days):
  5. Enforce network-level access controls; MLflow should never be internet-facing without a reverse proxy that enforces authentication.
  6. Replace basic_auth with a proper IdP integration (OIDC/SAML).
  7. Audit all registered models and artifacts for tampering or unexpected modifications.
Detection: alert on authentication and user/permission-management events against MLflow admin endpoints; monitor for new model registrations or artifact uploads from unexpected sources.
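Step 3 above (replace the basic_auth.ini credentials) is the one most often done by hand and then drifts back to defaults on the next redeploy. The following is an added example, not MLflow's own code: a Python pre-deployment audit that parses basic_auth.ini, rejects known default or short passwords and a guessable admin username, checks that the file is not group/world readable, and generates a hardened replacement with a random password. Assumptions: the ini layout, the placeholder values `admin`/`password` and the permission names (`NO_PERMISSIONS`, `READ`, `EDIT`, `MANAGE`) are reproduced from my knowledge of the upstream file and auth docs and should be checked against the version you deploy; `SHIPPED_INI` is a constructed sample.

```python
"""Audit an MLflow basic_auth.ini for shipped/weak credentials and generate a
hardened replacement. Added example, not MLflow code."""
import configparser
import io
import os
import secrets
import stat
from pathlib import Path

# Values an admin password must never be. "admin"/"password" are, to my
# knowledge, the placeholders upstream MLflow ships in basic_auth.ini; the rest
# are generic weak values. Assumption: keep this in sync with the version you run.
KNOWN_DEFAULTS = {"password", "admin", "changeme", "mlflow", "secret", "123456"}
GUESSABLE_USERNAMES = {"admin", "administrator", "root", "mlflow"}
MIN_PASSWORD_LENGTH = 16
# Broadest default_permission accepted for users with no explicit grant
# (assumption about MLflow's permission names; EDIT and MANAGE are the wider ones).
ACCEPTABLE_DEFAULT_PERMISSIONS = {"NO_PERMISSIONS", "READ"}

# Constructed sample mirroring the shipped layout with its weak placeholders.
SHIPPED_INI = """\
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = admin
admin_password = password
authorization_function = mlflow.server.auth:authenticate_request_basic_auth
"""


def audit_basic_auth_text(ini_text: str) -> list[str]:
    """Return findings for an ini body; an empty list means it passed."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(ini_text)
    if not cp.has_section("mlflow"):
        return ["missing [mlflow] section"]
    sec = cp["mlflow"]
    user = sec.get("admin_username", "")
    pw = sec.get("admin_password", "")
    findings = []
    if pw.lower() in KNOWN_DEFAULTS:
        findings.append("admin_password is a known default/weak value")
    if len(pw) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin_password shorter than {MIN_PASSWORD_LENGTH} characters")
    if user.lower() in GUESSABLE_USERNAMES:
        findings.append("admin_username is a guessable default")
    if sec.get("default_permission", "").upper() not in ACCEPTABLE_DEFAULT_PERMISSIONS:
        findings.append("default_permission is missing or broader than READ")
    return findings


def audit_basic_auth_file(path: str) -> list[str]:
    """Audit file contents plus permissions: a credential file must not be group/world readable."""
    findings = audit_basic_auth_text(Path(path).read_text())
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is group/world readable; chmod 600 it")
    return findings


def hardened_ini(admin_username: str, database_uri: str) -> tuple[str, str]:
    """Build a replacement ini with a random admin password; returns (ini_text, password).
    Store the password in a secret manager, never in version control."""
    password = secrets.token_urlsafe(32)
    cp = configparser.ConfigParser(interpolation=None)
    cp["mlflow"] = {
        "default_permission": "READ",
        "database_uri": database_uri,
        "admin_username": admin_username,
        "admin_password": password,
        "authorization_function": "mlflow.server.auth:authenticate_request_basic_auth",
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue(), password


if __name__ == "__main__":
    print("shipped config:", audit_basic_auth_text(SHIPPED_INI) or "ok")
    text, pw = hardened_ini("mlops-admin", "sqlite:///basic_auth.db")
    print("hardened config:", audit_basic_auth_text(text) or "ok")
```

Run `audit_basic_auth_file` in CI against the exact file you deploy and fail the pipeline on any finding. After swapping the credentials, confirm the running server rejects the old pair: the auth plugin persists users in its own database, so an admin record created under the old password may need to be updated through the user-management API rather than the ini (verify this for your version).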

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity; Art. 9 - Risk management system
ISO 42001
A.6.1.2 - Information security in AI system development; A.6.2.5 - AI system security controls; A.9.2 - User access management; A.9.4 - System and application access control
NIST AI RMF
GOVERN 1.2 - Policies, processes, and practices are in place; GOVERN 6.2 - Contingency processes for AI risks are in place; MANAGE 2.2 - Mechanisms are in place to start, stop, or pause AI system operation; MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10
LLM08 - Excessive Agency; LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-2635?

CVE-2026-2635 is a default-credential authentication bypass in MLflow: basic_auth.ini ships with hard-coded default credentials, so anyone with network access to an instance still using them can authenticate as administrator and, per the advisory, execute arbitrary code in that context. Versions before 3.8.0rc0 are affected; see the CISO Take above for the response.

Is CVE-2026-2635 actively exploited?

No confirmed active exploitation of CVE-2026-2635 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2635?

Follow the steps under "What should I do?" above: isolate any instance reachable from the internet or untrusted networks, upgrade to 3.8.0rc0 or later (MLflow PR #19260), replace every credential in basic_auth.ini with a random value, review access logs for admin activity since at least 2026-02-20, put the server behind an authenticating reverse proxy or an IdP (OIDC/SAML) instead of basic_auth, and audit registered models and artifacts for tampering.

What systems are affected by CVE-2026-2635?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, training pipelines, model registry, experiment tracking systems, model serving, CI/CD ML pipelines, artifact stores.

What is the CVSS score for CVE-2026-2635?

CVE-2026-2635 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.13%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, training pipelines, model registry, experiment tracking systems, model serving, CI/CD ML pipelines, artifact stores

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0010.001 AI Software
AML.T0012 Valid Accounts
AML.T0018 Manipulate AI Model
AML.T0020 Poison Training Data
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.6.1.2, A.6.2.5, A.9.2, A.9.4
NIST AI RMF: GOVERN 1.2, GOVERN 6.2, MANAGE 2.2, MANAGE 2.4
OWASP LLM Top 10: LLM08, LLM08:2025

What are the technical details?

Original Advisory

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

Exploitation Scenario

An attacker performs passive reconnaissance (Shodan, Censys) to identify internet-exposed MLflow instances. Using the publicly documented default credentials from basic_auth.ini — trivially extractable from the MLflow open-source repo — they authenticate as administrator with no exploitation tooling required. From there, they enumerate all registered models and experiments, exfiltrate proprietary models and training data, and inject a poisoned model version into the registry pointing to a backdoored artifact. The production serving infrastructure, configured to pull the 'latest' version from the registry, automatically deploys the malicious model. The attacker maintains persistence through the MLflow admin account while the poisoned model silently operates in production — potentially for weeks before detection.
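The scenario above has a detectable shape in the server's access log: a successful user/permission-management call, then a registry write (new model version, stage transition or alias change) from the same source shortly afterwards, typically from an address that never writes to the registry. This is an added example, not MLflow's code, implementing the "Detection" guidance under "What should I do?" against constructed log lines. Assumptions: the combined log format (as a gunicorn or nginx front end would write it), the MLflow REST paths named in `ADMIN_PREFIXES`, `REGISTRY_WRITE_PREFIXES` and `ARTIFACT_PREFIX` (from my knowledge of the tracking/auth API; verify against your version), and the trusted network `10.20.0.0/16`; `SAMPLE_LOG` is constructed.

```python
"""Detect the admin-action-then-registry-write pattern in MLflow access logs.
Added example, not MLflow code."""
import ipaddress
import re
from datetime import datetime, timedelta

# Combined-log-format line as a gunicorn/nginx front end would write it
# (assumption about your deployment; adjust LOG_RE to match your format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# MLflow REST paths grouped by what they let an attacker do. Assumption: names
# are from the tracking/auth REST API as I know it; verify for your version.
ADMIN_PREFIXES = (
    "/api/2.0/mlflow/users/",                        # create users, change passwords, grant admin
    "/api/2.0/mlflow/experiments/permissions/",
    "/api/2.0/mlflow/registered-models/permissions/",
)
REGISTRY_WRITE_PREFIXES = (
    "/api/2.0/mlflow/registered-models/create",
    "/api/2.0/mlflow/model-versions/create",         # point a new version at an artifact
    "/api/2.0/mlflow/model-versions/transition-stage",
    "/api/2.0/mlflow/registered-models/alias",       # repoint the alias serving resolves
)
ARTIFACT_PREFIX = "/api/2.0/mlflow-artifacts/artifacts/"

# Networks allowed to write to the registry (assumption: CI runners and the
# data-science VLAN). Anything else is an "unexpected source".
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))


def classify(method, path):
    if path.startswith(ADMIN_PREFIXES):
        return "admin"
    if path.startswith(REGISTRY_WRITE_PREFIXES):
        return "registry_write"
    if method == "PUT" and path.startswith(ARTIFACT_PREFIX):
        return "artifact_upload"
    return None


def detect(lines, trusted=TRUSTED_NETS, window=timedelta(minutes=30)):
    """Return (severity, ip, message) alerts.

    HIGH: a successful admin, registry or artifact write from outside the trusted nets.
    CRITICAL: a registry write or artifact upload from a source that performed an
    admin action within `window`, i.e. the foothold-then-poison sequence."""
    alerts = []
    last_admin = {}  # ip -> timestamp of its most recent successful admin call
    for ev in map(parse, lines):
        if ev is None:
            continue
        ip, ts, method, path, status = ev
        kind = classify(method, path)
        if kind is None or not 200 <= status < 300:  # only successful sensitive calls
            continue
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            alerts.append(("HIGH", ip, f"{kind} from untrusted source: {method} {path}"))
        if kind == "admin":
            last_admin[ip] = ts
        elif ip in last_admin and ts - last_admin[ip] <= window:
            delay = int((ts - last_admin[ip]).total_seconds())
            alerts.append(("CRITICAL", ip, f"{kind} {delay}s after an admin action: {method} {path}"))
    return alerts


# Constructed sample: a legitimate CI run from the trusted VLAN, then the
# scenario replayed from an internet address (203.0.113.0/24 is TEST-NET-3).
SAMPLE_LOG = [
    '10.20.4.15 - - [21/Feb/2026:09:00:01 +0000] "POST /api/2.0/mlflow/runs/create HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '10.20.4.15 - - [21/Feb/2026:09:05:10 +0000] "POST /api/2.0/mlflow/model-versions/create HTTP/1.1" 200 301 "-" "python-requests/2.32"',
    '203.0.113.77 - - [21/Feb/2026:11:14:02 +0000] "GET /api/2.0/mlflow/registered-models/search HTTP/1.1" 200 8192 "-" "python-requests/2.32"',
    '203.0.113.77 - - [21/Feb/2026:11:15:30 +0000] "POST /api/2.0/mlflow/users/create HTTP/1.1" 200 64 "-" "python-requests/2.32"',
    '203.0.113.77 - - [21/Feb/2026:11:20:45 +0000] "POST /api/2.0/mlflow/model-versions/create HTTP/1.1" 200 298 "-" "python-requests/2.32"',
    '203.0.113.77 - - [21/Feb/2026:11:21:00 +0000] "POST /api/2.0/mlflow/registered-models/alias HTTP/1.1" 200 12 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for sev, ip, msg in detect(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {msg}")
```

The trusted-network allowlist does the heavy lifting for the "unexpected source" rule; the time-window correlation is what separates an attacker who just logged in with the defaults and immediately published a version from a routine CI promotion. Because basic auth carries no session, the source address is the only stable pivot the access log offers, so run this behind the reverse proxy where the real client address is logged rather than the proxy's.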

Weaknesses (CWE)

CWE-1393 — Use of Default Password: The product uses default passwords for potentially critical functionality.

  • [Requirements] Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.
  • [Documentation] Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 20, 2026
Last Modified
March 17, 2026
First Seen
February 20, 2026

Related Vulnerabilities