BIT-mlflow-2025-11200

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/mlflow/BIT-mlflow-2025-11200.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-mlflow-2025-11200

Aliases

Published

2025-11-06T12:53:59.130Z

Modified

2025-11-06T13:59:50.094186Z

Summary

MLflow Weak Password Requirements Authentication Bypass Vulnerability

Details

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

Database specific

{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / mlflow

Package

Name: mlflow
Purl: pkg:bitnami/mlflow

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.21.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/mlflow/BIT-mlflow-2025-11200.json"