CVE-2025-11200

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-11200
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11200.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-11200
Aliases
Published
2025-10-29T20:15:35.543Z
Modified
2026-03-12T17:34:03.294631Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

References

Affected packages

Git / github.com/mlflow/mlflow

Affected ranges

Type
GIT
Repo
https://github.com/mlflow/mlflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
48a261f8b1dc3a5757252ba0174883d074102215
Fixed
1f74f3f24d8273927b8db392c23e108576936c54
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.21.0"
        }
    ]
}

Affected versions

1.*
1.0.0
v0.*
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.7
v0.8.0
v0.8.1
v1.*
v1.7.0
v2.*
v2.2.0
v2.21.0
v2.21.0rc0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11200.json"