CVE-2026-2635

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-2635

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2635.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-2635

Aliases

GHSA-gq3w-7jj3-x7gr

Published

2026-02-20T23:16:05.577Z

Modified

2026-03-17T20:26:20.684416Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2635.json"