MLflow is the de facto ML lifecycle platform — if your team runs experiment tracking or a model registry, assume this instance is your crown jewels. A CVSS 9.8 unauthenticated network bypass means any attacker with network access owns your entire ML pipeline: models, training data, experiments, and artifacts. Patch to 2.22.0rc0 immediately or isolate MLflow behind a network-level auth proxy until you can patch.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mlflow | pip | < 2.22.0rc0 | 2.22.0rc0 |
| mlflow | pip | — | No patch |
Severity & Risk
Recommended Action
1. PATCH: Upgrade MLflow to >= 2.22.0rc0 immediately. Reference commit: 1f74f3f24d8273927b8db392c23e108576936c54.
2. ISOLATE: If patching is delayed, block external access to MLflow ports (default 5000) at the firewall/security group level. Place behind a reverse proxy (nginx/Caddy) with HTTP Basic Auth or mTLS as compensating control.
3. AUDIT: Review MLflow access logs for unexpected authenticated sessions, model registry changes, or artifact downloads in the past 90 days.
4. INVENTORY: Enumerate all MLflow instances in your environment — dev, staging, and prod. Shadow MLflow deployments are common in data science teams.
5. DETECT: Alert on MLflow login events from non-corporate IP ranges, unusual model promotion events, and bulk artifact downloads.
6. CREDENTIAL ROTATION: If any MLflow instance was exposed, assume all credentials stored in MLflow experiments (API keys, DB strings hardcoded in notebooks) are compromised.
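The AUDIT and DETECT steps above can be run over the access log of the reverse proxy in front of MLflow. The following is an added example, not part of the original advisory and not MLflow's own code. It assumes nginx "combined" log lines with the user field populated; the corporate ranges, the download threshold and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the advisory): corporate ranges, threshold, log format.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
BULK_THRESHOLD = 3  # successful artifact GETs per (ip, user) in the analysed window

# nginx "combined" prefix: ip - user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ARTIFACT_RE = re.compile(r"/(get-artifact|api/2\.0/mlflow-artifacts/artifacts/)")
REGISTRY_RE = re.compile(r"/api/2\.0/mlflow/(registered-models|model-versions)/")

# Constructed sample lines: documentation IP ranges, made-up users and run ids.
SAMPLE_LOG = """\
10.1.2.3 - alice [12/Oct/2025:09:00:01 +0000] "POST /api/2.0/mlflow/runs/create HTTP/1.1" 200 512 "-" "-"
10.1.2.3 - alice [12/Oct/2025:09:00:09 +0000] "POST /api/2.0/mlflow/model-versions/create HTTP/1.1" 401 0 "-" "-"
203.0.113.7 - bob [12/Oct/2025:09:05:10 +0000] "GET /get-artifact?path=m.pkl&run_uuid=r1 HTTP/1.1" 200 900 "-" "-"
203.0.113.7 - bob [12/Oct/2025:09:05:11 +0000] "GET /get-artifact?path=m.pkl&run_uuid=r2 HTTP/1.1" 200 900 "-" "-"
203.0.113.7 - bob [12/Oct/2025:09:05:12 +0000] "GET /get-artifact?path=m.pkl&run_uuid=r3 HTTP/1.1" 200 900 "-" "-"
203.0.113.7 - bob [12/Oct/2025:09:06:00 +0000] "POST /api/2.0/mlflow/model-versions/transition-stage HTTP/1.1" 200 64 "-" "-"
""".splitlines()

def is_corporate(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source address: treat as external
    return any(addr in net for net in CORPORATE_NETS)

def analyze(lines):
    external, changes, downloads = set(), [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line or unsuccessful request
        ip, user, method, path = m["ip"], m["user"], m["method"], m["path"]
        if user != "-" and not is_corporate(ip):
            external.add((ip, user))  # authenticated request from outside
        if method in ("POST", "PATCH", "DELETE") and REGISTRY_RE.match(path):
            changes.append((ip, user, path))  # model registry write
        if method == "GET" and ARTIFACT_RE.match(path):
            downloads[(ip, user)] += 1
    bulk = {k: n for k, n in downloads.items() if n >= BULK_THRESHOLD}
    return {"external_auth": sorted(external), "registry_change": changes, "bulk_download": bulk}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Registry writes are reported for every source, internal ones included, so they can be reconciled against expected promotion activity.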
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.
Exploitation Scenario
An adversary performing reconnaissance against an AI-enabled organization scans for MLflow's default port 5000 or discovers the instance via exposed environment variables or internal documentation. They attempt authentication with a blank password or trivially weak credential (e.g., 'admin'/'admin'), bypassing the authentication check due to CWE-521. Once authenticated, the attacker browses the model registry to identify the organization's production models, downloads them for offline IP theft, and uploads a trojanized version of the most-used model with identical metadata. Because many MLflow deployments use automated promotion pipelines, the poisoned model is promoted to the production serving endpoint without human review. The model now exfiltrates inference inputs or produces subtly manipulated outputs — detected only when downstream business metrics degrade.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-6xj8-rrqx-r4cv
- github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54 (Patch)
- nvd.nist.gov/vuln/detail/CVE-2025-11200
- zerodayinitiative.com/advisories/ZDI-25-932 (3rd Party)