CVE-2026-2635

GHSA-gq3w-7jj3-x7gr CRITICAL
Published February 20, 2026
CISO Take

MLflow's basic_auth.ini ships with hardcoded default credentials, meaning any attacker with network access to your MLflow instance can bypass authentication and execute arbitrary code as administrator — no credentials needed beyond the publicly known defaults. If MLflow is reachable from the internet or an untrusted network segment, treat this as a critical incident: isolate, patch via PR #19260, and rotate all credentials immediately. Audit access logs for unauthorized activity dating back to February 2026.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
mlflow  | pip       | < 3.8.0rc0       | 3.8.0rc0

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.7% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Advanced

Recommended Action

  1. Immediate (0-24h):
     (1) Determine if MLflow is internet-exposed or accessible from untrusted networks — isolate if so.
     (2) Apply patch from MLflow PR #19260 or upgrade to a fixed version.
     (3) Change all credentials in basic_auth.ini; do not rely on defaults.
     (4) Review access logs for unexpected admin activity since 2026-02-20.
  2. Short-term (1-7 days):
     (5) Enforce network-level access controls — MLflow should never be internet-facing without a reverse proxy enforcing authentication.
     (6) Replace basic_auth with a proper IdP integration (OIDC/SAML).
     (7) Audit all registered models and artifacts for tampering or unexpected modifications.
  3. Detection: Alert on authentication events to MLflow admin endpoints; monitor for new model registrations or artifact uploads from unexpected sources.
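A local check for steps (2) and (3) above, as an added example that is not code from MLflow or from this advisory: it tests the installed version against the patched release and compares a deployment's basic_auth.ini with the copy shipped in the package. The function names, finding labels, 16-character minimum and sample file contents are assumptions made for the illustration.

```python
import configparser
import re

PATCHED = (3, 8, 0)  # the advisory lists 3.8.0rc0 as the patched version

# Constructed sample files; the password values are placeholders, not real defaults.
SHIPPED_INI = "[mlflow]\nadmin_username = admin\nadmin_password = PLACEHOLDER-shipped\n"
DEPLOYED_INI = "[mlflow]\nadmin_username = admin\nadmin_password = PLACEHOLDER-shipped\n"
ROTATED_INI = "[mlflow]\nadmin_username = mlops-admin\nadmin_password = Xq7-constructed-long-secret\n"


def is_vulnerable_version(version: str) -> bool:
    """True if `version` sorts before 3.8.0rc0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if release != PATCHED:
        return release < PATCHED
    # Same release number: dev/alpha/beta builds precede rc0; rc and final do not.
    return bool(re.match(r"[.\-_]?(dev|a|b)", m.group(4)))


def admin_creds(ini_text: str):
    """Return (admin_username, admin_password) from the [mlflow] section."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
    cp.read_string(ini_text)
    sec = cp["mlflow"]
    return sec.get("admin_username"), sec.get("admin_password")


def audit(version: str, deployed_ini: str, shipped_ini: str, min_len: int = 16):
    """List findings for one deployment; an empty list means nothing was flagged."""
    findings = []
    if is_vulnerable_version(version):
        findings.append("version-below-3.8.0rc0")
    _, deployed_pw = admin_creds(deployed_ini)
    _, shipped_pw = admin_creds(shipped_ini)
    if not deployed_pw:
        findings.append("admin-password-missing")
    elif deployed_pw == shipped_pw:
        findings.append("admin-password-is-shipped-default")
    elif len(deployed_pw) < min_len:
        findings.append("admin-password-too-short")
    return findings


if __name__ == "__main__":
    print(audit("3.7.2", DEPLOYED_INI, SHIPPED_INI))
```

In practice `shipped_ini` is read from the basic_auth.ini inside the installed mlflow package, so the comparison needs no hardcoded credential list.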

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
  Art. 9 - Risk management system
ISO 42001
  A.6.1.2 - Information security in AI system development
  A.6.2.5 - AI system security controls
  A.9.2 - User access management
  A.9.4 - System and application access control
NIST AI RMF
  GOVERN 1.2 - Policies, processes, and practices are in place
  GOVERN 6.2 - Contingency processes for AI risks are in place
  MANAGE 2.2 - Mechanisms are in place to start, stop, or pause AI system operation
  MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10
  LLM08 - Excessive Agency
  LLM08:2025 - Vector and Embedding Weaknesses

Technical Details

NVD Description

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

Exploitation Scenario

An attacker performs passive reconnaissance (Shodan, Censys) to identify internet-exposed MLflow instances. Using the publicly documented default credentials from basic_auth.ini — trivially extractable from the MLflow open-source repo — they authenticate as administrator with no exploitation tooling required. From there, they enumerate all registered models and experiments, exfiltrate proprietary models and training data, and inject a poisoned model version into the registry pointing to a backdoored artifact. The production serving infrastructure, configured to pull the 'latest' version from the registry, automatically deploys the malicious model. The attacker maintains persistence through the MLflow admin account while the poisoned model silently operates in production — potentially for weeks before detection.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: February 20, 2026
Last Modified: March 17, 2026
First Seen: February 20, 2026