Critical MLflow Vulnerabilities Enable Authentication Bypass and RCE
MLflow disclosed and patched multiple high-severity vulnerabilities affecting deployments of the MLflow platform, including an authentication bypass caused by default credentials in basic_auth.ini, tracked as CVE-2026-2635 (ZDI-26-111). The issue allows unauthenticated remote attackers to bypass authentication and potentially execute arbitrary code in the administrator context; ZDI scored it CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and credited the finding to Peter Girnus (@gothburz) via Trend Micro’s Zero Day Initiative (ZDI).
A separate MLflow Tracking Server flaw, CVE-2026-2033, enables directory traversal leading to remote code execution via improper validation of user-supplied artifact file paths in the artifact handler. Exploitation requires no authentication and can result in code execution in the context of the MLflow service account. Both issues reference the same upstream remediation in MLflow (https://github.com/mlflow/mlflow/pull/19260) and were published through ZDI advisories (including ZDI-26-111 for CVE-2026-2635 and ZDI-26-105 for CVE-2026-2033), indicating coordinated fixes are available and should be prioritized for exposed MLflow instances.
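Two defender-side checks for the issues described above, written as an added example (not MLflow's own code and not taken from the advisories). The first audits a basic_auth.ini for the shipped admin:password1234 default, assuming MLflow's documented layout of an [mlflow] section with admin_username and admin_password keys (an assumption, not stated on this page); the second contrasts the join-without-validation pattern behind the artifact-handler traversal with a resolver that decodes once, rejects absolute paths and '..' escapes, and confines the result to the artifact root.

```python
import configparser
import posixpath
from urllib.parse import unquote

# Defaults named in the ZDI advisory; MLflow reads them from basic_auth.ini.
DEFAULT_ADMIN_USER = "admin"
DEFAULT_ADMIN_PASSWORD = "password1234"


def audit_basic_auth_ini(ini_text: str) -> list[str]:
    """Flag a basic_auth.ini still on shipped defaults. Assumes MLflow's documented
    [mlflow] section with admin_username/admin_password keys (an assumption)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    user = cfg.get("mlflow", "admin_username", fallback="")
    password = cfg.get("mlflow", "admin_password", fallback="")
    findings = []
    if password == DEFAULT_ADMIN_PASSWORD:
        findings.append("admin_password is the well-known default")
    elif not password:
        findings.append("admin_password is missing or empty")
    if user == DEFAULT_ADMIN_USER and password == DEFAULT_ADMIN_PASSWORD:
        findings.append("admin account is exactly the default admin:password1234")
    return findings


def naive_artifact_path(artifact_root: str, user_path: str) -> str:
    """Join without validation: '..' segments and absolute paths escape root."""
    return posixpath.join(artifact_root, user_path)


def safe_artifact_path(artifact_root: str, user_path: str) -> str:
    """Resolve a client-supplied artifact path strictly under artifact_root."""
    decoded = unquote(user_path)          # decode exactly once: %2e%2e -> '..'
    if "\x00" in decoded:
        raise ValueError("NUL byte in artifact path")
    decoded = decoded.replace("\\", "/")  # artifact paths are POSIX-style
    if posixpath.isabs(decoded):
        raise ValueError("absolute artifact path rejected")
    rel = posixpath.normpath(decoded)     # collapses '.', '//' and interior '..'
    if rel == ".." or rel.startswith("../"):
        raise ValueError(f"traversal outside artifact root: {user_path!r}")
    root = posixpath.normpath(artifact_root)
    full = posixpath.normpath(posixpath.join(root, rel))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("resolved path escapes artifact root")
    return full
```

Because the resolver decodes only once, a double-encoded segment such as `%252e%252e` stays a literal file name rather than becoming `..`; the calling handler must not decode the path a second time.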
Timeline
Feb 23, 2026
Nuclei template added to detect exposed MLflow default credentials
A ProjectDiscovery nuclei-templates pull request added detection logic for CVE-2026-2635. The template tested whether internet-exposed MLflow instances still accepted the default admin credentials admin:password1234 and confirmed administrative access through the users API.
Feb 20, 2026
CVE-2026-2033 published for MLflow directory traversal RCE
A separate MLflow vulnerability, CVE-2026-2033, was published describing a directory traversal flaw in the tracking server artifact handler. The issue could be exploited remotely without authentication to execute arbitrary code in the service account context.
Feb 19, 2026
CVE-2026-2635 publicly disclosed via ZDI advisory
Zero Day Initiative publicly disclosed ZDI-26-111 / CVE-2026-2635, describing a high-severity MLflow authentication bypass caused by hard-coded default credentials. The advisory stated remote unauthenticated attackers could gain access and potentially achieve arbitrary code execution in the administrator context.
Feb 19, 2026
MLflow releases fix for CVE-2026-2635
Before public disclosure, MLflow released an update addressing the default-password authentication bypass vulnerability tracked as CVE-2026-2635. References to an MLflow GitHub pull request indicate the vendor made code changes to remediate the issue.
Oct 14, 2025
ZDI reports MLflow default-credentials flaw to vendor
Trend Micro’s Zero Day Initiative reported ZDI-CAN-28256, later assigned CVE-2026-2635, to the MLflow vendor. The flaw involved hard-coded default credentials in MLflow’s basic_auth.ini file that could allow authentication bypass and lead to code execution as an administrator.
Related Stories

MLflow and BentoML Flaws Enable Host Code Execution via Malicious AI Model Artifacts
High-severity vulnerabilities in **MLflow** and **BentoML** exposed AI model deployment workflows to arbitrary code execution on host systems through malicious model packages. In **CVE-2025-15379**, MLflow's model serving container initialization code improperly interpolated dependency data from a model artifact's `python_env.yaml` into a shell command inside `_install_model_dependencies_to_env()` when `env_manager=LOCAL` was used, creating a command injection path. The issue affects **MLflow 3.8.0** and was fixed in **3.8.2**; the flaw carries **CWE-77** and a **CVSS 9.8**-equivalent vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`. In **CVE-2026-35044**, BentoML's `generate_containerfile()` function rendered user-supplied `dockerfile_template` files with an unsandboxed **Jinja2** environment and the `jinja2.ext.do` extension, allowing a malicious bento archive to execute arbitrary Python code on the host when a victim ran `bentoml containerize`. The vulnerability affects versions before **1.4.38** and was fixed in **1.4.38**; it is classified as **CWE-1336** with a **CVSS 8.8** vector of `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`. Together, the disclosures highlight a growing risk in MLOps tooling where importing or deploying untrusted model artifacts can bypass expected isolation and compromise build or serving infrastructure.
3 weeks ago
High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE
Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
1 month ago
Active Exploitation of Flowise CustomMCP RCE Exposes Thousands of Internet-Facing Instances
Threat actors are actively exploiting **CVE-2025-59528**, a **CVSS 10.0** remote code execution flaw in the open-source AI platform **Flowise**. The bug affects Flowise versions through **3.0.5** and stems from the `CustomMCP` node unsafely passing user-controlled input into JavaScript execution, allowing attackers with an API token to run arbitrary code with full **Node.js** runtime privileges. Researchers said the issue can be triggered remotely via a crafted HTTP `POST` request without user interaction, leading to operating system command execution, filesystem access, sensitive data theft, and full system compromise. Security researchers observed in-the-wild exploitation originating from a single **Starlink IP address**, while warning that roughly **12,000 to 15,000** internet-exposed Flowise instances sharply expand the attack surface for opportunistic attacks. Flowise disclosed the vulnerability in 2025, credited researcher **Kim SooHyun**, and patched the flaw in **version 3.0.6**. The incident marks the third Flowise vulnerability reported as exploited in the wild after **CVE-2025-8943** and **CVE-2025-26319**, increasing pressure on organizations to upgrade immediately and limit public exposure of Flowise APIs.
1 week ago