CVE-2026-2635

CRITICAL LAB

MLflow - Unauthenticated Authentication Bypass via Default Credentials in basic_auth.ini

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-2635. PoCs published by arif-s3d0, exploitintel.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-2635, which leverages MLflow's default credentials and pickle deserialization to achieve unauthenticated remote code execution. The exploit automates the process of authenticating, discovering model metadata, crafting a malicious pickle payload, and registering it as a new model version to trigger RCE.

Description

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

Exploits (2)

github WORKING POC 1 stars

by arif-s3d0 · pythonpoc

https://github.com/arif-s3d0/cve/tree/master/CVE-2026-2635

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-2635, which leverages MLflow's default credentials and pickle deserialization to achieve unauthenticated remote code execution. The exploit automates the process of authenticating, discovering model metadata, crafting a malicious pickle payload, and registering it as a new model version to trigger RCE.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MLflow 2.3.0 - 2.14.1

No auth needed

Prerequisites: Network access to MLflow instance · MLflow instance using default credentials (admin:password) · Application with /predict endpoint that uses MLflow models

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 24, 2026 Full analysis →

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-2635

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2026-2635, an authentication bypass vulnerability in MLflow due to hardcoded default credentials. The PoC scripts demonstrate authentication with default credentials, admin access confirmation, and backdoor user creation.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: MLflow v2.3.0 – v3.10.0+

No auth needed

Prerequisites: MLflow server with basic-auth enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Mar 02, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory x_research-advisory

https://www.zerodayinitiative.com/advisories/ZDI-26-111/

Issue Tracking vendor-advisory

https://github.com/mlflow/mlflow/pull/19260

Related Analysis

72-Hour Stress Test

Scores

CVSS v3 9.8

EPSS 0.0152

EPSS Percentile 81.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Lab Environment

EIP LAB

patched docker pull ghcr.io/exploitintel/cve-2026-2635-patched:latest

vulnerable docker pull ghcr.io/exploitintel/cve-2026-2635-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-1393

Status published

Products (2)

MLflow/MLflow 3.4.0

pypi/mlflow 0 - 3.8.0rc0PyPI

Published Feb 20, 2026

Tracked Since Feb 21, 2026