Lucene search
K

1252 matches found

Positive Technologies
Positive Technologies
added 2026/03/07 12:0 a.m.6 views

PT-2026-23821

We at Tachyon found an auth bypass in MLflow https://tachyon.so/blog/cve-2025-14297-mlflow-authorization-bypass: 1. Black-box scanners would need to discover the right users, roles, and state transitions, then generate specific request sequences that trigger a gap: a combinatorial problem that...

5.8AI score
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/02/24 12:0 a.m.8 views

MLflow < 3.8.0 Authentication Bypass (ZDI-26-111)

The version of MLflow installed on the remote host is prior to 3.8.0. It is, therefore, affected by an authentication bypass vulnerability: - A use of default password vulnerability exists in the basicauth.ini file. The file contains hard-coded default credentials that allow remote, unauthenticat...

9.8CVSS6.2AI score0.00968EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/22 1:28 a.m.6 views

CVE-2026-2033

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific fla...

8.1CVSS6.6AI score0.01682EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/22 1:28 a.m.6 views

CVE-2026-2635

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...

9.8CVSS6.3AI score0.00968EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/02/21 12:35 a.m.7 views

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +765 more potentially affected by CVE-2026-2033 via mlflow-skinny (>=3.0.0 <=3.8.0)

mlflow-skinny PYPI version =3.0.0, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =1.0.0, =1.0.1 and more Source cves: CVE-2026-2033 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16698157...

8.1CVSS7.2AI score0.01682EPSS
Exploits0
Snyk
Snyk
added 2026/02/21 12:35 a.m.4 views

Directory Traversal

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Directory Traversal via the 'findrunroot function in the FileStore...

8.4CVSS6.5AI score0.01682EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/02/21 12:35 a.m.5 views

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +702 more potentially affected by CVE-2026-2033 via mlflow (>=3.0.0rc2 <=3.6.0rc0)

mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =1.0.0, =1.0.1 and more Source cves: CVE-2026-2033 Source advisory: SNYK:PYTHON-MLFLOW-15325640...

8.1CVSS7.2AI score0.01682EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/02/21 12:35 a.m.2 views

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +725 more potentially affected by CVE-2026-2635 via mlflow (>=2.3.2 <=3.9.0)

mlflow PYPI version =2.3.2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =1.1.0, =0.1.0, =1.0.0, =1.0.1 and more Source cves: CVE-2026-2635 Source advisory: SNYK:PYTHON-MLFLOW-15325638...

9.8CVSS7.2AI score0.00968EPSS
Exploits0
Snyk
Snyk
added 2026/02/21 12:35 a.m.2 views

Use of Default Credentials

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Use of Default Credentials in the basicauth.ini file. An attacker...

9.8CVSS7.7AI score0.00968EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/02/21 12:31 a.m.4 views

a2 (>=0.1.0 <=0.3.17), abadpour (>=6.13.1 <=7.24.1) +952 more potentially affected by CVE-2026-2033 via mlflow (>=0.8.2 <=3.6.0rc0)

mlflow PYPI version =0.8.2, =0.1.0, =6.13.1, =9.273.1, =1.1.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.0.5, =1.0.0, =0.1.0, =1.1.1 - ai-helpers-pytorch-utils =0.1.0a1 - ailine-core =0.5.5 and more Source cves: CVE-2026-2033 Source advisory: OSV:GHSA-Q2R8-VMQ7-FPX2...

8.1CVSS7.2AI score0.01682EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/02/21 12:31 a.m.2 views

a2 (>=0.1.0 <=0.3.17), abadpour (>=6.13.1 <=7.24.1) +952 more potentially affected by CVE-2026-2635 via mlflow (>=0.8.2 <=3.6.0rc0)

mlflow PYPI version =0.8.2, =0.1.0, =6.13.1, =9.273.1, =1.1.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.0.5, =1.0.0, =0.1.0, =1.1.1 - ai-helpers-pytorch-utils =0.1.0a1 - ailine-core =0.5.5 and more Source cves: CVE-2026-2635 Source advisory: OSV:GHSA-GQ3W-7JJ3-X7GR...

9.8CVSS7.2AI score0.00968EPSS
Exploits0
OSV
OSV
added 2026/02/21 12:31 a.m.4 views

GHSA-Q2R8-VMQ7-FPX2 MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific fla...

8.1CVSS6.3AI score0.01682EPSS
Exploits0References6
OSV
OSV
added 2026/02/21 12:31 a.m.4 views

GHSA-GQ3W-7JJ3-X7GR MLflow Use of Default Password Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The file contains hard-coded default credentials. An attacker can leverage...

9.8CVSS6.2AI score0.00968EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/02/21 12:31 a.m.8 views

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific fla...

8.1CVSS6.3AI score0.01682EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/02/21 12:31 a.m.10 views

MLflow Use of Default Password Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The file contains hard-coded default credentials. An attacker can leverage...

9.8CVSS6.2AI score0.00968EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2026/02/20 11:16 p.m.17 views

CVE-2026-2635

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...

9.8CVSS0.00968EPSS
Exploits0References5
OSV
OSV
added 2026/02/20 11:16 p.m.2 views

CVE-2026-2033

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific fla...

8.1CVSS6.3AI score
Exploits0References2
NVD
NVD
added 2026/02/20 11:16 p.m.10 views

CVE-2026-2033

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific fla...

8.1CVSS0.01682EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/20 10:25 p.m.26 views

CVE-2026-2635 MLflow Use of Default Password Authentication Bypass Vulnerability

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...

9.8CVSS0.00968EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/20 10:25 p.m.4 views

CVE-2026-2635 MLflow Use of Default Password Authentication Bypass Vulnerability

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...

9.8CVSS6.1AI score0.00968EPSS
Exploits0References2
Rows per page
Query Builder