CVE-2025-11200

Critical CVSS: 9.8

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

Vendor

Lfprojects

Product

Mlflow

CWE

CWE-521

Yayın Tarihi

2025-10-29 20:15:35

Güncelleme

2025-12-31 01:06:20

Source Identifier

zdi-disclosures@trendmicro.com

KEV Date Added

Kategoriler

CWE-521 Mlflow CRITICAL Lfprojects 2025

Referanslar

https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54 https://www.zerodayinitiative.com/advisories/ZDI-25-932/

Benzer Kayıtlar

High

CVE-2026-34742

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does no…

Medium

CVE-2026-34237

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1,…

High

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby S…

Critical

CVE-2025-15031

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar a…

Medium

CVE-2026-29791

Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environmen…

High

CVE-2026-29064

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal…