MLflow CVE-2025-11200: Brief Summary of Authentication Bypass via Weak Password Requirements

This post provides a brief summary of CVE-2025-11200, a high-severity authentication bypass in MLflow due to weak password requirements. It covers technical details, affected versions, and vendor security history, with references for further reading.
ZeroPath CVE Analysis

2025-10-29
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Unauthorized access to machine learning experiment data and models can lead to data leaks, model theft, or tampering with production pipelines. MLflow, a popular open-source platform for managing the machine learning lifecycle, was recently found to have a high-severity flaw that allows attackers to bypass authentication entirely on some deployments.

About MLflow: MLflow is an open-source platform developed by Databricks for managing the end-to-end machine learning lifecycle. It is widely used in research and enterprise environments, with a large user base and integration across many ML stacks. MLflow supports experiment tracking, model packaging, deployment, and registry features, making it a core component in many data science workflows.

Technical Information

CVE-2025-11200 is a high-severity authentication bypass vulnerability in MLflow, assigned a CVSS score of 8.1. The root cause is weak password requirements in the authentication system. Specifically, MLflow's signup and authentication forms did not enforce any minimum password length or complexity, allowing users (or attackers) to create accounts with weak or even empty passwords. This made it trivial for remote attackers to guess or brute-force credentials and gain unauthorized access.

The vulnerable logic was present in the authentication module, where password fields lacked proper validation. The official patch (commit 1f74f3f) added a minlength=4 constraint to both the username and password fields in the signup form. Prior to this, there was no such restriction, which is a classic example of CWE-521 (Weak Password Requirements).
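A server-side counterpart to the form-level minlength fix, added here as an illustration and not taken from MLflow's code: the signup handler refuses weak credentials before an account is created and stores only a salted PBKDF2 hash. The function names, the in-memory store and the sample credentials are assumptions of this example.

```python
"""Server-side credential policy for a signup handler (constructed example).

The MLflow patch added ``minlength=4`` to the signup form's username and
password inputs. An HTML attribute is enforced only by the browser, so the
same rule has to be applied where the account is actually created.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 4  # the limit introduced by the MLflow patch described above


def credential_problems(username: str, password: str,
                        min_length: int = MIN_LENGTH) -> list:
    """Return every policy violation; an empty list means acceptable."""
    problems = []
    if not username.strip():
        problems.append("username is empty")
    elif len(username) < min_length:
        problems.append(f"username shorter than {min_length}")
    if not password:
        problems.append("password is empty")
    elif len(password) < min_length:
        problems.append(f"password shorter than {min_length}")
    if password and password.strip() != password:
        problems.append("password has leading/trailing whitespace")
    if username and password.lower() == username.lower():
        problems.append("password equals username")
    return problems


def hash_password(password: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256, returned as salt$digest (hex) for later verification."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def create_user(store: dict, username: str, password: str) -> bool:
    """Signup core: create the account only if the policy passes (hypothetical store)."""
    if username in store or credential_problems(username, password):
        return False
    store[username] = hash_password(password)
    return True
```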

Related Issue: CVE-2025-1474 is a closely related vulnerability where administrators could create accounts with no password at all, further highlighting the lack of robust validation in MLflow's authentication mechanisms.

Affected Systems and Versions

  • MLflow versions prior to 2.19.0 are affected.
  • The vulnerability impacts deployments with basic authentication enabled (via --app-name basic-auth).
  • All configurations where user signup or password changes are possible without strong validation are at risk.

Vendor Security History

MLflow has faced several security issues in recent years, including:

  • CVE-2023-6018: Arbitrary file write via artifact path handling
  • CVE-2024-2928: Local file inclusion via URI fragment manipulation
  • CVE-2025-1474: Account creation without password

Databricks, the primary maintainer, typically issues patches promptly after responsible disclosure. However, the recurrence of authentication and input validation flaws suggests ongoing architectural challenges in MLflow's security model.
