Authentication Bypass Vulnerability in MLflow by Databricks
CVE-2025-11200

8.1HIGH

Key Information:

Vendor: Mlflow
Status: Mlflow
Vendor: CVE Published:; 29 October 2025

What is CVE-2025-11200?

This vulnerability in MLflow arises from inadequate password requirements, enabling attackers to bypass authentication entirely. By exploiting this flaw, remote adversaries can access sensitive functions without proper authentication, posing a significant risk to the data integrity and security of the affected systems. It is crucial for users of MLflow to assess their installations and implement stronger password policies to mitigate this vulnerability.

Affected Version(s)

MLflow 2.21.0

References

https://www.zerodayinitiative.com/advisories/ZDI-25-932/

x_research-advisory

https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927...

vendor-advisory

CVSS V3.0

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 29, 2025
Vulnerability Reserved
Sep 30, 2025

JSON

Mlflow

What is CVE-2025-11200?

Affected Version(s)

References

CVSS V3.0

Timeline