CVE-2025-11200 · CRITICAL 9.8 · EPSS p68.2%


Description

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.
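The description attributes the bypass to CWE-521, weak password requirements: an account-creation or password-change path that accepts any value, including an empty string, so that an unauthenticated party can end up with credentials that authenticate. The following is an added example written for this page, not MLflow's own code and not the change in the referenced fix commit. It puts the weak pattern beside a hardened policy on the same account-creation path; the minimum length, the deny-list, and the PBKDF2 parameters are illustrative assumptions rather than values taken from the advisory.

```python
# Added example, not MLflow's code: the shape of CWE-521 (weak password
# requirements) in an account-creation path, with a hardened policy beside it.
# The minimum length, deny-list and PBKDF2 parameters are illustrative
# assumptions, not values taken from the advisory or the fix commit.
import hashlib
import hmac
import os
import unicodedata

MIN_PASSWORD_LENGTH = 12  # assumed policy value
# Constructed deny-list; a real deployment would load a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "mlflow"}
SALT_LEN = 16
PBKDF2_ROUNDS = 200_000


class PolicyError(ValueError):
    """Raised when a password fails the policy."""


def validate_password_weak(password, username=None):
    """CWE-521 pattern: the only check is that the field is present.
    An empty or one-character password is accepted and stored."""
    if password is None:
        raise PolicyError("password required")
    return password


def validate_password(password, username=None):
    """Hardened policy: NFKC-normalize, then reject empty/whitespace-only,
    short, deny-listed, and username-containing passwords."""
    if not isinstance(password, str):
        raise PolicyError("password must be a string")
    pw = unicodedata.normalize("NFKC", password)
    if not pw.strip():
        raise PolicyError("password must not be empty or whitespace-only")
    if len(pw) < MIN_PASSWORD_LENGTH:
        raise PolicyError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        raise PolicyError("password is on the deny-list")
    if username and username.lower() in pw.lower():
        raise PolicyError("password must not contain the username")
    return pw


def policy_accepts(validator, password, username=None):
    """True if the given policy lets the password through."""
    try:
        validator(password, username)
        return True
    except PolicyError:
        return False


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (illustrative; prefer bcrypt/argon2 in
    production). Returns salt || digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time comparison of the candidate against the stored digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def create_user(store, username, password, validator=validate_password):
    """Account creation parameterized by the policy, so the weak and
    hardened behaviour can be compared on identical input."""
    if not username or username in store:
        raise PolicyError("username missing or already taken")
    store[username] = hash_password(validator(password, username))
    return username


if __name__ == "__main__":
    # With the weak policy an account with an empty password is created
    # and that empty string then authenticates.
    weak_store = {}
    create_user(weak_store, "alice", "", validator=validate_password_weak)
    print("weak policy: empty password authenticates ->", verify_password("", weak_store["alice"]))
    # The hardened policy refuses the same request.
    print("hardened policy accepts '':", policy_accepts(validate_password, ""))
    print("hardened policy accepts passphrase:",
          policy_accepts(validate_password, "correct horse battery staple", "alice"))
```

The point of the weak/hardened pair is that the bypass needs no cryptographic flaw: the hash and comparison are the same in both paths, and the only difference is whether the server refuses to store a credential that anyone can supply. When auditing a deployment, test the account-creation and password-change endpoints with an empty and a one-character password and confirm that both are rejected server-side, not merely in the UI.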

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.36% probability of exploitation · percentile 68.2% · 2026-06-21T12:00:28Z
Published: 2025-10-29
Last modified: 2025-12-31

Underlying weaknesses · 1

CWE-521

References

  1. https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54
  2. https://www.zerodayinitiative.com/advisories/ZDI-25-932/

Type       Target                                Confidence  Tier
Weakness   Weak Password Requirements (CWE-521)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-2635
  2. CVE: CVE-2025-11201
  3. CVE: Langflow Missing Authentication Vulnerability
  4. CVE: CVE-2026-0545
  5. CVE: CVE-2026-10803
  6. CVE: CVE-2025-47995

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.