Vulnerability Instance
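Look up vulnerabilities affecting packages. When reading the record below, note that "is_vulnerable": true on the fixed package refers to the other vulnerabilities listed under "affected_by_vulnerabilities", and that the empty "affected_packages" list means no affected versions are recorded in this entry, not that none exist.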
GET /api/vulnerabilities/50290?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50290?format=api", "vulnerability_id": "VCID-tbbj-9qan-ubgg", "summary": "MLflow Use of Default Password Authentication Bypass Vulnerability\nThis vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.", "aliases": [ { "alias": "CVE-2026-2635" }, { "alias": "GHSA-gq3w-7jj3-x7gr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49209?format=api", "purl": "pkg:pypi/mlflow@3.8.0rc0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu1t-7wnm-y7hk" }, { "vulnerability": "VCID-g9p5-4cqv-qfew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mlflow@3.8.0rc0" } ], "affected_packages": [], "references": [ { "reference_url": "https://github.com/mlflow/mlflow", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow" }, { "reference_url": "https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4" }, { "reference_url": "https://github.com/mlflow/mlflow/pull/19260", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/pull/19260" }, { "reference_url": "https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-26-111", "reference_id": "", 
"reference_type": "", "scores": [], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-111" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2635", "reference_id": "CVE-2026-2635", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2635" }, { "reference_url": "https://github.com/advisories/GHSA-gq3w-7jj3-x7gr", "reference_id": "GHSA-gq3w-7jj3-x7gr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gq3w-7jj3-x7gr" } ], "weaknesses": [ { "cwe_id": 1393, "name": "Use of Default Password", "description": "The product uses default passwords for potentially critical functionality." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tbbj-9qan-ubgg" }