AVID-2026-R1652
Description
Weak Password Requirements in mlflow/mlflow (CVE-2025-1474)
Details
In mlflow/mlflow version 2.18, an admin can create a new user account without setting a password. An account with no password is open to unauthorized access by anyone who can reach the tracking server and knows the username, and accepting such accounts violates basic practice for secure user account management. The issue is fixed in version 2.19.0.
Reason for inclusion in AVID: the CVE describes a security vulnerability in mlflow (an AI/ML tooling framework) that lets an admin create a user without a password. mlflow is used in AI pipelines and deployment workflows, so this vulnerability affects the software supply chain for general-purpose AI systems; it is a CVE-style vulnerability (weak password requirements), and the report provides the affected version, the fix version, and references.
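The weak pattern described above, beside a hardened user-creation path and an audit check, as an added example written for this entry; it is not mlflow's own code. The in-memory store, the `pbkdf2_sha256$...` hash encoding, the 12-character minimum and all function names are assumptions made for the illustration, not MLflow's real schema or policy. The audit function answers the question a practitioner has after reading the advisory: are there existing accounts whose stored hash verifies against the empty string?

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Assumed policy for this example, not MLflow's.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000


def new_store() -> Dict[str, str]:
    """Constructed in-memory user store: username -> encoded password hash."""
    return {}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256, encoded as 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def vulnerable_create_user(store: Dict[str, str], username: str, password: Optional[str]) -> None:
    """The weak pattern (CWE-521): a missing or empty password is silently
    accepted, hashed like any other secret, and the account is usable."""
    store[username] = hash_password(password or "")


def create_user(store: Dict[str, str], username: str, password: Optional[str]) -> None:
    """Hardened path: refuse missing, empty, whitespace-only and short passwords
    before anything touches the store."""
    if not username or not username.strip():
        raise ValueError("username must not be empty")
    if password is None or not password.strip():
        raise ValueError("password must be set")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if username in store:
        raise ValueError("user already exists")
    store[username] = hash_password(password)


def find_passwordless_accounts(store: Dict[str, str]) -> List[str]:
    """Audit check: usernames whose stored hash verifies against the empty
    string, i.e. accounts created the way the vulnerable path allowed."""
    return sorted(user for user, stored in store.items() if verify_password(stored, ""))


if __name__ == "__main__":
    s = new_store()
    vulnerable_create_user(s, "alice", None)  # what the pre-fix admin path permitted
    vulnerable_create_user(s, "bob", "correct horse battery staple")
    print("passwordless accounts:", find_passwordless_accounts(s))
    try:
        create_user(s, "carol", "")
    except ValueError as exc:
        print("rejected:", exc)
```

Against a real deployment the same audit runs over the authentication database rather than a dict: iterate the stored hashes, and any that verify against `""` are accounts to reset or disable before upgrading to 2.19.0, since the fix stops new passwordless users from being created but does not itself repair accounts that already exist.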
References
- NVD entry
- https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d
- https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17
Affected or Relevant Artifacts
- Developer: mlflow
- Deployer: mlflow
- Artifact Details:
| Type | Name |
|---|---|
| System | mlflow/mlflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N |
| Base Score | 3.8 |
| Base Severity | 🟢 Low |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🔴 High |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🟢 Low |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-521 | Weak Password Requirements |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry