CVE-2025-1474: In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerabil
medium vulnerability
security
Summary
In MLflow (a machine learning workflow tool) version 2.18, an administrator can create a user account without setting a password. This violates security best practices and could allow unauthorized access to such accounts. The vulnerability is classified under weak password requirements, meaning the system doesn't enforce strong authentication measures.
Solution / Mitigation
The issue is fixed in version 2.19.0. Users should upgrade MLflow from version 2.18 to version 2.19.0 or later.
Vulnerability Details
CVSS Score
5.5 (medium)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Sophistication: Trivial
Impact (CIA+S)
integrity, confidentiality
AI Component Targeted: Framework
Taxonomy References
CWE (Weakness Type)
Affected Vendors
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-1474
First tracked: February 15, 2026 at 08:46 PM
Classified by LLM (prompt v3) · confidence: 85%