CVE-2025-1474

Name of the Vulnerable Software and Affected Versions mlflow/mlflow version 2.18

Description In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

Recommendations For mlflow/mlflow version 2.18, update to version 2.19.0 to resolve the issue. As a temporary workaround, consider disabling the creation of new user accounts without passwords until a patch is available. Restrict access to the user account management functionality to minimize the risk of exploitation. Avoid creating new user accounts without setting a password in the affected version until the issue is resolved.