MLflow shipped admin:password1234 as default creds – and that's just one finding (medium.com)

A recent static analysis of the open-source MLflow platform, a tool for managing machine learning lifecycles, revealed nine critical security vulnerabilities, including hardcoded default admin credentials ('admin:password1234') shipped intentionally. These findings were reported via GitHub Security Advisories by analyst Sreejith Gopinath and prompted rapid engagement from Databricks, the platform's steward. Notably, all vulnerabilities were addressed within a day of escalation, indicating a swift response from the vendor. The implications of these findings are significant for the AI/ML community, as MLflow is widely used in data science environments for managing model artifacts and credentials. The exposed default admin credentials pose a substantial risk if the platform is deployed without proper configuration. Other notable vulnerabilities included potential command and code injections, highlighting the importance of secure coding practices within machine learning infrastructure. Fixes have been implemented in the latest MLflow release (version 3.12.0), underscoring the community's ongoing commitment to improving security standards in AI tools.