CVE-2026-0545

CriticalPublic PoC

Published: 03 April 2026

Published

03 April 2026

Modified

21 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0550 90.3th percentile

Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Description

In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function…

is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

AC-14 requires defining and restricting actions performable without identification or authentication, directly preventing unauthenticated access to vulnerable MLflow job endpoints.

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for logical access, ensuring FastAPI job endpoints under /ajax-api/3.0/jobs/* require authentication despite basic-auth configuration.

IA-2 Identification and Authentication (Organizational Users) good match

prevent

IA-2 mandates identification and authentication for organizational users, mitigating the authentication bypass allowing unauthorized job submission, reading, searching, and cancellation.

Security SummaryAI

CVE-2026-0545 is a critical authentication bypass vulnerability (CVSS 9.8, CWE-306) in mlflow/mlflow, affecting the latest version of the repository. The FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled, allowing unauthorized access despite basic-auth configuration.

Any network client can exploit this vulnerability without privileges if job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted. Attackers can submit, read, search, and cancel jobs without credentials, fully bypassing basic-auth. This may enable unauthenticated remote code execution if allowlisted jobs perform privileged actions like shell execution or filesystem changes; otherwise, it still permits job spam, denial of service (DoS), or exposure of data in job results.

Mitigation details are available in the Huntr.com bounty advisory at https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8.

Mlflow manages end-to-end machine learning lifecycles, making this vulnerability particularly relevant to AI/ML infrastructure deployments. No real-world exploitation has been reported.

Details

CWE(s): CWE-306

Affected Products

lfprojects

mlflow

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Authentication bypass in public-facing MLflow web application (T1190) enables unauthorized job submission, management, and potential RCE/DoS via job spam (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8
Third Party Advisory, Exploit · security@huntr.dev