CVE-2026-0545
Status: Received - Intake
Authentication Bypass in MLflow FastAPI Jobs Enables RCE

Publication date: 2026-04-03

Last updated on: 2026-04-21

Assigner: huntr.dev

Description
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
Meta Information

Generated: 2026-06-16

AI Q&A generated: 2026-04-03

EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)

Vendor: lfprojects
Product: mlflow
Version / Range: *
CWE

CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

This vulnerability exists in the mlflow/mlflow project where the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled.

If job execution is enabled and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without providing credentials, effectively bypassing the basic authentication.

This can lead to unauthenticated remote code execution if the allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if the jobs are safe, this still represents an authentication bypass that can result in job spam, denial of service, or exposure of data in job results.

Impact Analysis

This vulnerability can have several serious impacts:

  • Unauthenticated remote code execution if allowed jobs perform privileged actions.
  • Bypassing authentication, allowing any network client to submit, read, search, and cancel jobs.
  • Potential job spam which could overwhelm the system.
  • Denial of Service (DoS) due to abuse of job execution.
  • Exposure of sensitive data in job results.

Mitigation Strategies

To mitigate this vulnerability, ensure that the authentication and authorization enforced by the `basic-auth` app also cover the FastAPI job endpoints under `/ajax-api/3.0/jobs/*`, so that no request to those routes is served without credentials.

Disable job execution by setting `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false` if job execution is not required.

Review and restrict the allowlisted job functions to prevent any privileged actions such as shell execution or filesystem changes.

Apply any available patches or updates from the mlflow repository that address this authentication bypass.
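As an added illustration of the first mitigation above (this is not MLflow's code; the guard class, the `_authorized` helper, the sample users and the stand-in job backend are all hypothetical), the ASGI wrapper below sits outside the whole server so that every request under the job prefix must carry valid HTTP Basic credentials, and it refuses job requests outright when job execution is disabled, mirroring `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false`:

```python
import asyncio
import base64
import hmac
JOBS_PREFIX = "/ajax-api/3.0/jobs"  # prefix from the advisory; matched bare and with any sub-path

def _authorized(users, headers):
    """True only if the request carries 'Authorization: Basic <b64(user:password)>' for a known user."""
    value = next((v for k, v in headers if k.lower() == b"authorization"), b"")
    scheme, _, token = value.strip().partition(b" ")
    if scheme.lower() != b"basic":
        return False
    try:
        user, _, password = base64.b64decode(token.strip(), validate=True).partition(b":")
    except ValueError:  # binascii.Error (malformed token) is a ValueError subclass
        return False
    expected = users.get(user.decode("utf-8", "replace"))
    return expected is not None and hmac.compare_digest(expected.encode(), password)

async def _reply(send, status, body, extra=()):
    headers = [(b"content-type", b"text/plain"), *extra]
    await send({"type": "http.response.start", "status": status, "headers": headers})
    await send({"type": "http.response.body", "body": body})

class JobsAuthGuard:  # outermost ASGI wrapper, so a mounted job sub-app cannot be reached around it
    def __init__(self, app, users, jobs_enabled):
        self.app, self.users, self.jobs_enabled = app, users, jobs_enabled  # users: {name: password}

    async def __call__(self, scope, receive, send):
        path = scope.get("path", "")
        if scope["type"] != "http" or not (path == JOBS_PREFIX or path.startswith(JOBS_PREFIX + "/")):
            return await self.app(scope, receive, send)  # not a job route: pass through untouched
        if not self.jobs_enabled:  # mirrors MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false
            return await _reply(send, 404, b"job execution disabled")
        if not _authorized(self.users, scope.get("headers", [])):
            return await _reply(send, 401, b"unauthorized", [(b"www-authenticate", b'Basic realm="mlflow"')])
        return await self.app(scope, receive, send)

async def job_backend(scope, receive, send):  # stand-in for the mounted job sub-app (constructed)
    await _reply(send, 200, b"job api")

def request_status(guard, path, authorization=None):
    """Drive one in-memory request through the guard and return the HTTP status it produced."""
    headers = [(b"authorization", authorization)] if authorization else []
    sent = []
    async def send(message):
        sent.append(message)
    asyncio.run(guard({"type": "http", "path": path, "headers": headers}, None, send))
    return sent[0]["status"]
USERS = {"admin": "s3cret"}  # constructed sample credentials for the example
GUARDED = JobsAuthGuard(job_backend, USERS, jobs_enabled=True)
```

The prefix test is a plain string match on the decoded ASGI path; if the server normalises paths differently (dot segments, repeated slashes), the check belongs in the router's own dependency rather than in a wrapper like this.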

Compliance Impact

This vulnerability allows unauthenticated access to job endpoints, bypassing authentication and authorization controls. Such unauthorized access can lead to data exposure in job results and potential denial of service, which may violate data protection and security requirements mandated by standards like GDPR and HIPAA.

Specifically, the lack of proper authentication could result in unauthorized disclosure of sensitive information or manipulation of job executions, undermining confidentiality and integrity principles essential for compliance with these regulations.
