
CVE-2026-0545

Severity: Critical · Public PoC

Published: 03 April 2026
Modified: 21 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0398 (percentile 89.1)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-0545 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.9% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Other Platforms and falls in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

The vulnerability is a missing-authentication flaw (CWE-306) in the mlflow/mlflow repository that results in an authentication bypass. MLflow's `basic-auth` app protects the tracking server's routes, but the FastAPI job endpoints mounted under `/ajax-api/3.0/jobs/*` are served outside that check, so enabling basic-auth does not cover them. The condition is reachable whenever job execution is turned on via `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true` and at least one job function has been allowlisted. The huntr report states that the latest version at the time of filing is affected; the asset record below lists all versions.

Any unauthenticated network client can therefore submit, read, search, or cancel jobs, bypassing basic-auth completely, which is why the CVSS vector carries PR:N and UI:N. When the allowlisted jobs include privileged operations such as shell execution or filesystem changes, this exposure becomes unauthenticated remote code execution. Even when every allowlisted job is benign, the flaw still permits job spam, denial of service, and leakage of job results to anonymous callers.

The sole reference is a huntr.com bounty report that describes the same conditions and impact; no separate advisory or patch information is supplied in the available references. The associated EPSS score has remained in a narrow band between its current value of 0.1124 and a peak of 0.1402.
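The failure mode above, as an added example: this is not MLflow's code. MLflow serves its tracking routes from a Flask app carrying the basic-auth hook and mounts the job API as a separate FastAPI app; the model below keeps only the property that matters, which is that an auth check attached to one sub-application does not cover a sibling application mounted next to it. It is plain WSGI-style dispatch with the standard library, so it runs offline, and it also shows the shape of the AC-3 (Access Enforcement) fix listed under Mitigating Controls: put the check in front of the whole mount table. The tracking path, the credential and the JSON bodies are constructed for illustration.

```python
"""Model of the CWE-306 pattern described in the advisory (added example, not MLflow code).

Route handlers take a WSGI-like environ dict and return (status line, body bytes).
The credential, the tracking path and the job-op names are made up for illustration.
"""
import base64
import json
from typing import Callable, Dict, Tuple

JOBS_PREFIX = "/ajax-api/3.0/jobs/"          # path prefix named in the advisory
VALID_USER, VALID_PASS = "admin", "password1234"   # constructed credential

Response = Tuple[str, bytes]


def tracking_app(environ) -> Response:
    """Stand-in for the tracking/UI routes, which basic-auth does cover."""
    return "200 OK", json.dumps({"route": "tracking", "path": environ["PATH_INFO"]}).encode()


def jobs_app(environ) -> Response:
    """Stand-in for the job endpoints (submit/read/search/cancel under the prefix)."""
    op = environ["PATH_INFO"][len(JOBS_PREFIX):] or "search"
    return "200 OK", json.dumps({"route": "jobs", "op": op, "method": environ["REQUEST_METHOD"]}).encode()


def credentials_ok(environ) -> bool:
    """HTTP Basic check against the constructed credential."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except Exception:
        return False
    return (user, pw) == (VALID_USER, VALID_PASS)


def require_basic_auth(app: Callable) -> Callable:
    """Wrap one app so every request routed through it must carry valid credentials."""
    def wrapped(environ) -> Response:
        if not credentials_ok(environ):
            return "401 Unauthorized", b'{"error":"authentication required"}'
        return app(environ)
    return wrapped


def mount(routes: Dict[str, Callable]) -> Callable:
    """Dispatch by longest matching path prefix, like a mount table in an ASGI/WSGI server."""
    def dispatcher(environ) -> Response:
        path = environ["PATH_INFO"]
        for prefix in sorted(routes, key=len, reverse=True):
            if path.startswith(prefix):
                return routes[prefix](environ)
        return "404 Not Found", b""
    return dispatcher


# Vulnerable shape: the auth wrapper sits on the tracking app only; the jobs app is a
# sibling mount that no request must pass through the check to reach.
vulnerable_server = mount({
    "/": require_basic_auth(tracking_app),
    JOBS_PREFIX: jobs_app,
})

# Hardened shape (AC-3, Access Enforcement): the wrapper sits in front of the whole
# mount table, so no prefix can be reached without credentials.
hardened_server = require_basic_auth(mount({
    "/": tracking_app,
    JOBS_PREFIX: jobs_app,
}))


def request(server: Callable, method: str, path: str, auth: str = "") -> Tuple[str, dict]:
    """Drive a server with a constructed environ; no network or real HTTP stack needed."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if auth:
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(auth.encode()).decode()
    status, body = server(environ)
    return status, (json.loads(body) if body else {})


if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_server), ("hardened", hardened_server)):
        status, _ = request(srv, "POST", JOBS_PREFIX)   # anonymous job submission
        print(f"{name:10s} POST {JOBS_PREFIX} without credentials -> {status}")
```

Run it and the vulnerable server answers the anonymous POST with 200 while still rejecting the tracking route with 401; the hardened server rejects both until credentials are supplied. The point of the model is that "basic-auth enabled" only means the routes behind the hook are covered, so any new mount (here the job API) must be verified separately.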

Vulnerability details

In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.

CWE: CWE-306 Missing Authentication for Critical Function

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mlflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Authentication bypass in public-facing MLflow web application (T1190) enables unauthorized job submission, management, and potential RCE/DoS via job spam (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
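Detection logic for the two techniques above, as an added example that is not part of this advisory: it parses Combined Log Format access-log lines of the kind a reverse proxy or gunicorn writes in front of MLflow (the sample lines are constructed) and flags, first, job-endpoint requests that carried no HTTP user yet were answered with a success status, which is the bypass itself (T1190), and second, a burst of job submissions from one client, which is the job-spam case (T1499.004). The 30-second window and the burst threshold are assumed tuning values; the route names follow the `/ajax-api/3.0/jobs/*` prefix from the advisory.

```python
"""Access-log detection for unauthenticated MLflow job-endpoint use (added example).

Sample log lines are constructed. Window and threshold are assumptions to tune.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

JOBS_PREFIX = "/ajax-api/3.0/jobs/"
BURST_WINDOW_S = 30      # assumed: seconds
BURST_THRESHOLD = 5      # assumed: submissions per window per client

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
10.0.0.7 - alice [21/Apr/2026:10:00:01 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.9 - - [21/Apr/2026:10:00:05 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 401 42 "-" "python-requests/2.31"
203.0.113.9 - - [21/Apr/2026:10:00:06 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 96 "-" "python-requests/2.31"
203.0.113.9 - - [21/Apr/2026:10:00:07 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 96 "-" "python-requests/2.31"
203.0.113.9 - - [21/Apr/2026:10:00:07 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 96 "-" "python-requests/2.31"
203.0.113.9 - - [21/Apr/2026:10:00:08 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 96 "-" "python-requests/2.31"
203.0.113.9 - - [21/Apr/2026:10:00:09 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 96 "-" "python-requests/2.31"
203.0.113.9 - - [21/Apr/2026:10:00:10 +0000] "GET /ajax-api/3.0/jobs/search HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - alice [21/Apr/2026:10:05:00 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 96 "-" "curl/8.5"
"""


def parse_line(line: str) -> Dict:
    """Return the parsed fields, or {} for a line that is not Combined Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_unauthenticated_job_hits(lines: List[str]) -> List[Dict]:
    """T1190 indicator: job-endpoint requests with no remote user that were not rejected."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(JOBS_PREFIX) and rec["user"] == "-" and rec["status"] < 400:
            hits.append(rec)
    return hits


def find_submission_bursts(lines: List[str]) -> Dict[str, int]:
    """T1499.004 indicator: clients POSTing to the job root >= BURST_THRESHOLD times in a window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == JOBS_PREFIX:
            by_ip[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > BURST_WINDOW_S:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in find_unauthenticated_job_hits(lines):
        print(f"T1190      {h['ip']} {h['method']} {h['path']} -> {h['status']} with no user")
    for ip, n in find_submission_bursts(lines).items():
        print(f"T1499.004  {ip}: {n} job submissions within {BURST_WINDOW_S}s")
```

The first rule is the more important one: on a correctly protected server a request with an empty user field to anything under `/ajax-api/3.0/jobs/` can only ever log a 401, so a 2xx there is a high-fidelity signal regardless of volume. The burst rule is a noisier secondary signal and should be tuned against the legitimate job rate of the deployment.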

CVEs Like This One

CVE-2025-11201 (same product: Lfprojects Mlflow)
CVE-2026-2652 (same product: Lfprojects Mlflow)
CVE-2025-11200 (same product: Lfprojects Mlflow)
CVE-2025-1473 (same product: Lfprojects Mlflow)
CVE-2025-15031 (same product: Lfprojects Mlflow)
CVE-2025-0453 (same product: Lfprojects Mlflow)
CVE-2026-4035 (same product: Lfprojects Mlflow)
CVE-2025-14287 (same product: Lfprojects Mlflow)
CVE-2024-8859 (same product: Lfprojects Mlflow)
CVE-2026-0596 (same product: Lfprojects Mlflow)

Affected Assets

Vendor: lfprojects
Product: mlflow
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces approved authorizations on the /ajax-api/3.0/jobs/* endpoints so that basic-auth cannot be bypassed; in practice this means placing the authentication check in front of every mounted sub-application, not only the tracking routes.

prevent
Restricts the privileged operations (shell, filesystem) that allowlisted jobs are permitted to perform, limiting the impact of any unauthenticated job submission. Until a fix is applied, the cheapest reduction is to leave `MLFLOW_SERVER_ENABLE_JOB_EXECUTION` unset or to empty the job allowlist, which removes the exposed function entirely.

AC-17 Remote Access (partial match, prevent)
Requires explicit authorization and security controls for all remote access paths, closing the unauthenticated network-client exposure to the job endpoints; a reverse proxy that enforces authentication on the /ajax-api/3.0/jobs/ prefix before forwarding to MLflow satisfies this independently of the application's own basic-auth app.
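A deployment check to verify the controls above, as an added example rather than MLflow tooling: it requests job endpoints from a running server with no credentials and classifies each answer. A correctly protected server challenges the anonymous caller (401 or 403) on every path under `/ajax-api/3.0/jobs/`, whether or not the route exists, because the auth layer runs before routing; a 404 or 405 therefore also means the check is not in front of that prefix. The candidate routes and methods are assumptions drawn from the advisory's "submit, read, search, cancel" wording and should be adjusted to the deployed version; the classifier needs only the status code.

```python
"""Unauthenticated probe of MLflow job endpoints (added example, not MLflow tooling).

Candidate routes are assumptions; only the status code drives the verdict.
"""
import json
import urllib.error
import urllib.request
from typing import List, Tuple

JOBS_PREFIX = "/ajax-api/3.0/jobs/"

# (method, path relative to the prefix). Assumed routes; edit for the deployed version.
CANDIDATES: List[Tuple[str, str]] = [
    ("GET", ""),
    ("GET", "search"),
    ("POST", ""),
    ("GET", "does-not-exist"),   # auth must still challenge on an unknown route
]


def classify(status: int) -> str:
    """Map the HTTP status of an anonymous request to a verdict."""
    if status in (401, 403):
        return "protected"            # auth layer rejected the anonymous caller
    if status in (404, 405):
        return "reachable-no-route"   # request reached the app unchallenged; route absent
    if 200 <= status < 300:
        return "EXPOSED"              # anonymous caller got a real answer
    return f"unexpected-{status}"     # 5xx etc.: investigate, do not conclude


def probe(base_url: str, timeout: float = 5.0) -> List[Tuple[str, str, str]]:
    """Send each candidate with no Authorization header; HTTP errors become verdicts."""
    results = []
    for method, rel in CANDIDATES:
        url = base_url.rstrip("/") + JOBS_PREFIX + rel
        data = json.dumps({}).encode() if method == "POST" else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as e:
            status = e.code
        results.append((method, url, classify(status)))
    return results


def is_exposed(results: List[Tuple[str, str, str]]) -> bool:
    """True if any job path was answered without an authentication challenge."""
    return any(verdict in ("EXPOSED", "reachable-no-route") for _, _, verdict in results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:5000"
    res = probe(target)
    for method, url, verdict in res:
        print(f"{verdict:20s} {method:4s} {url}")
    print("VULNERABLE: job endpoints answer anonymous clients" if is_exposed(res)
          else "OK: every job path challenged the anonymous caller")
```

Run it against the tracking server's base URL from a network position an attacker could occupy, not from localhost behind the proxy, since the point of AC-17 is the remote path. Re-run after enabling the fix or the proxy rule to confirm every candidate reports "protected".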
