CVE-2026-0545
Published: 03 April 2026
Summary
CVE-2026-0545 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.9% of CVEs by exploit likelihood, it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under Other Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
The vulnerability is an authentication bypass (CWE-306) in the mlflow/mlflow repository: the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not covered by the basic-auth app, so they remain reachable without credentials even when that app is enabled. It affects the latest version of the software whenever job execution is turned on (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and at least one job function has been allowlisted.
Any unauthenticated network client can therefore submit, read, search, or cancel jobs, bypassing basic-auth entirely. When the allowlisted jobs include privileged operations such as shell execution or filesystem changes, this amounts to unauthenticated remote code execution; even without such jobs the flaw still permits job spam, denial of service, or leakage of job results. Because the exposure exists only when `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true` and a job function is allowlisted, operators who do not need job execution remove the exposed surface by leaving that flag unset. The issue carries a CVSS base score of 9.8.
The sole reference is a huntr.com bounty report describing the same conditions and impact; no separate advisory or patch information appears in the available references. The EPSS score has stayed in a narrow band, currently 0.1124 with a peak of 0.1402.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18809
Vulnerability details
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
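The root cause described above (in both the deeper analysis and the vulnerability details) is an authentication layer that does not cover one route prefix. The following is an added example, not MLflow's own code and not the upstream fix: a minimal ASGI gate that demands valid HTTP Basic credentials for every request under `/ajax-api/3.0/jobs/` before the wrapped application sees it, driven offline with a constructed scope. The prefix is the one named in the advisory; the credential table, the realm, the demo inner app and the `probe` helper are assumptions for illustration.

```python
"""Added example, not MLflow's own code: an ASGI gate that demands valid HTTP
Basic credentials for every request under /ajax-api/3.0/jobs/ before the
wrapped application sees it. The prefix is the one named in the advisory; the
credential table, realm and demo inner app are assumptions for illustration."""
import asyncio
import base64
import hmac

JOB_PREFIX = "/ajax-api/3.0/jobs/"  # prefix named in the advisory
# Assumed credential store (username -> password). A real deployment verifies
# a salted password hash instead of holding plaintext in memory.
USERS = {"admin": "correct horse battery staple"}


def is_job_path(path):
    """True for /ajax-api/3.0/jobs and anything below it, not for /jobsmith."""
    return path == JOB_PREFIX.rstrip("/") or path.startswith(JOB_PREFIX)


def basic_auth_ok(headers):
    """Accept only a well-formed Basic credential that matches USERS."""
    auth = dict(headers).get(b"authorization", b"")
    scheme, _, token = auth.partition(b" ")
    if scheme.lower() != b"basic" or not token:
        return False
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # bad base64 or non-UTF-8 bytes
        return False
    expected = USERS.get(user, "")
    # compare_digest keeps the comparison constant-time; comparing against ""
    # for unknown users avoids an early return that would reveal valid names.
    return hmac.compare_digest(pw.encode(), expected.encode()) and user in USERS


def require_basic_auth(app):
    """Wrap an ASGI app: job-endpoint requests without valid credentials get 401."""
    async def gated(scope, receive, send):
        if (scope["type"] == "http" and is_job_path(scope["path"])
                and not basic_auth_ok(scope.get("headers", []))):
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"www-authenticate", b'Basic realm="mlflow"'),
                                    (b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Unauthorized"})
            return
        await app(scope, receive, send)
    return gated


async def demo_app(scope, receive, send):
    """Stand-in for the MLflow app: answers 200 to everything it receives."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def basic_header(user, pw):
    """Build the Authorization header value a client would send."""
    return b"Basic " + base64.b64encode(f"{user}:{pw}".encode())


def probe(path, authorization=None):
    """Drive the gated app with a constructed ASGI scope; return the HTTP status."""
    headers = [(b"host", b"mlflow.local")]
    if authorization is not None:
        headers.append((b"authorization", authorization))
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(require_basic_auth(demo_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    print("no creds:   ", probe("/ajax-api/3.0/jobs/search"))
    print("good creds: ", probe("/ajax-api/3.0/jobs/search",
                                basic_header("admin", "correct horse battery staple")))
    print("other route:", probe("/ajax-api/2.0/mlflow/experiments/search"))
```

Two caveats apply to any gate of this shape. It matches on the decoded ASGI `path`, so the server in front of it must have normalised doubled slashes, dot segments and percent-encoding first, otherwise a request such as `//ajax-api/3.0/jobs/search` may reach the routes without passing through the prefix check. And it is a stop-gap for the job prefix only: the other routes are still expected to be protected by the basic-auth app itself, which is why `probe` lets them through unchanged.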
- CWE(s): CWE-306 Missing Authentication for Critical Function
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mlflow
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in a public-facing MLflow web application (Exploit Public-Facing Application, T1190) enables unauthorized job submission and management, and potential RCE or DoS through job spam (Endpoint Denial of Service: Application or System Exploitation, T1499.004).
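Both techniques leave a footprint in the access logs of whatever sits in front of MLflow. The following is an added example, not part of the advisory or of MLflow: a detection pass over constructed Common Log Format lines from a reverse proxy. It flags 2xx responses on the job endpoints that carried no authenticated user (the bypass, T1190) and bursts of job requests from one client within a minute (job spam, T1499.004). The log lines, the `POST /ajax-api/3.0/jobs` submit path and the burst threshold are assumptions; only the `/ajax-api/3.0/jobs/` prefix comes from the advisory.

```python
"""Added example, not part of the advisory or of MLflow: a detection pass over
constructed Common Log Format access logs from a reverse proxy in front of
MLflow. It flags 2xx responses on the job endpoints with no authenticated user
(the bypass, T1190) and bursts of job requests from one client (job spam,
T1499.004). The log lines, the POST /ajax-api/3.0/jobs submit path and the
burst threshold are assumptions."""
import re
from collections import Counter
from datetime import datetime

JOB_PREFIX = "/ajax-api/3.0/jobs/"   # prefix named in the advisory
BURST_THRESHOLD = 20                 # assumed: job requests per client per minute

# CLF: host ident authuser [timestamp] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample: a rejected non-job request, one authenticated job search,
# one unauthenticated job search that succeeded, then 25 unauthenticated job
# submissions from the same client inside a single minute.
SAMPLE_LOG = (
    '10.0.0.5 - - [03/Apr/2026:10:00:01 +0000] "GET /ajax-api/2.0/mlflow/experiments/search HTTP/1.1" 401 0\n'
    '10.0.0.5 - alice [03/Apr/2026:10:00:02 +0000] "GET /ajax-api/3.0/jobs/search HTTP/1.1" 200 512\n'
    '10.0.0.9 - - [03/Apr/2026:10:00:04 +0000] "GET /ajax-api/3.0/jobs/search?max_results=100 HTTP/1.1" 200 2048\n'
    + "".join(
        f'10.0.0.9 - - [03/Apr/2026:10:01:{s:02d} +0000] "POST /ajax-api/3.0/jobs HTTP/1.1" 200 64\n'
        for s in range(25)))


def is_job_path(path):
    """True for /ajax-api/3.0/jobs and anything below it."""
    return path == JOB_PREFIX.rstrip("/") or path.startswith(JOB_PREFIX)


def analyze(log_text):
    """Return unauthenticated successful job hits and per-client job bursts."""
    unauth_hits = []
    per_minute = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue            # skip lines that are not CLF (or are truncated)
        path = m["target"].split("?", 1)[0]   # drop the query string
        if not is_job_path(path):
            continue
        status = int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_minute[(m["host"], ts.strftime("%Y-%m-%dT%H:%M"))] += 1
        # A 2xx with no authuser on a job route is the bypass in action.
        if m["user"] == "-" and 200 <= status < 300:
            unauth_hits.append((m["host"], path, status))
    bursts = sorted((host, minute, n) for (host, minute), n in per_minute.items()
                    if n >= BURST_THRESHOLD)
    return {"unauthenticated_hits": unauth_hits, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(len(result["unauthenticated_hits"]), "unauthenticated 2xx job requests")
    for host, minute, n in result["bursts"]:
        print(f"burst: {host} sent {n} job requests during {minute}")
```

The first rule only works when the proxy is the component that authenticates (or is configured to log the user it forwards): if the basic-auth app inside MLflow performs the check, the CLF authuser field is `-` for every request, authenticated or not, and the same logic has to be fed from the application's own authentication log instead. Once the endpoints are protected, a 2xx on a job route with no user should never occur, so any hit is a high-confidence signal; the burst rule is noisier and the threshold should be tuned to the deployment's legitimate job rate.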
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved authorizations on the /ajax-api/3.0/jobs/* endpoints so that basic-auth cannot be bypassed.
- Restricts the privileged operations (shell, filesystem) that allowlisted jobs are permitted to perform, limiting the impact of any unauthenticated job submission.
- AC-17 (Remote Access): requires explicit authorization and security controls for all remote access paths, closing the unauthenticated network-client exposure to the job endpoints.