CVE-2026-0545
Published: 03 April 2026
Summary
CVE-2026-0545 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
AC-14 requires defining and restricting actions performable without identification or authentication, directly preventing unauthenticated access to vulnerable MLflow job endpoints.
AC-3 enforces approved authorizations for logical access, ensuring FastAPI job endpoints under /ajax-api/3.0/jobs/* require authentication despite basic-auth configuration.
IA-2 mandates identification and authentication for organizational users, mitigating the authentication bypass allowing unauthorized job submission, reading, searching, and cancellation.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The authentication bypass in a public-facing MLflow web application (T1190) enables unauthorized job submission and management, which can lead to remote code execution when allowlisted jobs are privileged, and to denial of service through job spam (T1499.004).
NVD Description
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
Deeper analysis (AI-generated)
CVE-2026-0545 is a critical authentication bypass vulnerability (CVSS 9.8, CWE-306) in mlflow/mlflow, affecting the latest version of the repository. The FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled, allowing unauthorized access despite basic-auth configuration.
Any network client can exploit this vulnerability without privileges if job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted. Attackers can submit, read, search, and cancel jobs without credentials, fully bypassing basic-auth. This may enable unauthenticated remote code execution if allowlisted jobs perform privileged actions like shell execution or filesystem changes; otherwise, it still permits job spam, denial of service (DoS), or exposure of data in job results.
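The defensive point of AC-3/IA-2 here is that authentication must be enforced at a layer the job router cannot bypass. The following is an added example, not MLflow's own code and not the fix shipped by the project: a deny-by-default ASGI middleware that sits in front of any app and returns 401 for every request under `/ajax-api/3.0/jobs` unless it carries valid HTTP Basic credentials. The user store (`USERS`), the stand-in `unprotected_jobs_app` that answers 200 to everything (mimicking the unprotected endpoints), and the in-memory request driver `request_status` are all constructed for the example; a real deployment would validate against the basic-auth app's user database instead.

```python
"""Deny-by-default Basic-auth gate for the MLflow job endpoints (added example, not project code)."""
import asyncio
import base64
import hmac
from typing import Optional

# Path prefix named in the advisory. Any request at or below it must carry valid credentials.
PROTECTED_PREFIX = "/ajax-api/3.0/jobs"

# Constructed credential store (hypothetical). Production code would consult the
# basic-auth app's user database rather than an in-memory dict.
USERS = {"alice": "correct-horse-battery-staple"}


def check_basic_auth(header_value: Optional[str]) -> Optional[str]:
    """Return the username if the Authorization header carries valid Basic credentials, else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    # Constant-time comparison so a wrong password does not leak its length via timing.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def is_protected(path: str) -> bool:
    """True for the prefix itself and anything below it; '/ajax-api/3.0/jobsx' is not matched."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


class JobsAuthGate:
    """ASGI middleware: rejects unauthenticated job requests before the wrapped app ever sees them."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and is_protected(scope["path"]):
            headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                       for k, v in scope.get("headers", [])}
            if check_basic_auth(headers.get("authorization")) is None:
                await send({"type": "http.response.start", "status": 401,
                            "headers": [(b"www-authenticate", b'Basic realm="mlflow"'),
                                        (b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"authentication required"})
                return
        await self.app(scope, receive, send)


async def unprotected_jobs_app(scope, receive, send):
    """Constructed stand-in for the job router: answers 200 to every request, like the vulnerable endpoints."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"jobs": []}'})


def request_status(app, path: str, authorization: Optional[str] = None) -> int:
    """Drive an ASGI app with a minimal in-memory GET request and return the response status code."""
    headers = []
    if authorization is not None:
        headers.append((b"authorization", authorization.encode("latin-1")))
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return next(m["status"] for m in sent if m["type"] == "http.response.start")


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    gated = JobsAuthGate(unprotected_jobs_app)
    print(request_status(unprotected_jobs_app, "/ajax-api/3.0/jobs/search"))                 # 200
    print(request_status(gated, "/ajax-api/3.0/jobs/search"))                                # 401
    print(request_status(gated, "/ajax-api/3.0/jobs/search", basic_header("alice", "wrong")))  # 401
    print(request_status(gated, "/ajax-api/3.0/jobs/search",
                         basic_header("alice", "correct-horse-battery-staple")))            # 200
```

The gate matches on the request path the ASGI server has already decoded, so it is applied uniformly to every route registered below the prefix, including routes mounted later by a sub-application; that is what makes it an enforcement point in the AC-3 sense rather than a per-route decorator that can be forgotten.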
Mitigation details are available in the Huntr.com bounty advisory at https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8.
Mlflow manages end-to-end machine learning lifecycles, making this vulnerability particularly relevant to AI/ML infrastructure deployments. No real-world exploitation has been reported.
Details
- CWE(s)