Description

In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.

INFO

Published Date :

2026-04-03T17:03:12.833Z

Last Modified :

2026-04-03T17:49:22.749Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2026-0545 vulnerability.

Vendors Products
Mlflow
  • Mlflow
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-0545.

URL Resource
https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact