CVE-2026-0545
published 2026-04-03


Priority: P277 · Severity: critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.39% (90.1th percentile)
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.

Affected (21 ranges)

Vendor | Product | Version range | Fixed in
mlflow | mlflow_mlflow | 0 – 3.10.1 |
mlflow | mlflow_mlflow | unspecified – latest |
rhoai | odh-mlflow-rhel9 | |
rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | |
rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | |
rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | |
rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | |
rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | |
rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | |
rhoai | odh-th06-cpu-torch210-py312-rhel9 | |
rhoai | odh-th06-cuda130-torch210-py312-rhel9 | |
rhoai | odh-th06-rocm64-torch291-py312-rhel9 | |
rhoai | odh-training-cuda128-torch29-py312-rhel9 | |
rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | |
rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | |
rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | |
rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | |
rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | |
rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | |
rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | |
rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | |

No fixed version is listed for any range.

Detection & IOCs (extracted from sources)

URL: /ajax-api/3.0/jobs/*
  • Monitor for HTTP requests without an Authorization header that target the MLflow job API path /ajax-api/3.0/jobs/* on any MLflow server instance; with basic-auth working, such requests should be rejected, so a 2xx response to one is the bypass itself.
  • Flag MLflow servers where the environment variable MLFLOW_SERVER_ENABLE_JOB_EXECUTION is set to true, as this is a prerequisite for exploitability.
  • Alert on unauthenticated job submission, read, search, or cancel operations against /ajax-api/3.0/jobs/* endpoints, which may indicate authentication bypass exploitation.
  • Investigate job results and job execution logs for signs of shell execution or filesystem changes triggered via unauthenticated job submissions, as these indicate potential unauthenticated RCE.
  • The vulnerability is only exploitable when the basic-auth app is enabled AND job execution is enabled via the environment variable MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true AND at least one job function is allowlisted.
  • Even without privileged job functions, the authentication bypass alone enables job spam, denial of service, or data exposure in job results.
  • As of the published date (April 3, 2026), no fix was available for CVE-2026-0545.
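The detection logic above, as an added example that is not from this page or from the MLflow project: it scans reverse-proxy access logs for the job API prefix and classifies each hit by whether credentials were presented and whether the server still answered 2xx. It assumes a combined-format log (nginx style) whose third field is the user parsed from the Basic Authorization header ("-" when absent); the sample log lines and the exact sub-paths under /ajax-api/3.0/jobs/ are constructed for illustration, since the page only documents the wildcard prefix.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: nginx combined log in front of an MLflow server running the
# basic-auth app. Field 3 is $remote_user, taken from the Authorization header.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Apr/2026:10:01:12 +0000] "GET /ajax-api/2.0/mlflow/experiments/search HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [03/Apr/2026:10:02:01 +0000] "POST /ajax-api/3.0/jobs HTTP/1.1" 200 187 "-" "curl/8.5.0"
203.0.113.7 - - [03/Apr/2026:10:02:03 +0000] "GET /ajax-api/3.0/jobs/search?max_results=100 HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.9 - - [03/Apr/2026:10:03:40 +0000] "GET /ajax-api/2.0/mlflow/runs/search HTTP/1.1" 401 0 "-" "curl/8.5.0"
198.51.100.9 - - [03/Apr/2026:10:03:41 +0000] "POST /ajax-api/3.0/jobs HTTP/1.1" 401 0 "-" "curl/8.5.0"
10.0.0.5 - alice [03/Apr/2026:10:04:00 +0000] "POST /ajax-api/3.0/jobs HTTP/1.1" 200 187 "-" "python-requests/2.31"
"""

JOB_API_PREFIX = "/ajax-api/3.0/jobs"  # the path documented in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_job_api(path: str) -> bool:
    """True for /ajax-api/3.0/jobs and anything beneath it (query string ignored)."""
    path = path.split("?", 1)[0]
    return path == JOB_API_PREFIX or path.startswith(JOB_API_PREFIX + "/")


def classify(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Return (ip, method, path, status, verdict) for job-API requests, else None.

    verdict:
      'bypass'        no credentials presented, server answered 2xx  (the CVE)
      'unauth_probe'  no credentials, server rejected (401/403)       (recon/noise)
      'authenticated' a user was presented                            (expected)
    """
    m = LOG_RE.match(line)
    if not m or not is_job_api(m["path"]):
        return None
    status = int(m["status"])
    if m["user"] == "-":
        verdict = "bypass" if 200 <= status < 300 else "unauth_probe"
    else:
        verdict = "authenticated"
    return (m["ip"], m["method"], m["path"], status, verdict)


def scan(log_text: str) -> List[Tuple[str, str, str, int, str]]:
    """Classify every job-API request in a log blob."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def job_execution_enabled(env: Dict[str, str]) -> bool:
    """Prerequisite check from the advisory: MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true.

    The allowlisted-job-function condition is not checked here; the advisory does
    not name how the allowlist is configured, so that must be verified manually.
    """
    return env.get("MLFLOW_SERVER_ENABLE_JOB_EXECUTION", "").strip().lower() == "true"


if __name__ == "__main__":
    import os
    for ip, method, path, status, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:13s} {ip:15s} {method:5s} {status} {path}")
    print("job execution enabled:", job_execution_enabled(dict(os.environ)))
```

Only the "bypass" verdict is evidence of CVE-2026-0545 being exercised; "unauth_probe" lines show the same path being touched without credentials but correctly refused, which is what a patched or correctly protected server should produce. Run the scan against the proxy in front of the server rather than the MLflow process log, and pair it with the environment check on the host itself.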

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat | | 9.8 | CRITICAL |