CVE-2026-0545
Published 2026-04-03
Priority P277 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 4.39% (90.1th percentile)
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mlflow | mlflow_mlflow | 0 – 3.10.1 | — |
| mlflow | mlflow_mlflow | unspecified – latest | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-training-cuda128-torch29-py312-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP requests (no Authorization header) targeting the MLflow job API path `/ajax-api/3.0/jobs/*` on any MLflow server instance.
- Flag MLflow servers where the environment variable `MLFLOW_SERVER_ENABLE_JOB_EXECUTION` is set to `true`, as this is a prerequisite for exploitability.
- Alert on unauthenticated job submission, read, search, or cancel operations against `/ajax-api/3.0/jobs/*` endpoints, which may indicate authentication bypass exploitation.
- Investigate job results and job execution logs for signs of shell execution or filesystem changes triggered via unauthenticated job submissions, as these indicate potential unauthenticated RCE.
- The vulnerability is only exploitable when the basic-auth app is enabled AND job execution is enabled via `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true` AND at least one job function is allowlisted.
- Even without privileged job functions, the authentication bypass alone enables job spam, denial of service, or data exposure in job results.
- As of the published date (April 3, 2026), no fix was available for CVE-2026-0545.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vendor_redhat | — | 9.8 | CRITICAL | — |
OSV
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
osv · 2026-04-03 · [CRITICAL]
GHSA
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
ghsa · 2026-04-03 · [CRITICAL] · CWE-306
Red Hat
mlflow/mlflow: Unauthenticated remote code execution via unprotected job endpoints
vendor_redhat · 2026-04-03 · CVSS 9.8 · [CRITICAL] · CWE-306
No detection rules found.
Nuclei
MLflow Job API - Authentication Bypass
nuclei · CVSS 9.8 · [CRITICAL]
MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under `/ajax-api/3.0/jobs/*` when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs; exploitation requires job execution enabled and allowlisted job functions.
Template:
```yaml
id: CVE-2026-0545

info:
  name: MLflow Job API - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/* when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions.
  impact: |
    Unauthenticated attackers can execut
```
Wiz
CVE-2026-2635 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2026-2635: MLflow vulnerability analysis and mitigation
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
Source: NVD
Score 9.8 · Published February 20, 2026 · Severity CRITICAL · CNA Score 9.8
Affected Technologies: MLflow
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Pr
Wiz
CVE-2026-2033 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2026-2033: MLflow vulnerability analysis and mitigation
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
Source: NVD
Score 8.1 · Published February 20, 2026 · Severity HIGH · CNA Score 8.1
Affected Technologies: MLflow
Has Public Exploit: No
Has C
Wiz
CVE-2025-15381 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2025-15381: MLflow vulnerability analysis and mitigation
`basic-auth` · `NO_PERMISSIONS` · `mlflow server --app-name=basic-auth`
Source: NVD
Score 8.1 · Published March 27, 2026 · Severity HIGH · CNA Score 8.1
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.4 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: mlflow (Sources: NVD) · pip · Severity HIGH · No Fix · Added at: Apr 02, 2026
Wiz
CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.6 · [CRITICAL]
## CVE-2026-33865: MLflow vulnerability analysis and mitigation
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow versions through 3.10.1.
Source: NVD
Score 5.1 · Published April 7, 2026 · Severity MEDIUM · CNA Score 5.1
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 16.9 · Exploitation Probability (EPSS): 0.1
Wiz
CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.6 · [CRITICAL]
## CVE-2026-33866: MLflow vulnerability analysis and mitigation
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow versions through 3.10.1.
Source: NVD
Score 5.3 · Published April 7, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.1 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: mlflow (Sources: NVD) · pip · Severity MEDIUM
Wiz
CVE-2025-15036 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2025-15036: MLflow vulnerability analysis and mitigation
`extract_archive_to_dir` · `mlflow/pyfunc/dbconnect_artifact_cache.py`
Source: NVD
Score 9.6 · Published March 30, 2026 · Severity CRITICAL · CNA Score 9.6
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 16.8 · Exploitation Probability (EPSS): 0.1
Affected packages and libraries: mlflow (Sources: NVD) · pip · Severity CRITICAL · Has Fix · Added at: Apr 02, 2026
Wiz
CVE-2025-14287 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · [HIGH]
## CVE-2025-14287: MLflow vulnerability analysis and mitigation
`mlflow/sagemaker/__init__.py` · `os.system()` · `--container`
Source: NVD
Score 7.5 · Published March 16, 2026 · Severity HIGH · CNA Score 7.5
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 24.2 · Exploitation Probability (EPSS): 0.1
Affected packages and libraries: mlflow (Sources: NVD) · pip · Severity HIGH · Has Fix · Added at: Mar 18, 2026
Wiz
CVE-2025-14279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1 · [HIGH]
## CVE-2025-14279: MLflow vulnerability analysis and mitigation
MLflow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLflow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
Source: NVD
Score 8.1 · Published January 12, 2026 · Severity HIGH · CNA Score 8.1
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Perc
Wiz
CVE-2025-10279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.0 · [HIGH]
## CVE-2025-10279: MLflow vulnerability analysis and mitigation
`/tmp` · `.py`
Source: NVD
Score 7.0 · Published February 2, 2026 · Severity HIGH · CNA Score 7.0
Affected Technologies: MLflow
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.4 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: mlflow (Sources: NVD) · pip · Severity HIGH · Has Fix · Added at: Feb 03, 2026
Wiz
CVE-2025-15379 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2025-15379: MLflow vulnerability analysis and mitigation
`_install_model_dependencies_to_env()` · `env_manager=LOCAL` · `python_env.yaml`
Source: NVD
Score 10.0 · Published March 30, 2026 · Severity CRITICAL · CNA Score 10.0
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 46.7 · Exploitation Probability (EPSS): 0.2
Affected packages and libraries: mlflow (Sources: NVD) · pip · Severity CRITICAL · Has Fix · Added at: Apr 02, 2026
Wiz
CVE-2026-0545 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2026-0545: MLflow vulnerability analysis and mitigation
`/ajax-api/3.0/jobs/*` · `basic-auth` · `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`
Source: NVD
Score 9.1 · Published April 3, 2026 · Severity CRITICAL · CNA Score 9.1
Affected Technologies: MLflow
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 42.1 · Exploitation Probability (EPSS): 0.2
Affected packages and libraries: mlflow (Sources: NVD) · pip · Severity CRITICAL · No Fix · Added at: Apr 07, 2026
Bugzilla
CVE-2026-0545 mlflow/mlflow: Unauthenticated remote code execution via unprotected job endpoints
bugzilla · 2026-04-03 · CVSS 9.8 · [CRITICAL]
Published 2026-04-03