CVE-2026-0545: MLflow: auth bypass in job API enables unauthenticated RCE

GHSA-7qhf-v65m-g5f3 CRITICAL CISA: TRACK*
Published April 3, 2026
CISO Take

MLflow instances with basic-auth and job execution enabled expose all job management endpoints to unauthenticated access — any network-reachable attacker can submit and execute arbitrary jobs without credentials. Disable MLFLOW_SERVER_ENABLE_JOB_EXECUTION immediately if not actively required, and restrict /ajax-api/3.0/jobs/* to trusted network ranges via WAF or reverse proxy. If allowlisted jobs invoke shell commands or filesystem operations, treat this as a critical RCE in your ML training infrastructure until patched.

What is the risk?

Critical risk for exposed MLflow deployments with job execution enabled. CWE-306 (Missing Authentication for Critical Function) requires zero credentials and no specialized knowledge — basic HTTP requests suffice. The blast radius scales with job allowlist scope: read-only jobs become a data exposure and DoS vector; privileged jobs (shell, subprocess, filesystem) become full unauthenticated RCE. MLflow is commonly deployed in internal ML infrastructure that often has weaker network perimeter controls than production systems, making lateral movement a realistic follow-on risk.

What systems are affected?

Package: mlflow
Ecosystem: pip
Vulnerable Range: <= 3.10.1
Patched: No patch

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1: 9.1 / 10
EPSS: 11.5% chance of exploitation in 30 days (higher than 94% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
EPSS exploit prediction: 11%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: None

What should I do?

  1. IMMEDIATE

    Set MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false unless actively required — this eliminates the attack surface entirely.

  2. NETWORK

    Restrict /ajax-api/3.0/jobs/* endpoints via WAF or reverse proxy to authenticated internal IP ranges; block from internet-facing surfaces.

  3. AUDIT

    Review all allowlisted job functions and remove any invoking shell execution, subprocess calls, or filesystem writes.

  4. DETECT

    Alert on POST/GET requests to /ajax-api/3.0/jobs/* endpoints in access logs, particularly from unexpected source IPs or without session cookies.

  5. PATCH

    Monitor the MLflow GitHub repository and huntr.com bounty b2e5b028 for official fix; apply immediately upon release.

  6. SEGMENT

    Verify MLflow is not directly internet-exposed; enforce VPN or bastion host access for all MLflow UIs and APIs.
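
One way to implement the DETECT step over reverse-proxy access logs, as an added example that is not code from MLflow or from this advisory. It assumes Common/Combined Log Format in which the third field carries the basic-auth user (`-` when no credentials were sent) and a hypothetical trusted range `10.20.0.0/16`; the log lines are constructed.

```python
import ipaddress
import re

# Assumptions (not from the advisory): the fronting proxy writes Common/Combined
# Log Format, field 3 is the basic-auth user ("-" when no credentials were sent),
# and TRUSTED_NETS is the range allowed to reach the job API.
JOBS_PREFIX = "/ajax-api/3.0/jobs/"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

def triage(line):
    """Return a finding dict for a suspicious job-API request, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] not in ("GET", "POST"):
        return None
    path = m["path"].split("?", 1)[0]
    if not path.startswith(JOBS_PREFIX):
        return None
    reasons = []
    try:
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
    except ValueError:  # hostname or garbage in the client field
        reasons.append("unparseable-source")
    if m["user"] == "-":
        reasons.append("no-credentials")
        if m["status"].startswith("2"):
            reasons.append("unauthenticated-success")  # auth bypass symptom
    if not reasons:
        return None
    severity = "high" if "unauthenticated-success" in reasons else "review"
    return {"ip": m["ip"], "method": m["method"], "path": path,
            "status": int(m["status"]), "reasons": reasons, "severity": severity}

def scan(log_text):
    return [f for f in map(triage, log_text.splitlines()) if f]

# Constructed sample lines (documentation addresses, invented users).
SAMPLE_LOG = """\
10.20.4.17 - alice [03/Apr/2026:10:01:12 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 200 512
10.20.9.3 - - [03/Apr/2026:10:02:40 +0000] "GET /health HTTP/1.1" 200 2
192.0.2.44 - - [03/Apr/2026:10:03:05 +0000] "POST /ajax-api/3.0/jobs/runs/submit HTTP/1.1" 200 87
10.20.4.17 - - [03/Apr/2026:10:04:31 +0000] "GET /ajax-api/3.0/jobs/list?page=2 HTTP/1.1" 401 0
"""
```

A 2xx response on a job endpoint with no user recorded is the signature of the bypass itself, so `scan(SAMPLE_LOG)` rates it `high` regardless of source address.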

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.3 - Access control to AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms exist to sustain effectiveness of risk management practices
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-0545 actively exploited?

No confirmed active exploitation of CVE-2026-0545 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-0545?

1. IMMEDIATE: Set MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false unless actively required — this eliminates the attack surface entirely.
2. NETWORK: Restrict /ajax-api/3.0/jobs/* endpoints via WAF or reverse proxy to authenticated internal IP ranges; block from internet-facing surfaces.
3. AUDIT: Review all allowlisted job functions and remove any invoking shell execution, subprocess calls, or filesystem writes.
4. DETECT: Alert on POST/GET requests to /ajax-api/3.0/jobs/* endpoints in access logs, particularly from unexpected source IPs or without session cookies.
5. PATCH: Monitor the MLflow GitHub repository and huntr.com bounty b2e5b028 for official fix; apply immediately upon release.
6. SEGMENT: Verify MLflow is not directly internet-exposed; enforce VPN or bastion host access for all MLflow UIs and APIs.

What systems are affected by CVE-2026-0545?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model training pipelines, experiment tracking systems, ML job orchestration, model registry infrastructure.

What is the CVSS score for CVE-2026-0545?

CVE-2026-0545 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 11.48%.

Technical Details

NVD Description

In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
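
Because the impact described above depends on what the allowlisted job functions do, a static pass over their source helps triage them. The following is an added example, not MLflow code: it takes Python source and a set of function names as input, and the list of risky calls, the sample module and its function names are assumptions.

```python
import ast

# Assumed starting list of calls that warrant review inside a job function.
RISKY_CALLS = {
    "os.system", "os.popen", "os.remove", "os.unlink", "shutil.rmtree",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output", "eval", "exec",
}

def dotted(node):
    """Render a Name/Attribute chain such as subprocess.run as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def opens_for_write(call):
    """True for open(..., mode) where the literal mode can modify the file."""
    mode = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "mode":
            mode = kw.value
    return isinstance(mode, ast.Constant) and any(c in str(mode.value) for c in "wax+")

def audit(source, allowlisted):
    """Map each allowlisted function name to sorted (line, call) findings."""
    findings = {}
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)) and fn.name in allowlisted:
            calls = [n for n in ast.walk(fn) if isinstance(n, ast.Call)]
            findings[fn.name] = sorted(
                (c.lineno, dotted(c.func)) for c in calls
                if dotted(c.func) in RISKY_CALLS
                or (dotted(c.func) == "open" and opens_for_write(c)))
    return findings

# Constructed sample module; the function names are hypothetical job functions.
SAMPLE = '''
import subprocess
def preprocess(path):
    subprocess.run(f"gunzip {path}", shell=True)
    with open(path + ".done", "w") as fh:
        fh.write("ok")
def summarize(path):
    with open(path) as fh:
        return len(fh.read())
'''
```

The pass matches call names as written, so aliased imports (`from subprocess import run`) and helpers called from a job function still need manual review.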

Exploitation Scenario

An attacker performs internal network reconnaissance and identifies an MLflow instance on a predictable port (5000/5001). Despite seeing a basic-auth login prompt on the web UI, they probe the API directly: POST /ajax-api/3.0/jobs/runs/submit with a JSON payload succeeds without credentials. The attacker enumerates jobs via /ajax-api/3.0/jobs/list (also unauthenticated), identifies a model training job that invokes shell commands for data preprocessing, and submits a modified job payload executing a reverse shell. From there they gain persistent RCE on the ML training server, pivot to access training datasets in connected cloud storage (S3/GCS), exfiltrate proprietary model weights, and harvest cloud credentials from the MLflow environment configuration — all from a single unauthenticated HTTP request.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
April 3, 2026
Last Modified
April 6, 2026
First Seen
April 3, 2026
