CVE-2026-0545: MLflow: auth bypass in job API enables unauthenticated RCE

GHSA-7qhf-v65m-g5f3 | CRITICAL | NUCLEI TEMPLATE | CISA: TRACK*
Published April 3, 2026
CISO Take

MLflow instances with basic-auth and job execution enabled expose all job management endpoints to unauthenticated access — any network-reachable attacker can submit and execute arbitrary jobs without credentials. Disable MLFLOW_SERVER_ENABLE_JOB_EXECUTION immediately if not actively required, and restrict /ajax-api/3.0/jobs/* to trusted network ranges via WAF or reverse proxy. If allowlisted jobs invoke shell commands or filesystem operations, treat this as a critical RCE in your ML training infrastructure until patched.

What is the risk?

Critical risk for exposed MLflow deployments with job execution enabled. CWE-306 (Missing Authentication for Critical Function) requires zero credentials and no specialized knowledge — basic HTTP requests suffice. The blast radius scales with job allowlist scope: read-only jobs become a data exposure and DoS vector; privileged jobs (shell, subprocess, filesystem) become full unauthenticated RCE. MLflow is commonly deployed in internal ML infrastructure that often has weaker network perimeter controls than production systems, making lateral movement a realistic follow-on risk.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable Range: <= 3.10.1
Patched: No patch
Package stats: 26.7K; OpenSSF 5.4; 655 dependents; pushed 6d ago; 31% patched; ~76d to patch

Do you use MLflow? You are affected if you run a version in the vulnerable range with the basic-auth app and job execution enabled.

How severe is it?

CVSS 3.1: 9.1 / 10
EPSS: 4.4% chance of exploitation in 30 days (higher than 90% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

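Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None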

What should I do?

  1. IMMEDIATE: Set MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false unless actively required; this eliminates the attack surface entirely.

  2. NETWORK: Restrict /ajax-api/3.0/jobs/* endpoints via WAF or reverse proxy to authenticated internal IP ranges; block from internet-facing surfaces.

  3. AUDIT: Review all allowlisted job functions and remove any invoking shell execution, subprocess calls, or filesystem writes.

  4. DETECT: Alert on POST/GET requests to /ajax-api/3.0/jobs/* endpoints in access logs, particularly from unexpected source IPs or without session cookies.

  5. PATCH: Monitor the MLflow GitHub repository and huntr.com bounty b2e5b028 for official fix; apply immediately upon release.

  6. SEGMENT: Verify MLflow is not directly internet-exposed; enforce VPN or bastion host access for all MLflow UIs and APIs.
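
An added example (not part of the original advisory or MLflow's own code) of the DETECT step above: a log review that flags job-API requests coming from outside a trusted range or succeeding with no basic-auth user. It assumes a reverse proxy in front of MLflow writes Combined Log Format; the trusted network and the sample lines are constructed.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of MLflow writes Combined Log Format,
# where the third field is the basic-auth user ("-" if no credentials were sent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
JOBS_PREFIX = "/ajax-api/3.0/jobs/"
# Assumption: placeholder list of networks permitted to reach the job API.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def review_line(line):
    """Return a finding dict for a suspicious job-API request, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in ("GET", "POST"):
        return None
    # Match on the path only, so a query string cannot hide the endpoint.
    if not m["path"].split("?", 1)[0].startswith(JOBS_PREFIX):
        return None
    reasons = []
    try:
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
    except ValueError:
        reasons.append("unparseable-source")
    status = int(m["status"])
    if m["user"] == "-" and 200 <= status < 300:
        # Served without credentials: the bypass condition the advisory describes.
        reasons.append("unauthenticated-success")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": status, "reasons": reasons}


def scan(lines):
    return [finding for finding in map(review_line, lines) if finding]


# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '10.20.0.15 - alice [03/Apr/2026:10:01:02 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 200 512 "-" "python-requests"',
    '203.0.113.7 - - [03/Apr/2026:10:02:11 +0000] "POST /ajax-api/3.0/jobs/runs/submit HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '10.20.0.15 - - [03/Apr/2026:10:03:40 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 401 0 "-" "python-requests"',
    '10.20.0.15 - - [03/Apr/2026:10:04:05 +0000] "GET /ajax-api/3.0/jobs/list?limit=5 HTTP/1.1" 200 512 "-" "python-requests"',
]
```

A 2xx response with "-" in the user field is the stronger signal, since it means the endpoint answered without credentials even from a trusted address.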

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.3 - Access control to AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms exist to sustain effectiveness of risk management practices
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-0545 actively exploited?

No confirmed active exploitation of CVE-2026-0545 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-0545?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model training pipelines, experiment tracking systems, ML job orchestration, model registry infrastructure.

What is the CVSS score for CVE-2026-0545?

CVE-2026-0545 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 4.39%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, model training pipelines, experiment tracking systems, ML job orchestration, model registry infrastructure

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.

Exploitation Scenario

An attacker performs internal network reconnaissance and identifies an MLflow instance on a predictable port (5000/5001). Despite seeing a basic-auth login prompt on the web UI, they probe the API directly: POST /ajax-api/3.0/jobs/runs/submit with a JSON payload succeeds without credentials. The attacker enumerates jobs via /ajax-api/3.0/jobs/list (also unauthenticated), identifies a model training job that invokes shell commands for data preprocessing, and submits a modified job payload executing a reverse shell. From there they gain persistent RCE on the ML training server, pivot to access training datasets in connected cloud storage (S3/GCS), exfiltrate proprietary model weights, and harvest cloud credentials from the MLflow environment configuration — all from a single unauthenticated HTTP request.

Weaknesses (CWE)

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: April 3, 2026
Last Modified: June 30, 2026
First Seen: April 3, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2026/CVE-2026-0545.yaml -u https://target.example.com
