CVE-2026-0545: MLflow: auth bypass in job API enables unauthenticated RCE
GHSA-7qhf-v65m-g5f3 | CRITICAL | NUCLEI TEMPLATE | CISA: TRACK*
MLflow instances with basic-auth and job execution enabled expose all job management endpoints to unauthenticated access — any network-reachable attacker can submit and execute arbitrary jobs without credentials. Disable MLFLOW_SERVER_ENABLE_JOB_EXECUTION immediately if not actively required, and restrict /ajax-api/3.0/jobs/* to trusted network ranges via WAF or reverse proxy. If allowlisted jobs invoke shell commands or filesystem operations, treat this as a critical RCE in your ML training infrastructure until patched.
What is the risk?
Critical risk for exposed MLflow deployments with job execution enabled. CWE-306 (Missing Authentication for Critical Function) requires zero credentials and no specialized knowledge — basic HTTP requests suffice. The blast radius scales with job allowlist scope: read-only jobs become a data exposure and DoS vector; privileged jobs (shell, subprocess, filesystem) become full unauthenticated RCE. MLflow is commonly deployed in internal ML infrastructure that often has weaker network perimeter controls than production systems, making lateral movement a realistic follow-on risk.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| MLflow | pip | <= 3.10.1 | No patch |
Do you use MLflow? You're affected.
What should I do?
1. IMMEDIATE: Set MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false unless actively required — this eliminates the attack surface entirely.
2. NETWORK: Restrict /ajax-api/3.0/jobs/* endpoints via WAF or reverse proxy to authenticated internal IP ranges; block from internet-facing surfaces.
3. AUDIT: Review all allowlisted job functions and remove any invoking shell execution, subprocess calls, or filesystem writes.
4. DETECT: Alert on POST/GET requests to /ajax-api/3.0/jobs/* endpoints in access logs, particularly from unexpected source IPs or without session cookies.
5. PATCH: Monitor the MLflow GitHub repository and huntr.com bounty b2e5b028 for official fix; apply immediately upon release.
6. SEGMENT: Verify MLflow is not directly internet-exposed; enforce VPN or bastion host access for all MLflow UIs and APIs.
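The DETECT step as an added example (not from the advisory or the MLflow project): it assumes a reverse proxy in front of MLflow writes Common/Combined Log Format lines whose user field is filled from the Basic auth header, and uses that field in place of the session-cookie signal. `TRUSTED_NETS` and the sample lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

JOBS_PREFIX = "/ajax-api/3.0/jobs/"
# Assumption: the CIDR ranges MLflow clients are expected to come from.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Common/Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Strip the query, percent-decode, and collapse '//' and '..' segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def classify(line):
    """Return the alert reasons for one access-log line ([] means no alert)."""
    m = LINE_RE.match(line)
    if not m or not (normalize_path(m["target"]) + "/").startswith(JOBS_PREFIX):
        return []
    reasons = [] if is_trusted(m["ip"]) else ["untrusted-source"]
    if m["user"] == "-":
        reasons.append("no-credentials")
        if m["status"].startswith("2"):
            # Served without credentials: the bypass itself, not just a probe.
            reasons.append("served-unauthenticated")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every line that should alert."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, r) for n, r in hits if r]

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.20.4.7 - alice [12/Mar/2026:10:01:02 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2026:10:02:11 +0000] "POST /ajax-api//3.0/jobs/ HTTP/1.1" 200 88',
    '10.20.9.1 - - [12/Mar/2026:10:03:40 +0000] "GET /ajax-api/3.0/jobs/list?x=1 HTTP/1.1" 401 0',
    '10.20.4.7 - - [12/Mar/2026:10:04:00 +0000] "GET /health HTTP/1.1" 200 2',
]
```

`scan(SAMPLE_LOG)` flags lines 2 and 3; a `served-unauthenticated` reason on a jobs path is the signal to page on, since it means the endpoint answered a request that carried no credentials.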
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-0545 actively exploited?
No confirmed active exploitation of CVE-2026-0545 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-0545?
This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model training pipelines, experiment tracking systems, ML job orchestration, model registry infrastructure.
What is the CVSS score for CVE-2026-0545?
CVE-2026-0545 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 4.39%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0025 Exfiltration via Cyber Means
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
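One way to triage the allowlisted job functions the advisory refers to, as an added example (not MLflow code): it parses a module's source and reports shell, subprocess and file-write calls inside each named function. The call lists, the `allowlisted` set and the sample module are assumptions.

```python
import ast
# Illustrative lists for this audit; extend them for your own code base.
SHELL_CALLS = {"os.system", "os.popen"}
FS_WRITE_CALLS = {"os.remove", "os.unlink", "shutil.rmtree", "shutil.move"}
FUNCS = (ast.FunctionDef, ast.AsyncFunctionDef)

def dotted_name(node):
    """Render a Name/Attribute chain, e.g. subprocess.run, as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. a method called on another call's result
    return ".".join(reversed(parts + [node.id]))

def opens_for_write(call):
    """True when open() is given a literal mode containing w, a, x or +."""
    mode = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "mode":
            mode = kw.value
    return (isinstance(mode, ast.Constant) and isinstance(mode.value, str)
            and any(c in mode.value for c in "wax+"))

def audit_jobs(source, allowlisted):
    """Map each allowlisted function to its (line, kind, call) findings."""
    findings = {}
    for fn in ast.walk(ast.parse(source)):
        if not (isinstance(fn, FUNCS) and fn.name in allowlisted):
            continue
        hits = []
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            name = dotted_name(call.func) or ""
            if name in SHELL_CALLS or name.startswith("subprocess."):
                hits.append((call.lineno, "shell", name))
            elif name in FS_WRITE_CALLS or (name == "open" and opens_for_write(call)):
                hits.append((call.lineno, "fs-write", name))
        findings[fn.name] = sorted(hits)
    return findings

# Constructed sample module with two allowlisted job functions.
SAMPLE = '''
def preprocess(path):
    subprocess.run(["tar", "xf", path], check=True)
    open(path + ".done", "w").close()
def summarize(rows):
    return len(rows)
'''
```

It only sees direct calls by their written name, so aliased imports and helpers called from a job still need manual review.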
Exploitation Scenario
An attacker performs internal network reconnaissance and identifies an MLflow instance on a predictable port (5000/5001). Despite seeing a basic-auth login prompt on the web UI, they probe the API directly: POST /ajax-api/3.0/jobs/runs/submit with a JSON payload succeeds without credentials. The attacker enumerates jobs via /ajax-api/3.0/jobs/list (also unauthenticated), identifies a model training job that invokes shell commands for data preprocessing, and submits a modified job payload executing a reverse shell. From there they gain persistent RCE on the ML training server, pivot to access training datasets in connected cloud storage (S3/GCS), exfiltrate proprietary model weights, and harvest cloud credentials from the MLflow environment configuration — all from a single unauthenticated HTTP request.
Weaknesses (CWE)
CWE-306 Missing Authentication for Critical Function
Primary
CWE-306 (Missing Authentication for Critical Function): The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
`nuclei -t http/cves/2026/CVE-2026-0545.yaml -u https://target.example.com`
Related Vulnerabilities
- CVE-2025-15379 (10.0) MLflow: RCE via unsanitized model dependency specs. Same package: mlflow
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same package: mlflow
- CVE-2026-2635 (9.8) mlflow: security flaw enables exploitation. Same package: mlflow
- CVE-2023-1177 (9.8) MLflow: path traversal allows arbitrary file read/write. Same package: mlflow
- CVE-2023-2780 (9.8) MLflow: path traversal allows arbitrary file read/write. Same package: mlflow