CVE-2026-0545 Overview
CVE-2026-0545 is a critical authentication bypass vulnerability in MLflow, an open-source platform for managing the machine learning lifecycle. The vulnerability exists in the FastAPI job endpoints under /ajax-api/3.0/jobs/*, which are not protected by authentication or authorization even when the basic-auth application is enabled. This flaw allows unauthenticated network clients to submit, read, search, and cancel jobs without credentials, completely bypassing basic-auth protections.
Critical Impact
When job execution is enabled and job functions are allowlisted, this vulnerability can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even when jobs are considered safe, attackers can exploit this flaw for job spam, denial of service, or data exposure through job results.
Affected Products
- MLflow (mlflow/mlflow) - latest versions with MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true
- MLflow deployments with basic-auth app enabled and allowlisted job functions
Discovery Timeline
- 2026-04-03 - CVE-2026-0545 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-0545
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The core issue stems from the FastAPI job endpoints being implemented without authentication middleware when the basic-auth app is enabled on the MLflow server. This represents a fundamental design oversight where the job execution API surface was not integrated with the existing authentication framework.
The vulnerability requires two conditions to be exploitable: the environment variable MLFLOW_SERVER_ENABLE_JOB_EXECUTION must be set to true, and at least one job function must be allowlisted. When these conditions are met, the attack surface becomes significant as any network-accessible client can interact with the job endpoints without presenting valid credentials.
Root Cause
The root cause is a missing authentication check on the FastAPI job endpoints. While the MLflow basic-auth app provides authentication for most API routes, the job-related endpoints under /ajax-api/3.0/jobs/* were not properly wrapped with authentication middleware. This creates an authentication bypass where protected functionality remains accessible to unauthenticated users.
Attack Vector
The attack vector is network-based and low in complexity. An attacker with network access to the MLflow server can send HTTP requests directly to the unprotected job endpoints; exploitation requires neither privileges nor user interaction. Attackers can:
- Submit malicious job requests to execute arbitrary code if privileged job functions are allowlisted
- Search and read existing job data, potentially exposing sensitive information in job results
- Cancel legitimate jobs, causing denial of service
- Spam the job queue with requests to exhaust server resources
The vulnerability has been documented through the Huntr bug bounty platform. For detailed technical analysis and proof-of-concept information, refer to the Huntr Bounty Details.
Detection Methods for CVE-2026-0545
Indicators of Compromise
- Unusual HTTP requests to /ajax-api/3.0/jobs/* endpoints without valid authentication headers
- Unexpected job submissions in MLflow logs from unrecognized sources or IP addresses
- Anomalous job cancellation events affecting legitimate workflow operations
- Increased job queue activity without corresponding authenticated user sessions
Detection Strategies
- Monitor web server access logs for requests to /ajax-api/3.0/jobs/* endpoints that lack authentication headers
- Implement network-level monitoring for connections to MLflow server ports from unauthorized IP ranges
- Review MLflow application logs for job submissions that do not correlate with authenticated sessions
- Deploy web application firewall (WAF) rules to flag or block suspicious requests to job endpoints
Monitoring Recommendations
- Enable verbose logging on the MLflow server to capture all job-related API activity
- Establish baseline metrics for normal job submission rates and alert on anomalies
- Implement network segmentation to restrict direct access to MLflow server endpoints from untrusted networks
- Regularly audit the MLFLOW_SERVER_ENABLE_JOB_EXECUTION configuration and job function allowlists
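The access-log detection and rate-baseline checks described in the two lists above, as an added example that is not part of this advisory or of MLflow itself. It assumes the reverse proxy in front of MLflow writes one JSON object per request with fields ts, addr, method, path, status and a boolean auth (whether an Authorization header was present); those field names, the sample lines and the job sub-paths used in them are constructed for illustration. The key signal is a job-endpoint request with no credentials that the server still answered with a 2xx: a correctly protected deployment would answer 401 or 403.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Unprotected endpoint prefix named in CVE-2026-0545.
JOB_PREFIX = "/ajax-api/3.0/jobs/"

# Constructed sample proxy log (not real traffic). Field layout is an assumption;
# the proxy is assumed to emit `auth` as a presence flag, never the header value.
SAMPLE_LOG = """\
{"ts":"2026-04-08T10:00:01Z","addr":"10.0.0.5","method":"POST","path":"/ajax-api/3.0/jobs/","status":200,"auth":true}
{"ts":"2026-04-08T10:00:03Z","addr":"10.0.0.5","method":"GET","path":"/ajax-api/2.0/mlflow/experiments/search","status":200,"auth":true}
{"ts":"2026-04-08T10:00:05Z","addr":"203.0.113.7","method":"POST","path":"/ajax-api/3.0/jobs/","status":200,"auth":false}
{"ts":"2026-04-08T10:00:06Z","addr":"203.0.113.7","method":"POST","path":"/ajax-api/3.0/jobs/","status":200,"auth":false}
{"ts":"2026-04-08T10:00:07Z","addr":"203.0.113.7","method":"POST","path":"/ajax-api/3.0/jobs/","status":200,"auth":false}
{"ts":"2026-04-08T10:00:08Z","addr":"203.0.113.7","method":"POST","path":"/ajax-api/3.0/jobs/","status":200,"auth":false}
{"ts":"2026-04-08T10:00:09Z","addr":"203.0.113.7","method":"GET","path":"/ajax-api/3.0/jobs/search","status":200,"auth":false}
{"ts":"2026-04-08T10:00:20Z","addr":"198.51.100.9","method":"GET","path":"/ajax-api/2.0/mlflow/runs/search","status":401,"auth":false}
{"ts":"2026-04-08T10:00:30Z","addr":"198.51.100.9","method":"POST","path":"/ajax-api/3.0/jobs/","status":401,"auth":false}
"""


def parse_log(text):
    """Parse JSON-lines proxy log into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def is_job_request(event):
    """True for any request under the job endpoint prefix (or the prefix itself)."""
    path = event["path"]
    return path.startswith(JOB_PREFIX) or path == JOB_PREFIX.rstrip("/")


def unauthenticated_job_hits(events):
    """Job-endpoint requests with no Authorization header that were served with 2xx.

    A 2xx here means the bypass is reachable; 401/403 responses are excluded because
    they show the proxy or server did reject the request.
    """
    return [
        e for e in events
        if is_job_request(e) and not e["auth"] and 200 <= e["status"] < 300
    ]


def submission_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Flag clients whose job submissions (POST under the prefix) exceed `threshold`
    inside any sliding `window`; a job-spam / denial-of-service indicator.

    `threshold` stands in for the per-client baseline a site would derive from its
    own normal submission rate (an assumed value here).
    """
    by_addr = defaultdict(list)
    for e in events:
        if is_job_request(e) and e["method"] == "POST":
            by_addr[e["addr"]].append(e["ts"])
    alerts = {}
    for addr, times in by_addr.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[addr] = peak
    return alerts


def analyze(text, **burst_kwargs):
    """Run both checks over a log and return a summary suitable for alerting."""
    events = parse_log(text)
    hits = unauthenticated_job_hits(events)
    return {
        "unauth_job_hits": len(hits),
        "suspect_addrs": sorted({e["addr"] for e in hits}),
        "bursts": submission_bursts(events, **burst_kwargs),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2, default=str))
```

On the sample data the unauthenticated 2xx hits all come from one client, which also trips the burst check; the 401 attempts from the third client are not counted as hits, since they show authentication being enforced. Pointing the same two checks at real logs only requires replacing SAMPLE_LOG with the proxy's log file contents and tuning the window and threshold to the site's own baseline.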
How to Mitigate CVE-2026-0545
Immediate Actions Required
- Disable job execution by setting MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false until a patch is available
- Review and minimize the job function allowlist to remove any privileged or dangerous functions
- Implement network-level access controls to restrict access to MLflow server endpoints
- Deploy reverse proxy or WAF rules to enforce authentication on /ajax-api/3.0/jobs/* routes
Patch Information
At the time of publication, users should monitor the MLflow GitHub repository and security advisories for an official patch. Refer to the Huntr Bounty Details for updates on remediation status.
Workarounds
- Disable job execution functionality by setting the environment variable MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false
- Deploy MLflow behind a reverse proxy (nginx, Apache, or similar) that enforces authentication for all routes including job endpoints
- Restrict network access to the MLflow server using firewall rules to allow only trusted IP addresses
- Remove all entries from the job function allowlist to prevent any job execution
# Disable job execution to mitigate the vulnerability (set in the shell before starting the server)
export MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false

# Example nginx configuration to enforce authentication on job endpoints.
# This only helps if the MLflow listener itself is reachable solely through this proxy.
location /ajax-api/3.0/jobs/ {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://mlflow-server;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


