Description
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
Published: 2026-04-03
Score: 9.8 Critical
EPSS: 11.2% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because FastAPI job endpoints under "/ajax-api/3.0/jobs/*" are unprotected when the basic-auth app is enabled. Attackers can submit, read, search, and cancel jobs without credentials, bypassing basic‑auth. If allowed job functions perform privileged actions such as shell execution or filesystem changes, the attacker can achieve unauthenticated remote code execution. Even if jobs are deemed safe, the authentication bypass permits job spam, denial of service, or exposure of job results.

Affected Systems

All MLflow installations that enable job execution (MLFLOW_SERVER_ENABLE_JOB_EXECUTION set to true), have basic‑auth enabled, and are running the latest repository version. Because specific version ranges are not supplied, any current release is considered at risk.

Risk and Exploitability

The CVSS score of 9.8 classifies the vulnerability as critical. The EPSS score of 11% indicates a relatively high likelihood of exploitation. Even though the vulnerability is not listed in CISA KEV, the risk remains significant. Attackers can use the documented endpoints without credentials, potentially achieving remote code execution or other disruptive activities across the entire system.

Generated by OpenCVE AI on June 1, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable job execution by setting MLFLOW_SERVER_ENABLE_JOB_EXECUTION to false
  • Restrict the job allowlist to only trusted functions, removing any that perform privileged actions
  • Ensure basic authentication is not simultaneously enabled with job execution unless proper authorization controls are in place

Generated by OpenCVE AI on June 1, 2026 at 14:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7qhf-v65m-g5f3 mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
History

Tue, 21 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow
Vendors & Products Mlflow
Mlflow mlflow

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
Title Missing Authentication for Critical Function in mlflow/mlflow
Weaknesses CWE-306
References
Metrics cvssV3_0

{'score': 9.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Lfprojects Mlflow
Mlflow Mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-04-03T17:49:22.749Z

Reserved: 2026-01-01T09:52:49.217Z

Link: CVE-2026-0545

cve-icon Vulnrichment

Updated: 2026-04-03T17:49:13.495Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T18:16:21.540

Modified: 2026-04-21T01:45:33.033

Link: CVE-2026-0545

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T14:45:26Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function