CVE-2026-0545: Missing Authentication for Critical Function in mlflow/mlflow
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
Security readout for executives and security teams
Plain-English summary
MLflow job API endpoints can bypass basic authentication when job execution is enabled and jobs are allowlisted. An unauthenticated network client could submit or manage jobs and potentially cause code execution if allowed jobs perform privileged actions.
Executive priority
Treat this as urgent for any network-exposed MLflow service. The business risk is unauthorized job control and possible code execution without credentials, but only in the specific job-execution configuration described by the sources.
Technical view
The `/ajax-api/3.0/jobs/*` FastAPI endpoints lack authentication and authorization under the `basic-auth` app. With `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true` and any allowlisted job function, unauthenticated clients can submit, read, search, and cancel jobs.
Likely exposure
Exposure is most likely where MLflow is reachable over a network, basic-auth is enabled, job execution is enabled, and at least one job function is allowlisted. The source bundle does not specify exact affected release versions.
Exploitation context
The bundle reports no KEV listing and provides no evidence of active exploitation. Exploitability depends on deployment configuration and the behavior of allowlisted jobs; privileged job actions could raise impact to unauthenticated remote code execution.
Researcher notes
The key uncertainty is version scope: the bundle says the latest repository version is affected but lists versions as unspecified. Patch status is not provided, so validation should focus on configuration exposure and vendor advisories.
Mitigation direction
Identify MLflow servers using the basic-auth app with job execution enabled.
Disable job execution where not required, especially on internet- or shared-network instances.
Remove or tightly limit allowlisted job functions pending vendor guidance.
Restrict network access to MLflow servers using trusted administrative paths only.
Check MLflow and Red Hat guidance for fixed versions or official mitigations.
Validation and detection
Inventory MLflow deployments and confirm whether basic-auth is enabled.
Check whether `MLFLOW_SERVER_ENABLE_JOB_EXECUTION` is set to true.
Review configured allowlisted job functions and their privileges.
Verify job endpoints require authentication in the deployed configuration.
Monitor job activity for unauthenticated or unexpected submissions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-306 · source CWE mapping
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.