CVE-2026-0545 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: April 3, 2026
mlflow/mlflow - Authentication Bypass
Published: April 3, 2026 | Updated: April 3, 2026 | Remote Exploitable
Overview
The latest version of mlflow/mlflow contains an authentication bypass: when basic-auth is enabled, the FastAPI job endpoints under /ajax-api/3.0/jobs/* are left unprotected, letting unauthenticated network clients submit and manage jobs. Exploitation requires that job execution is enabled and that job functions are allowlisted.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Unauthenticated attackers can execute jobs remotely, potentially leading to remote code execution, denial of service, or data exposure.
Mitigation
Update to the latest version with fixed authentication enforcement on job endpoints.
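A log check for the condition described in the Overview, added here as an example and not taken from MLflow or from the advisory: it scans combined-format access logs for requests under /ajax-api/3.0/jobs/ that carried no basic-auth user yet were not rejected. The log format, the 401/403 rejection statuses, and the sample lines with their EXAMPLE sub-path are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

JOBS_PREFIX = "/ajax-api/3.0/jobs"   # prefix named in the advisory
AUTH_REJECTED = {401, 403}           # assumption: statuses the auth layer returns

# Combined Log Format: host ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def normalized_path(target):
    """Drop the query string, percent-decode, collapse //, ./ and ../."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def is_jobs_path(path):
    return path == JOBS_PREFIX or path.startswith(JOBS_PREFIX + "/")

def anonymous_job_requests(lines):
    """Return (host, method, path, status) for each request to the job
    endpoints that carried no basic-auth user yet was not rejected."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = normalized_path(m["target"])
        status = int(m["status"])
        if is_jobs_path(path) and m["user"] == "-" and status not in AUTH_REJECTED:
            findings.append((m["host"], m["method"], path, status))
    return findings

# Constructed sample lines (documentation addresses, placeholder sub-paths).
SAMPLE_LOG = [
    '192.0.2.10 - alice [03/Apr/2026:10:00:01 +0000] "POST /ajax-api/3.0/jobs/EXAMPLE HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Apr/2026:10:00:05 +0000] "POST /ajax-api/3.0/jobs/EXAMPLE HTTP/1.1" 200 498',
    '198.51.100.7 - - [03/Apr/2026:10:00:06 +0000] "GET //ajax-api/3.0/./jobs/EXAMPLE?x=1 HTTP/1.1" 422 87',
    '198.51.100.7 - - [03/Apr/2026:10:00:07 +0000] "GET /ajax-api/3.0/jobs%2FEXAMPLE HTTP/1.1" 401 0',
    '203.0.113.4 - - [03/Apr/2026:10:00:09 +0000] "GET /ajax-api/3.0/jobsearch HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in anonymous_job_requests(SAMPLE_LOG):
        print("unauthenticated job-endpoint request:", *finding)
```

Any finding on a deployment with basic-auth enabled means a request reached the job endpoints without passing the auth layer; after the update, the same requests should appear with a 401.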
Details
- CVE ID: CVE-2026-0545
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_authentication
- Status: new
CWE
- CWE-306
CVSS Metrics
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N