MLflow job APIs bypass basic-auth, enabling unauthenticated code execution
TL;DR — MLflow’s FastAPI job endpoints under /ajax-api/3.0/jobs/* can bypass basic-auth, letting unauthenticated clients submit and control jobs and potentially reach unauthenticated server-side code execution.
What happened
MLflow is an open-source MLOps platform commonly deployed as an HTTP service for experiment tracking and related workflows.
CVE-2026-0545 describes a missing authentication/authorization issue affecting MLflow’s FastAPI job endpoints under /ajax-api/3.0/jobs/* when the basic-auth app is enabled: the endpoints are not protected by authentication or authorization, allowing any network client to submit, read, search, and cancel jobs without credentials.
The CVE record further notes that if job execution is enabled (MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true) and any job function is allowlisted, this exposure can lead to unauthenticated remote code execution when allowlisted jobs perform privileged actions (e.g., shell execution or filesystem changes). Even if jobs are “safe,” the issue still constitutes an auth bypass that can enable job spam/DoS or data exposure via job results.
This is a high-signal pattern for platform teams: “optional auth mode” integrations often leave new/auxiliary API surfaces uncovered, and job execution APIs are typically high-privilege control planes that should be treated as production-critical.
Who is impacted
- Deployments of
mlflow/mlflowwhere thebasic-authapp is enabled. - Any environment exposing
/ajax-api/3.0/jobs/*to untrusted networks. - Highest risk deployments are those with job execution enabled (
MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true) and allowlisted job functions.
| Component | Affected versions (per CVE record) | Fixed version referenced by source |
|---|---|---|
mlflow/mlflow | <= latest ("latest version of the repository") | Not specified |
What to do now
- Follow upstream MLflow remediation guidance and apply the latest patched release available at the time of writing (the CVE record does not enumerate a fixed version).
- Treat
/ajax-api/3.0/jobs/*as an exposed control-plane surface: ensure it is not reachable from untrusted networks (e.g., restrict ingress, segment networks, or place behind an authenticated gateway). - Review whether job execution is enabled (
MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true) and whether any job functions are allowlisted; disable or reduce exposure where feasible until a confirmed patch is deployed. - If compromise is suspected, review service logs for unauthenticated access patterns to
/ajax-api/3.0/jobs/*, and rotate credentials/tokens accessible to the MLflow server process and any downstream systems it can reach.
Additional Information
- Reference linked in the CVE record:
https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.