Home / Vulnerability Intelligence / CVE-2026-0545

CVE-2026-0545 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 3, 2026

mlflow/mlflow - Authentication Bypass

Published: April 3, 2026Updated: April 3, 2026Remote Exploitable

Overview

mlflow/mlflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/* when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 20.0%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute jobs remotely, potentially leading to remote code execution, denial of service, or data exposure.

Mitigation

Update to the latest version with fixed authentication enforcement on job endpoints.

References

https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 4, 2026

🔴 CVE-2026-0545 - Critical (9.1) In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution i... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0545/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-0545
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: new
EPSS: 20.0%
Social Posts: 1

CWE

CWE-306

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

20.0%Probability of exploitation in the next 30 days