Horizon Alert
Summary of the vulnerability and why it matters
A critical vulnerability has been identified in MLflow's job execution endpoints, allowing unauthenticated access to submit, read, search, and cancel jobs. This can lead to remote code execution or denial of service if job execution is enabled and certain job functions are permitted. Even without code execution, it represents a significant authentication bypass.
- Unprotected MLflow jobs allow unauthorized remote control.
- Leadership should remember this as a critical system access flaw.
- Confirm MLflow job execution relevance and exposure.
Attack Path
How an attacker could exploit the issue
An attacker could reach and trigger this vulnerability by sending unauthenticated requests to the MLflow job endpoints if job execution is enabled and the `basic-auth` application is active. This bypasses authentication, allowing the attacker to submit, view, search, or cancel jobs. If a job performs sensitive actions, this could lead to remote code execution. Even without code execution, an attacker could cause denial of service or expose data through job results.
- Network access to MLflow job endpoints.
- Unauthenticated requests to job API endpoints.
- Unauthenticated remote code execution or DoS.
Live Threat
Current exploitation, exposure, and threat context
When job execution is enabled and specific job functions are allowlisted, unauthenticated network clients can bypass basic authentication to submit, read, search, and cancel jobs. This could lead to unauthenticated remote code execution if allowed jobs perform privileged actions, or authentication bypass for job spam, denial of service, or data exposure in job results.
- Job execution control and associated data.
- Unauthenticated network access to job endpoints.
- Remote code execution or denial of service.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability impacts MLflow job execution endpoints when basic authentication is enabled. Teams responsible for MLflow deployments, application owners, and infrastructure teams should prioritize identifying all instances of MLflow, assessing their exposure and criticality, and confirming ownership. The first practical step is to locate MLflow installations, determine if job execution is active and if allowlisted jobs present risks, and then plan remediation based on the identified risk level.
- Application and infrastructure teams own the issue.
- Verify MLflow job execution and network exposure.
- Plan remediation based on identified risk.