External risk intelligence

MLflow Unauthenticated Job Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-0545

MLflow is frequently deployed as a centralized web service or API platform to manage machine learning lifecycles. Given that these services are often exposed to teams or networks to facilitate collaboration, endpoints related to job execution are often reachable within the environment where the MLflow server is hosted, making them commonly accessible network services.

Missing Authentication

Lfprojects Mlflow

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in MLflow's job execution endpoints, allowing unauthenticated access to submit, read, search, and cancel jobs. This can lead to remote code execution or denial of service if job execution is enabled and certain job functions are permitted. Even without code execution, it represents a significant authentication bypass.

  • Unprotected MLflow jobs allow unauthorized remote control.
  • Leadership should remember this as a critical system access flaw.
  • Confirm MLflow job execution relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach and trigger this vulnerability by sending unauthenticated requests to the MLflow job endpoints if job execution is enabled and the `basic-auth` application is active. This bypasses authentication, allowing the attacker to submit, view, search, or cancel jobs. If a job performs sensitive actions, this could lead to remote code execution. Even without code execution, an attacker could cause denial of service or expose data through job results.

  • Network access to MLflow job endpoints.
  • Unauthenticated requests to job API endpoints.
  • Unauthenticated remote code execution or DoS.

Live Threat

Current exploitation, exposure, and threat context

When job execution is enabled and specific job functions are allowlisted, unauthenticated network clients can bypass basic authentication to submit, read, search, and cancel jobs. This could lead to unauthenticated remote code execution if allowed jobs perform privileged actions, or authentication bypass for job spam, denial of service, or data exposure in job results.

  • Job execution control and associated data.
  • Unauthenticated network access to job endpoints.
  • Remote code execution or denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts MLflow job execution endpoints when basic authentication is enabled. Teams responsible for MLflow deployments, application owners, and infrastructure teams should prioritize identifying all instances of MLflow, assessing their exposure and criticality, and confirming ownership. The first practical step is to locate MLflow installations, determine if job execution is active and if allowlisted jobs present risks, and then plan remediation based on the identified risk level.

  • Application and infrastructure teams own the issue.
  • Verify MLflow job execution and network exposure.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MLflow?

MLflow is an open-source platform managed by the Linux Foundation Projects (lfprojects) used for managing the machine learning lifecycle. It provides tools to track experiments, package code into reproducible runs, and share models. Teams typically use it as a centralized web service to collaborate on data science projects, which is why it often includes APIs for automating tasks like running training jobs or managing model deployment workflows across an organization.

What does CWE-306 mean for CVE-2026-0545?

CWE-306 refers to a 'Missing Authentication for Critical Function' weakness. In the context of CVE-2026-0545, it means that even when the software's basic-auth mechanism is turned on, the specific API endpoints responsible for job management do not require users to prove their identity. Because the system fails to check for credentials before allowing commands, an unauthorized user can interact with these critical functions as if they were an administrator.

How is this vulnerability triggered?

An attacker triggers this by sending unauthenticated network requests directly to the affected job API endpoints. Crucially, the vulnerability only exists when the MLflow server is configured with the 'basic-auth' app enabled and the MLFLOW_SERVER_ENABLE_JOB_EXECUTION environment variable set to true. If job execution is disabled, or if the server is not configured to use basic-auth in the first place, this specific bypass path is not active.

Is my MLflow instance at risk?

According to Halo Surface Signal, MLflow is often deployed as a web service to facilitate team collaboration, which frequently results in it being reachable across internal networks or even exposed to the public internet. If your instance is reachable over the network and has job execution enabled, it is potentially accessible to any client. You should check if your deployment environment allows these job endpoints to be reached by untrusted users or systems.

What should I do first to secure my deployment?

Start by identifying all MLflow installations in your infrastructure to determine which ones have job execution enabled. Once you have a list, verify the current configuration for each instance to see if the basic-auth app is active. If both are enabled, assess the allowlisted jobs to understand what actions they perform. Prioritize restricting network access to these endpoints until you can confirm the deployment's specific risk and apply recommended security updates.

References