{"data":{"id":"c169107e-ad26-4193-92ad-5ddd68a07ab2","title":"CVE-2026-0545: In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authoriz","summary":"MLflow (an open-source machine learning platform) has a vulnerability in which the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` skip authentication checks (verification of who you are) even when basic-auth protection is enabled. If job execution is turned on, an unauthenticated attacker can submit, run, read, and cancel jobs, which can lead to remote code execution (running attacker-chosen commands on the server) or denial of service (making the system unavailable).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-0545","publishedAt":"2026-04-03T18:16:21.540Z","cveId":"CVE-2026-0545","cweIds":["CWE-306"],"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-03T18:16:21.540Z","capecIds":["CAPEC-115"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}