CVE-2026-0545: In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authoriz
Summary
MLflow (an open-source machine learning platform) has a vulnerability in which API endpoints under `/ajax-api/3.0/jobs/*` skip authentication checks (verification of who you are) even when basic-auth protection is enabled. If job execution is turned on, attackers can submit, run, read, and cancel jobs without logging in, potentially leading to remote code execution (running malicious commands on the server) or denial of service (making the system unavailable).
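A defender can look for signs of this exposure in reverse-proxy access logs. The following is an added example, not code from MLflow or from the advisory: it flags requests under the jobs prefix that were served with a 2xx status while carrying no Basic-auth user. It assumes MLflow sits behind a proxy writing the common "combined" log format with the Basic-auth username in the user field; the function name, sample lines, and `EXAMPLE` path segments are constructed.

```python
import re

# Path prefix named in the advisory; everything else here is an assumption.
JOBS_PREFIX = "/ajax-api/3.0/jobs"

# "combined" format: ip ident user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def unauthenticated_job_hits(lines):
    """Return records for job-endpoint requests served (2xx) with no auth user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching
        if path != JOBS_PREFIX and not path.startswith(JOBS_PREFIX + "/"):
            continue
        # "-" means no Basic-auth username was logged; 2xx means it was served.
        if m["user"] == "-" and m["status"].startswith("2"):
            hits.append({k: m[k] for k in ("ip", "time", "method", "path", "status")})
    return hits

# Constructed sample log; "EXAMPLE" is a placeholder, not a real route name.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2026:10:00:01 +0000] '
    '"POST /ajax-api/3.0/jobs/EXAMPLE HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.4 - alice [03/Apr/2026:10:00:05 +0000] '
    '"GET /ajax-api/3.0/jobs/EXAMPLE HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Apr/2026:10:00:09 +0000] '
    '"GET /ajax-api/3.0/jobs/EXAMPLE HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [03/Apr/2026:10:00:12 +0000] '
    '"GET /health HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    '192.0.2.9 - - [03/Apr/2026:10:00:15 +0000] '
    '"GET /ajax-api/3.0/jobs/EXAMPLE?page=1 HTTP/1.1" 204 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in unauthenticated_job_hits(SAMPLE_LOG):
        print(hit)
```

A logged username only shows that credentials were sent, not that they were valid, so hits are a lower bound on unauthenticated access.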
Vulnerability Details
EPSS: 0.0%
April 3, 2026
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-0545
First tracked: April 3, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 92%