Missing Authentication for Critical Function in mlflow/mlflow

Description

A vulnerability, which was classified as critical, was found in MLflow up to 3.0. This vulnerability affects unknown code of the component FastAPI Job Endpoint. The manipulation results in missing authentication. This vulnerability is reported as CVE-2026-0545. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.

Affected Products

Vendor	Product	Versions
mlflow	mlflow/mlflow	unspecified, 3.0

References

https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-0545 | MLflow up to 3.0 FastAPI Job Endpoint missing authentication

→ No new info (linked only)

CVSS 3.19.1 CRITICAL

VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-306

PublishedApr 3, 2026

Last enriched3h agov2

Trending Score47

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated affected versions to include 3.0 and corrected exploit availability to false.

descriptionaffectedVersions

via VulDB

v14h ago

Initial creation