In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.
When MLflow server is running with job execution support enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and at least one function is added to the allowlist, any network client can send, read, search, and cancel jobs through unsecured FastAPI endpoints without providing any authentication credentials. The `basic-auth` mechanism is completely bypassed for this group of endpoints, constituting a full authentication bypass. If allowed jobs perform privileged operations — such as system shell calls or file system modifications — an attacker can achieve unauthenticated RCE.
An attacker without any privileges can remotely execute code on the server (RCE), access job results containing sensitive data, overload the system with mass job submissions (DoS), or completely bypass implemented access control based on `basic-auth`.
Patches available from the vendor should be applied according to references. Until the patch is applied, it is recommended to disable job execution (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false`) or restrict network access to the `/ajax-api/3.0/jobs/*` endpoints at the firewall or reverse proxy level.
The latest version of the Lfprojects MLflow repository with configuration where the `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true` option is enabled and with at least one job function on the allowlist and active `basic-auth` module
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLfprojects Mlflow
APPLfprojectswszystkie wersje
Related vulnerabilities
MLflow: nieautoryzowany dostęp do endpointów multipart upload (RCE)
MLflow: nieprawidłowa walidacja origin umożliwia RCE przez cross-origin request
Command injection w MLflow podczas inicjalizacji kontenera modelu
Path traversal w MLflow — nadpisanie plików i eskalacja uprawnień
MLflow: path traversal w ekstrakcji archiwów tar umożliwia RCE