CVE-2026-0545

MLflow · MLflow

An authentication bypass in MLflow's FastAPI job endpoints allows unauthenticated attackers to submit and execute jobs, potentially leading to remote code execution or denial of service.

Executive summary

MLflow installations are subject to a critical authentication bypass in job management endpoints, potentially leading to unauthenticated remote code execution and full system compromise.

Vulnerability

The /ajax-api/3.0/jobs/* endpoints bypass basic-auth protections. If job execution is enabled, unauthenticated attackers can manage jobs, which may lead to shell execution or unauthorized filesystem access.

Business impact

This vulnerability could allow an attacker to execute arbitrary code on the MLflow server, steal sensitive machine learning models, or disrupt operations through job spam. The CVSS score of 9.1 reflects the critical risk of unauthenticated access to privileged functions.

Remediation

Immediate Action: Update MLflow to the latest version. If a patch is unavailable, disable job execution by setting MLFLOW_SERVER_ENABLE_JOB_EXECUTION=false immediately.

Proactive Monitoring: Review MLflow logs for job submissions from unknown IP addresses and monitor the server for unauthorized shell activity.

Compensating Controls: Implement an external authentication proxy or restrict access to the MLflow server using network-level firewalls and VPNs.
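As a worked example of the monitoring step above, this added script (not part of the advisory or of MLflow) scans access-log lines for requests to the /ajax-api/3.0/jobs/* endpoints that come from outside trusted networks or carry no authenticated user, and counts submissions per source IP to surface job spam. The combined log format, the trusted ranges and the job sub-paths are assumptions; the sample lines are constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample access-log lines (combined log format) as a reverse proxy in
# front of MLflow might record them. The format, the sub-paths under
# /ajax-api/3.0/jobs/ and all addresses are assumptions, not MLflow's own logging.
SAMPLE_LOG = """\
10.0.0.12 - mlops [15/Jan/2026:09:01:02 +0000] "POST /ajax-api/3.0/jobs/submit HTTP/1.1" 200 512
203.0.113.45 - - [15/Jan/2026:09:02:10 +0000] "POST /ajax-api/3.0/jobs/submit HTTP/1.1" 200 498
203.0.113.45 - - [15/Jan/2026:09:02:11 +0000] "GET /ajax-api/3.0/jobs/search HTTP/1.1" 200 2048
10.0.0.12 - mlops [15/Jan/2026:09:03:00 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 1024
198.51.100.7 - - [15/Jan/2026:09:04:00 +0000] "POST /ajax-api/3.0/jobs/submit HTTP/1.1" 200 500
"""

# Networks from which job submissions are expected (assumed internal range).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# ip, ident, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

JOBS_PREFIX = "/ajax-api/3.0/jobs/"

def find_suspicious_job_requests(log_text, trusted_nets=TRUSTED_NETS):
    """Return (findings, per_ip_counts): job-endpoint requests from untrusted
    addresses or without an authenticated user, plus hits per source IP."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(JOBS_PREFIX):
            continue  # not a job-endpoint request, or unparseable line
        ip = ipaddress.ip_address(m.group("ip"))
        per_ip[str(ip)] += 1
        trusted = any(ip in net for net in trusted_nets)
        unauthenticated = m.group("user") == "-"
        if not trusted or unauthenticated:
            findings.append({
                "ip": str(ip), "path": m.group("path"), "user": m.group("user"),
                "reason": "untrusted source" if not trusted else "no authenticated user",
            })
    return findings, per_ip
```

Any source that appears in the findings, or whose count climbs unexpectedly, is a candidate for the shell-activity review the advisory recommends.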

Exploitation status

Public Exploit Available: false

Analyst recommendation

The potential for unauthenticated remote code execution makes this a critical priority. Organizations must either apply the latest security updates or disable the vulnerable job execution feature until a fix is verified.