Nine new CVEs on April 3, 2026, the quietest day this month. MLflow picked up another authentication flaw, its fourth in six weeks. A CVSS 9.3 command injection hit pymetasploit3, the Python wrapper for Metasploit Framework.
| CVE | CVSS | Product | Type |
|---|---|---|---|
| CVE-2026-5463 | 9.3 | pymetasploit3 | Command injection |
| CVE-2026-0545 | 9.1 / 6.5* | MLflow | Unauthenticated access |
| CVE-2026-5472 | 5.3 / 3.3* | School Management System | Unrestricted file upload |
| CVE-2026-5457 | 4.8 | PropertyGuru AgentNet (Android) | Not specified |
| CVE-2026-5456 | 4.8 | My Invisalign (Android) | Not specified |
| CVE-2026-5455 | 4.8 | Dialogue App (Android) | Not specified |
| CVE-2026-5454 | 4.8 | GRID Organiser (Android) | Not specified |
* CVSS scores disputed between sources.
CVE-2026-0545 exposes MLflow's FastAPI job endpoints without authentication. The /ajax-api/3.0/jobs/* routes are unprotected when the basic-auth app is enabled. CVSS scores are disputed between sources. The AnonHaven pipeline assigns 9.1, while CVEFeed lists 6.5.
Databricks created MLflow as an open-source ML lifecycle platform. The Linux Foundation adopted it in 2024. MLflow handles experiment tracking, model versioning, deployment, and registry.
The platform is widely deployed across data science and ML engineering teams. The exposed job endpoints manage scheduling and execution, making unauthenticated access a potentially critical issue depending on what actions the API permits.
This is not an isolated bug. Three confirmed critical MLflow vulnerabilities have been published since February 20, 2026. Each one targets a different part of the platform, but the root cause is the same. Input validation and access control have not kept pace with MLflow's expanding API surface.
February 20 brought CVE-2026-2635 (CVSS 9.8), a default password bypass in basic_auth.ini allowing unauthenticated RCE as administrator. CVE-2025-15379 (CVSS 10.0, March 30) was command injection in model serving container initialisation via python_env.yaml. CVE-2026-0596 (CVSS 9.6, March 31) was command injection via unsanitised model_uri when serving models with enable_mlserver=True. Four flaws in six weeks, all targeting different surfaces of the same platform.
Four authentication and input validation flaws in six weeks across the same ML platform. CVSS 10.0, 9.8, 9.6, and now a disputed 9.1 or 6.5. MLflow's security architecture has not kept pace with its feature growth. Organisations treating MLflow as internal infrastructure that does not need hardening are running unauthenticated RCE surfaces on their ML pipelines.
— Artem Safonov, Threat Analyst at AnonHaven
CVE-2026-5463 (CVSS 9.3) is command injection in console.run_module_with_output() in pymetasploit3. The library lets penetration testers automate Metasploit operations from Python, covering scanning, exploitation, and post-exploitation workflows. Versions prior to 1.0.6 are vulnerable. A CVSS 9.3 command injection in a security testing tool's core execution function.
Module parameters derived from external input are the attack vector. A shared configuration file or a pipeline accepting user-supplied values can give an attacker arbitrary command execution on the machine running the automation. Pentesters using pymetasploit3 in automated pipelines should update to 1.0.6 immediately.
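The defensive counterpart to the paragraph above is an allowlist gate placed in front of any pymetasploit3 call that takes module names or option values from a configuration file or pipeline input. The block below is an added example, not code from pymetasploit3 or from the advisory: it does not import the library, the option allowlist (RHOSTS, RPORT, TARGETURI and so on) is a hypothetical one for a single scanning pipeline, and values are restricted to IP addresses or CIDR ranges, port numbers, small integers and plain URI paths, so shell metacharacters, control characters and path traversal never reach the module execution path. Anything outside the allowlist is rejected rather than forwarded.

```python
import ipaddress
import re
from typing import Any, Dict, Mapping

# Module path such as "auxiliary/scanner/portscan/tcp": a known type prefix
# followed by lowercase path segments. Traversal and shell characters cannot match.
MODULE_NAME_RE = re.compile(
    r"^(?:exploit|auxiliary|post|payload|encoder|nop|evasion)(?:/[a-z0-9_.\-]+)+$"
)
OPTION_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
URI_PATH_RE = re.compile(r"^/[A-Za-z0-9._/\-]*$")

# Option name -> value kind. Hypothetical allowlist for one pipeline (assumption,
# not part of pymetasploit3); unknown options are rejected, not passed through.
OPTION_KINDS: Dict[str, str] = {
    "RHOSTS": "hosts", "RHOST": "hosts", "LHOST": "hosts",
    "RPORT": "port", "LPORT": "port",
    "THREADS": "int",
    "TARGETURI": "uri_path",
}


class UnsafeParameter(ValueError):
    """Raised when a module name or option value fails the allowlist."""


def _hosts(value: str) -> str:
    # Comma-separated IP addresses or CIDR ranges only; hostnames and
    # Metasploit's file: syntax are deliberately out of scope for this gate.
    tokens = [t.strip() for t in value.split(",")]
    for t in tokens:
        try:
            ipaddress.ip_network(t, strict=False)  # accepts "10.0.0.1" and "10.0.0.0/24"
        except ValueError:
            raise UnsafeParameter(f"not an IP address or CIDR range: {t!r}") from None
    return ",".join(tokens)


def _port(value: str) -> str:
    if not re.fullmatch(r"\d{1,5}", value) or not 1 <= int(value) <= 65535:
        raise UnsafeParameter(f"not a TCP/UDP port: {value!r}")
    return value


def _int(value: str) -> str:
    if not re.fullmatch(r"\d{1,6}", value):
        raise UnsafeParameter(f"not a small non-negative integer: {value!r}")
    return value


def _uri_path(value: str) -> str:
    if not URI_PATH_RE.fullmatch(value) or ".." in value:
        raise UnsafeParameter(f"not a plain URI path: {value!r}")
    return value


_CHECKS = {"hosts": _hosts, "port": _port, "int": _int, "uri_path": _uri_path}


def validate_options(module: str, options: Mapping[str, Any]) -> Dict[str, str]:
    """Return a copy of options with every value checked against its kind.

    Run this on values from config files or job queues before they are applied
    to a module; if it raises, skip the module run and log the rejected input.
    """
    if not MODULE_NAME_RE.fullmatch(module):
        raise UnsafeParameter(f"module name not in allowed form: {module!r}")
    clean: Dict[str, str] = {}
    for name, raw in options.items():
        if not OPTION_NAME_RE.fullmatch(str(name)) or name not in OPTION_KINDS:
            raise UnsafeParameter(f"option not in allowlist: {name!r}")
        value = str(raw)
        if any(ch in value for ch in "\r\n\x00"):  # applies to every kind
            raise UnsafeParameter(f"control character in {name}")
        clean[name] = _CHECKS[OPTION_KINDS[name]](value)
    return clean


def is_safe(module: str, options: Mapping[str, Any]) -> bool:
    """Boolean form of validate_options for callers that only need a gate."""
    try:
        validate_options(module, options)
        return True
    except UnsafeParameter:
        return False
```

The design choice is allowlisting by value kind rather than blocklisting characters: a port is a number in range, a host list is something `ipaddress` can parse, a URI path is a restricted character set with no `..` segment. That rejects an injected value because it is not a valid port or address, without trying to enumerate every metacharacter a console parser might honour.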
pymetasploit3 runs on the same machines that have access to target networks and testing credentials. A command injection in its module execution path gives an attacker the keys to the pentester's own environment. Update to 1.0.6 and audit any workflows where module parameters come from external input.
— Artem Safonov, Threat Analyst at AnonHaven
Five lower-severity CVEs round out the day. CVE-2026-5472 (CVSS disputed, 5.3 or 3.3) is an unrestricted file upload in ProjectsAndPrograms School Management System via /admin_panel/settings.php.
Four Android app vulnerabilities at CVSS 4.8 each were published the same day with similar descriptions. CVE-2026-5457 (PropertyGuru AgentNet prior to v23.7.10), CVE-2026-5456 (Align Technology My Invisalign v3.12.4), CVE-2026-5455 (Dialogue App prior to v4.3.2), and CVE-2026-5454 (GRID Organiser prior to v1.0.5). None pose a critical threat.
MLflow users should audit deployment configurations and restrict network access to all endpoints. Ensure basic-auth is properly configured and that job API routes are not exposed to untrusted networks. Pentesters using pymetasploit3 should update to version 1.0.6 immediately.
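One concrete audit step for the MLflow advice above, and for the CVE-2026-0545 exposure described earlier, is to check the access log of the reverse proxy in front of the tracking server for successful requests to the job routes that carried no authenticated user. The block below is an added example, not MLflow code or anything from the advisory. It assumes Common Log Format lines in which the proxy writes the Basic-auth user into the authuser field (so `-` means no accepted credential); the sample lines are constructed, and sub-paths such as `/submit` are placeholders, since the page names only `/ajax-api/3.0/jobs/*`.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common Log Format as written by a reverse proxy in front of MLflow:
#   host ident authuser [timestamp] "METHOD path protocol" status bytes
# Assumption: the proxy fills authuser from the Basic-auth credential it
# accepted, so "-" means the request carried no accepted credential.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Route family named in CVE-2026-0545 (the advisory gives only the wildcard).
JOB_ROUTE_PREFIX = "/ajax-api/3.0/jobs"


@dataclass(frozen=True)
class Finding:
    host: str
    ts: str
    method: str
    path: str
    status: int


def is_job_route(path: str) -> bool:
    """True for /ajax-api/3.0/jobs and anything beneath it; query string ignored."""
    path = path.split("?", 1)[0]
    return path == JOB_ROUTE_PREFIX or path.startswith(JOB_ROUTE_PREFIX + "/")


def parse_clf(line: str) -> Optional[dict]:
    """Split one CLF line into named fields, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unauthenticated_job_calls(lines: Iterable[str]) -> List[Finding]:
    """Return successful (2xx) job-API requests that carried no authenticated user.

    A hardened deployment produces an empty list: every credential-less request
    to the job routes should have been answered with 401 or 403.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_job_route(rec["path"]):
            continue
        status = int(rec["status"])
        if rec["user"] == "-" and 200 <= status < 300:
            findings.append(Finding(rec["host"], rec["ts"], rec["method"], rec["path"], status))
    return findings


# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2026:10:01:12 +0000] "GET /ajax-api/3.0/jobs/ HTTP/1.1" 200 512
10.0.0.5 - alice [03/Apr/2026:10:01:15 +0000] "GET /ajax-api/2.0/mlflow/experiments/search HTTP/1.1" 200 1024
203.0.113.9 - - [03/Apr/2026:10:02:40 +0000] "POST /ajax-api/3.0/jobs/submit HTTP/1.1" 200 88
203.0.113.9 - - [03/Apr/2026:10:02:41 +0000] "GET /ajax-api/2.0/mlflow/experiments/search HTTP/1.1" 401 0
10.0.0.7 - bob [03/Apr/2026:10:03:01 +0000] "GET /ajax-api/3.0/jobs/42?verbose=1 HTTP/1.1" 200 300
10.0.0.9 - - [03/Apr/2026:10:04:00 +0000] "GET /ajax-api/3.0/jobs/ HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    for f in find_unauthenticated_job_calls(SAMPLE_LOG.splitlines()):
        print(f"UNAUTHENTICATED {f.method} {f.path} from {f.host} at {f.ts} -> {f.status}")
```

On the constructed sample this flags two requests: the job listing from 10.0.0.5 and the job submission from 203.0.113.9, both answered 200 with no user. The 401 responses and the authenticated calls are left alone, which is the behaviour you want after basic-auth is correctly enforced on the job routes. If the proxy does not record the user, the same logic can key on the presence of an Authorization header field instead.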
The previous day's digest covered 165 CVEs including a ShareFile pre-auth RCE chain and FastMCP CVSS 10.0. April 3 dropped to nine, but the MLflow pattern carries more signal than a single day's volume.