Skip to content
Threat Feed
critical advisory

Unauthenticated Access to backpropagate UI via Authentication Bypass (CVE-2026-48797)

An authentication bypass vulnerability in `backpropagate` versions >= 1.1.0 and < 1.2.0 allows unauthenticated attackers to gain full control over the Reflex web UI, even when HTTP Basic authentication is ostensibly enabled via the `--auth` flag, permitting data exfiltration, arbitrary training runs, HuggingFace Hub push, disk-fill DoS, and sensitive path discovery.

A critical authentication bypass vulnerability, tracked as CVE-2026-48797, exists in the backpropagate machine learning operations tool (versions >= 1.1.0 and < 1.2.0), specifically affecting its optional Reflex web UI. Despite documented command-line flags --auth user:pass and --share intended to enforce HTTP Basic authentication and control public exposure, the Reflex backend fails to implement any authentication middleware. This oversight means any attacker able to reach the UI's bound port, whether locally or remotely, gains full administrative control without credentials. This flaw enables attackers to read sensitive uploaded datasets, initiate arbitrary model training, push tampered models to HuggingFace Hub accounts, and trigger denial-of-service through uncontrolled file uploads, posing significant data exfiltration and supply-chain compromise risks. The vulnerability was discovered by an internal audit on May 22, 2026, and patched in version 1.2.0.

Attack Chain

  1. Reconnaissance & Initial Access: An attacker identifies a running backpropagate Reflex UI instance (version >= 1.1.0, < 1.2.0) bound to a network accessible port. This may be localhost (default) or a public address if the legitimate operator used the --share flag.
  2. Authentication Bypass: The attacker accesses the UI's HTTP endpoint without providing any credentials, as the documented --auth flag does not enforce authentication.
  3. Information Disclosure: The attacker navigates the UI to view uploaded datasets (e.g., JSONL/CSV/TXT files) and extracts sensitive information used for fine-tuning.
  4. Discovery: The attacker can read source_model_path, dataset_path, model, and uploaded_path values from the UI, bypassing safe_path() helpers and potentially revealing internal file system structure.
  5. Arbitrary Execution: The attacker triggers arbitrary training runs against any locally installed base model or models downloadable from HuggingFace, potentially leading to remote code execution or resource exhaustion.
  6. Supply Chain Compromise: The attacker initiates HuggingFace Hub pushes to repositories specified via the UI, potentially pushing malicious or tampered model weights to the operator's account.
  7. Denial of Service: The attacker exploits the rx.upload endpoint, which lacks size, extension, or count caps, to upload large files and exhaust disk space, causing a denial of service.

Impact

This critical vulnerability enables a range of severe consequences. Attackers can exfiltrate sensitive uploaded datasets, such as proprietary training data, client information, or other confidential records. They can also initiate arbitrary model training, potentially leading to resource abuse or arbitrary code execution within the victim's environment. The ability to trigger HuggingFace Hub pushes poses a significant supply-chain risk, allowing attackers to inject malicious or tampered models into the victim's publicly hosted repositories. Furthermore, uncontrolled file uploads via the rx.upload endpoint can lead to disk-fill denial-of-service attacks, disrupting critical ML operations. The impact extends to all users running vulnerable versions of backpropagate who either expose the UI publicly or have local attackers.

Recommendation

  • Immediately upgrade backpropagate to version 1.2.0 or higher by running pip install --upgrade backpropagate to patch CVE-2026-48797.
  • If immediate upgrade is not possible, do NOT use the --auth or --share flags with backprop ui as they are ineffective.
  • For remote access, use SSH port-forwarding (as described in the brief) to secure access to the backpropagate UI, leveraging SSH's authentication mechanisms.
  • Audit existing backpropagate deployments for any instances launched with --share prior to May 23, 2026, as these instances were openly accessible.
  • Re-issue HuggingFace API tokens that were in use on systems running vulnerable backpropagate UI instances exposed with --share due to potential compromise of push targets.
  • Review webserver access logs for the backpropagate UI for suspicious unauthenticated access to sensitive endpoints like /rx.upload or data preview pages if proxying the UI through a webserver.

Indicators of compromise

2

domain

1

url

TypeValue
urlhttps://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23
domaingithub.com
domainhuggingface.co