{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mcp-tool-shop-org/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48797"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["backpropagate (\u003e= 1.1.0, \u003c 1.2.0)","@mcptoolshop/backpropagate (\u003e= 1.1.0, \u003c 1.2.0)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","critical-vulnerability","supply-chain","data-exfiltration","denial-of-service","web-ui","machine-learning","reflex"],"_cs_type":"advisory","_cs_vendors":["mcp-tool-shop-org"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, tracked as CVE-2026-48797, exists in the \u003ccode\u003ebackpropagate\u003c/code\u003e machine learning operations tool (versions \u0026gt;= 1.1.0 and \u0026lt; 1.2.0), specifically affecting its optional Reflex web UI. Despite documented command-line flags \u003ccode\u003e--auth user:pass\u003c/code\u003e and \u003ccode\u003e--share\u003c/code\u003e intended to enforce HTTP Basic authentication and control public exposure, the Reflex backend fails to implement any authentication middleware. This oversight means any attacker able to reach the UI's bound port, whether locally or remotely, gains full administrative control without credentials. This flaw enables attackers to read sensitive uploaded datasets, initiate arbitrary model training, push tampered models to HuggingFace Hub accounts, and trigger denial-of-service through uncontrolled file uploads, posing significant data exfiltration and supply-chain compromise risks. The vulnerability was discovered by an internal audit on May 22, 2026, and patched in version 1.2.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Initial Access\u003c/strong\u003e: An attacker identifies a running \u003ccode\u003ebackpropagate\u003c/code\u003e Reflex UI instance (version \u0026gt;= 1.1.0, \u0026lt; 1.2.0) bound to a network accessible port. This may be \u003ccode\u003elocalhost\u003c/code\u003e (default) or a public address if the legitimate operator used the \u003ccode\u003e--share\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass\u003c/strong\u003e: The attacker accesses the UI's HTTP endpoint without providing any credentials, as the documented \u003ccode\u003e--auth\u003c/code\u003e flag does not enforce authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure\u003c/strong\u003e: The attacker navigates the UI to view uploaded datasets (e.g., JSONL/CSV/TXT files) and extracts sensitive information used for fine-tuning.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery\u003c/strong\u003e: The attacker can read \u003ccode\u003esource_model_path\u003c/code\u003e, \u003ccode\u003edataset_path\u003c/code\u003e, \u003ccode\u003emodel\u003c/code\u003e, and \u003ccode\u003euploaded_path\u003c/code\u003e values from the UI, bypassing \u003ccode\u003esafe_path()\u003c/code\u003e helpers and potentially revealing internal file system structure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Execution\u003c/strong\u003e: The attacker triggers arbitrary training runs against any locally installed base model or models downloadable from HuggingFace, potentially leading to remote code execution or resource exhaustion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupply Chain Compromise\u003c/strong\u003e: The attacker initiates HuggingFace Hub pushes to repositories specified via the UI, potentially pushing malicious or tampered model weights to the operator's account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The attacker exploits the \u003ccode\u003erx.upload\u003c/code\u003e endpoint, which lacks size, extension, or count caps, to upload large files and exhaust disk space, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis critical vulnerability enables a range of severe consequences. Attackers can exfiltrate sensitive uploaded datasets, such as proprietary training data, client information, or other confidential records. They can also initiate arbitrary model training, potentially leading to resource abuse or arbitrary code execution within the victim's environment. The ability to trigger HuggingFace Hub pushes poses a significant supply-chain risk, allowing attackers to inject malicious or tampered models into the victim's publicly hosted repositories. Furthermore, uncontrolled file uploads via the \u003ccode\u003erx.upload\u003c/code\u003e endpoint can lead to disk-fill denial-of-service attacks, disrupting critical ML operations. The impact extends to all users running vulnerable versions of \u003ccode\u003ebackpropagate\u003c/code\u003e who either expose the UI publicly or have local attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade \u003ccode\u003ebackpropagate\u003c/code\u003e to version 1.2.0 or higher by running \u003ccode\u003epip install --upgrade backpropagate\u003c/code\u003e to patch CVE-2026-48797.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, do NOT use the \u003ccode\u003e--auth\u003c/code\u003e or \u003ccode\u003e--share\u003c/code\u003e flags with \u003ccode\u003ebackprop ui\u003c/code\u003e as they are ineffective.\u003c/li\u003e\n\u003cli\u003eFor remote access, use SSH port-forwarding (as described in the brief) to secure access to the \u003ccode\u003ebackpropagate\u003c/code\u003e UI, leveraging SSH's authentication mechanisms.\u003c/li\u003e\n\u003cli\u003eAudit existing \u003ccode\u003ebackpropagate\u003c/code\u003e deployments for any instances launched with \u003ccode\u003e--share\u003c/code\u003e prior to May 23, 2026, as these instances were openly accessible.\u003c/li\u003e\n\u003cli\u003eRe-issue HuggingFace API tokens that were in use on systems running vulnerable \u003ccode\u003ebackpropagate\u003c/code\u003e UI instances exposed with \u003ccode\u003e--share\u003c/code\u003e due to potential compromise of push targets.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs for the \u003ccode\u003ebackpropagate\u003c/code\u003e UI for suspicious unauthenticated access to sensitive endpoints like \u003ccode\u003e/rx.upload\u003c/code\u003e or data preview pages if proxying the UI through a webserver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:32:41Z","date_published":"2026-07-03T10:32:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-backpropagate-auth-bypass/","summary":"An authentication bypass vulnerability in `backpropagate` versions \u003e= 1.1.0 and \u003c 1.2.0 allows unauthenticated attackers to gain full control over the Reflex web UI, even when HTTP Basic authentication is ostensibly enabled via the `--auth` flag, permitting data exfiltration, arbitrary training runs, HuggingFace Hub push, disk-fill DoS, and sensitive path discovery.","title":"Unauthenticated Access to backpropagate UI via Authentication Bypass (CVE-2026-48797)","url":"https://feed.craftedsignal.io/briefs/2026-07-backpropagate-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Mcp-Tool-Shop-Org","version":"https://jsonfeed.org/version/1.1"}