<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mcp-Tool-Shop-Org - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/mcp-tool-shop-org/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 10:32:41 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/mcp-tool-shop-org/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated Access to backpropagate UI via Authentication Bypass (CVE-2026-48797)</title><link>https://feed.craftedsignal.io/briefs/2026-07-backpropagate-auth-bypass/</link><pubDate>Fri, 03 Jul 2026 10:32:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-backpropagate-auth-bypass/</guid><description>An authentication bypass vulnerability in `backpropagate` versions &gt;= 1.1.0 and &lt; 1.2.0 allows unauthenticated attackers to gain full control over the Reflex web UI, even when HTTP Basic authentication is ostensibly enabled via the `--auth` flag, permitting data exfiltration, arbitrary training runs, HuggingFace Hub push, disk-fill DoS, and sensitive path discovery.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability, tracked as CVE-2026-48797, exists in the <code>backpropagate</code> machine learning operations tool (versions &gt;= 1.1.0 and &lt; 1.2.0), specifically affecting its optional Reflex web UI. Despite documented command-line flags <code>--auth user:pass</code> and <code>--share</code> intended to enforce HTTP Basic authentication and control public exposure, the Reflex backend fails to implement any authentication middleware. This oversight means any attacker able to reach the UI's bound port, whether locally or remotely, gains full administrative control without credentials. This flaw enables attackers to read sensitive uploaded datasets, initiate arbitrary model training, push tampered models to HuggingFace Hub accounts, and trigger denial-of-service through uncontrolled file uploads, posing significant data exfiltration and supply-chain compromise risks. The vulnerability was discovered by an internal audit on May 22, 2026, and patched in version 1.2.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance &amp; Initial Access</strong>: An attacker identifies a running <code>backpropagate</code> Reflex UI instance (version &gt;= 1.1.0, &lt; 1.2.0) bound to a network accessible port. This may be <code>localhost</code> (default) or a public address if the legitimate operator used the <code>--share</code> flag.</li>
<li><strong>Authentication Bypass</strong>: The attacker accesses the UI's HTTP endpoint without providing any credentials, as the documented <code>--auth</code> flag does not enforce authentication.</li>
<li><strong>Information Disclosure</strong>: The attacker navigates the UI to view uploaded datasets (e.g., JSONL/CSV/TXT files) and extracts sensitive information used for fine-tuning.</li>
<li><strong>Discovery</strong>: The attacker can read <code>source_model_path</code>, <code>dataset_path</code>, <code>model</code>, and <code>uploaded_path</code> values from the UI, bypassing <code>safe_path()</code> helpers and potentially revealing internal file system structure.</li>
<li><strong>Arbitrary Execution</strong>: The attacker triggers arbitrary training runs against any locally installed base model or models downloadable from HuggingFace, potentially leading to remote code execution or resource exhaustion.</li>
<li><strong>Supply Chain Compromise</strong>: The attacker initiates HuggingFace Hub pushes to repositories specified via the UI, potentially pushing malicious or tampered model weights to the operator's account.</li>
<li><strong>Denial of Service</strong>: The attacker exploits the <code>rx.upload</code> endpoint, which lacks size, extension, or count caps, to upload large files and exhaust disk space, causing a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This critical vulnerability enables a range of severe consequences. Attackers can exfiltrate sensitive uploaded datasets, such as proprietary training data, client information, or other confidential records. They can also initiate arbitrary model training, potentially leading to resource abuse or arbitrary code execution within the victim's environment. The ability to trigger HuggingFace Hub pushes poses a significant supply-chain risk, allowing attackers to inject malicious or tampered models into the victim's publicly hosted repositories. Furthermore, uncontrolled file uploads via the <code>rx.upload</code> endpoint can lead to disk-fill denial-of-service attacks, disrupting critical ML operations. The impact extends to all users running vulnerable versions of <code>backpropagate</code> who either expose the UI publicly or have local attackers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>backpropagate</code> to version 1.2.0 or higher by running <code>pip install --upgrade backpropagate</code> to patch CVE-2026-48797.</li>
<li>If immediate upgrade is not possible, do NOT use the <code>--auth</code> or <code>--share</code> flags with <code>backprop ui</code> as they are ineffective.</li>
<li>For remote access, use SSH port-forwarding (as described in the brief) to secure access to the <code>backpropagate</code> UI, leveraging SSH's authentication mechanisms.</li>
<li>Audit existing <code>backpropagate</code> deployments for any instances launched with <code>--share</code> prior to May 23, 2026, as these instances were openly accessible.</li>
<li>Re-issue HuggingFace API tokens that were in use on systems running vulnerable <code>backpropagate</code> UI instances exposed with <code>--share</code> due to potential compromise of push targets.</li>
<li>Review webserver access logs for the <code>backpropagate</code> UI for suspicious unauthenticated access to sensitive endpoints like <code>/rx.upload</code> or data preview pages if proxying the UI through a webserver.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authentication-bypass</category><category>critical-vulnerability</category><category>supply-chain</category><category>data-exfiltration</category><category>denial-of-service</category><category>web-ui</category><category>machine-learning</category><category>reflex</category></item></channel></rss>