Severity: CRITICAL | CVE-2026-48797 | CNA: GitHub_M

CVE-2026-48797: Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication

Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push.

The CLI accepts two operator-facing flags intended as security controls: --auth user:pass, documented as "require HTTP Basic authentication on every request to the UI", and --share, documented as "expose the UI on a public address; requires --auth". When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend. The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH: no authentication middleware is registered, no request-level guard runs, and no WebSocket upgrade guard runs. Any client that reaches the bound port, local or remote depending on whether --share is used, has full UI access. An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." That comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced.

An attacker who reaches the bound port can read uploaded datasets, trigger arbitrary training runs against any local base models and read their paths, trigger HuggingFace Hub pushes, and cause a disk-fill denial of service.

This issue has been fixed in version 1.2.0. Developers who cannot immediately upgrade to 1.2.0 should run backprop ui with no flags so it binds to localhost, use SSH port-forwarding (ssh -L 7860:localhost:7860 <training-host>) instead of --share for remote access, and audit any host previously launched with --share, re-issuing any HF tokens used during those sessions.
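The missing piece the advisory describes is a backend that actually consumes the exported credential and guards both request paths (HTTP requests and WebSocket upgrades). The following is an added illustration, not the project's code and not the upstream 1.2.0 fix: a minimal ASGI middleware that reads BACKPROPAGATE_UI_AUTH and rejects unauthenticated traffic. The stand-in backend, the helper names and the alice:s3cret credential are constructed for the example.

```python
import asyncio
import base64
import hmac
import os

def basic_header(user, password):  # build an 'Authorization: Basic ...' value
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def credentials_match(header_value, expected):
    """Decode a Basic header and compare to the expected b'user:pass' in constant time."""
    scheme, _, encoded = header_value.partition(" ")
    try:
        presented = base64.b64decode(encoded, validate=True) if scheme.lower() == "basic" else b""
    except ValueError:  # malformed base64 counts as no credentials, not as a server error
        return False
    return hmac.compare_digest(presented, expected)

class BasicAuthMiddleware:
    """ASGI guard: every HTTP request and every WebSocket upgrade must carry valid Basic credentials."""
    def __init__(self, app, credential=None):
        # The step the advisory says was missing: actually read what the CLI exported.
        credential = credential or os.environ.get("BACKPROPAGATE_UI_AUTH")
        if not credential or ":" not in credential:
            raise ValueError("BACKPROPAGATE_UI_AUTH must be set to user:pass")
        self.app, self.expected = app, credential.encode()

    async def __call__(self, scope, receive, send):
        if scope["type"] not in ("http", "websocket"):  # lifespan events pass straight through
            return await self.app(scope, receive, send)
        auth = dict(scope.get("headers", [])).get(b"authorization", b"").decode("latin-1")
        if credentials_match(auth, self.expected):
            return await self.app(scope, receive, send)
        if scope["type"] == "websocket":  # refuse before the handshake completes
            await send({"type": "websocket.close", "code": 1008})
            return
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"www-authenticate", b'Basic realm="backprop ui"')]})
        await send({"type": "http.response.body", "body": b"unauthorized"})

async def _control_plane(scope, receive, send):  # constructed stand-in for the real UI backend
    if scope["type"] == "websocket":
        return await send({"type": "websocket.accept"})
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"control plane"})

def probe(credential, scope_type="http", authorization=None):  # returns HTTP status or WS event type
    headers = [(b"authorization", authorization.encode())] if authorization else []
    events = []
    async def send(msg): events.append(msg)
    app = BasicAuthMiddleware(_control_plane, credential)
    asyncio.run(app({"type": scope_type, "headers": headers}, None, send))
    return events[0].get("status", events[0]["type"])
```

Run against a real deployment, the equivalent check is that an unauthenticated request to the bound port returns 401 rather than the UI, and that a WebSocket handshake without credentials is closed.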

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: (none recorded)
  • Affected Products: 2


HarborGuard Analysis

Synopsis

Authentication bypass in Backpropagate versions 1.1.0 and 1.1.1 leaves the optional Reflex web UI completely unprotected despite the --auth and --share flags being documented as security controls. The flaw is reachable over the network with no credentials required: the CLI exports the auth credential to an environment variable that the backend never reads, so no authentication middleware or request guard is ever registered. A successful attacker gains full control of the training control plane, including reading uploaded datasets, triggering model training and HuggingFace Hub pushes, and causing a disk-fill denial of service. A patched-image rebuild at version 1.2.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the backpropagate library directly. Any image layer containing backpropagate 1.1.0 or 1.1.1 is flagged automatically during both registry scans and active pipeline builds.

Triage (Available)

HarborGuard scores this CVE at 9.3 CRITICAL (CVSS v4.0) and surfaces it with that severity weighting in each customer environment, adjusted further by any per-environment compliance policy the customer has configured. Triage alerts are routed to the team or inbox designated by the customer's policy, ensuring the right engineers see the finding without manual filtering.

Patch (Pending upstream)

Because no fix version was published at the time of initial ingestion, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild at version 1.2.0 available the moment upstream confirms the release. For customers who opt into auto-remediation, that rebuild triggers a regression-test run and a PR opened against affected workloads automatically, without requiring manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Reflex UI's bound port over the network; if --share is active, that port is exposed on a public address.

  • Authentication: Not required

    No credentials are checked at any point: the backend never reads the exported auth variable, so any client that reaches the port has full access.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker interacts directly with the exposed service.

  • Attack complexity

    Exploitation is straightforward and condition-free: no race conditions, memory layout dependencies, or environmental factors must be satisfied.

Blast Radius

  • Reads all uploaded training datasets and the filesystem paths of any local base models loaded into the UI.
  • Triggers arbitrary training runs against local base models, consuming GPU and compute resources without operator approval.
  • Initiates HuggingFace Hub pushes, causing fine-tuned model weights to be uploaded to attacker-chosen Hub destinations.
  • Causes disk-fill denial of service by repeatedly triggering training runs or GGUF exports until storage is exhausted.

How HarborGuard Handles This

Available on HarborGuard: any image containing backpropagate 1.1.0 or 1.1.1 is flagged at CRITICAL severity within minutes of the advisory being ingested. Because this CVE carries no upstream fix at initial publication, HarborGuard monitors the advisory on every ingest cycle and will surface the version 1.2.0 patched rebuild automatically once upstream confirms availability. For customers who opt into auto-remediation, that rebuild will immediately trigger a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to block external access to the Reflex UI port, egress filtering to prevent unauthorized HuggingFace Hub pushes, and disabling the --share flag at the operator level so the UI is bound only to localhost. Customers whose compliance policy requires manual sign-off before remediation will receive the finding in their designated triage inbox for review.

Affected packages
  • mcp-tool-shop-org / backpropagate
    >= 1.1.0, < 1.2.0
  • mcp-tool-shop-org / @mcptoolshop/backpropagate
    >= 1.1.0, < 1.2.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N