Authentication Bypass in Backpropagate Training Control UI
CVE-2026-48797

9.3 CRITICAL

What is CVE-2026-48797?

The Backpropagate library, used to fine-tune large language models, contains an authentication bypass in its Reflex web UI in versions 1.1.0 and 1.1.1. The CLI exposes options intended to require authentication, but the Reflex backend never enforces them, so an unauthenticated network user gets the full UI, including dataset uploads and model execution, and can interact with the sensitive training data those features handle. The impact is unauthorized training runs and denial of service by exhausting disk space with uploads. Because the CLI flags provide no protection in the affected versions, any instance reachable from a network should be treated as open regardless of how it was started. Version 1.2.0 fixes the issue; affected users should upgrade.

Affected Version(s)

@mcptoolshop/backpropagate >= 1.1.0, < 1.2.0

backpropagate >= 1.1.0, < 1.2.0
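The flaw class described above (an authentication flag that the CLI parses but the request layer never consults) and the affected-version range are easier to reason about with a small model. The block below is an added illustration, not Backpropagate's or Reflex's own code: the flag names `--auth` and `--token`, the `Settings`/`Request` types, the handler names and the `is_affected` helper are all hypothetical. It runs the same constructed requests through a handler that ignores the flag and through one that gates on it and caps upload size, and it classifies a version string against the advisory's `>= 1.1.0, < 1.2.0` range.

```python
# Added illustration of the advisory's flaw class. Not Backpropagate's code;
# every name below (flags, types, handlers) is hypothetical.
import argparse
import hmac
from dataclasses import dataclass, field


@dataclass
class Settings:
    require_auth: bool = False                # set by the hypothetical --auth flag
    api_token: str = ""                       # set by the hypothetical --token flag
    max_upload_bytes: int = 8 * 1024 * 1024   # cap so uploads cannot fill the disk


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_cli(argv):
    """Parse the hypothetical CLI flags into Settings; refuse --auth without a token."""
    parser = argparse.ArgumentParser(prog="training-ui-demo")
    parser.add_argument("--auth", action="store_true", help="require a bearer token")
    parser.add_argument("--token", default="", help="bearer token to require")
    args = parser.parse_args(argv)
    if args.auth and not args.token:
        raise SystemExit("--auth given without --token: refusing to start open")
    return Settings(require_auth=args.auth, api_token=args.token)


def upload_dataset_vulnerable(settings, request, store):
    """The flaw class: the flag lives in Settings but this handler never reads it,
    so every caller, authenticated or not, is served."""
    store.append(request.body)
    return 200


def is_authorized(settings, request):
    """Gate privileged handlers on the parsed flag. The token comparison is
    constant-time so the check does not leak the secret through timing."""
    if not settings.require_auth:
        return True
    presented = request.headers.get("Authorization", "").encode()
    expected = ("Bearer " + settings.api_token).encode()
    return bool(settings.api_token) and hmac.compare_digest(presented, expected)


def upload_dataset_hardened(settings, request, store):
    """Hardened handler: auth gate first, then a size cap against disk exhaustion."""
    if not is_authorized(settings, request):
        return 401
    if len(request.body) > settings.max_upload_bytes:
        return 413
    store.append(request.body)
    return 200


def is_affected(version):
    """True if a three-part backpropagate version string falls in the advisory's
    affected range >= 1.1.0, < 1.2.0 (pre-release suffixes are not handled)."""
    parts = tuple(int(p) for p in version.split("."))
    return (1, 1, 0) <= parts < (1, 2, 0)


def demo():
    """Run both handlers against constructed requests and return the status codes."""
    settings = parse_cli(["--auth", "--token", "s3cret-token"])
    anonymous = Request(body=b"prompt,response\n")                       # constructed
    legitimate = Request(headers={"Authorization": "Bearer s3cret-token"},
                         body=b"prompt,response\n")                       # constructed
    oversized = Request(headers={"Authorization": "Bearer s3cret-token"},
                        body=b"x" * (settings.max_upload_bytes + 1))      # constructed
    vulnerable_store, hardened_store = [], []
    return {
        "vulnerable_anonymous": upload_dataset_vulnerable(settings, anonymous, vulnerable_store),
        "hardened_anonymous": upload_dataset_hardened(settings, anonymous, hardened_store),
        "hardened_legitimate": upload_dataset_hardened(settings, legitimate, hardened_store),
        "hardened_oversized": upload_dataset_hardened(settings, oversized, hardened_store),
        "vulnerable_stored": len(vulnerable_store),
        "hardened_stored": len(hardened_store),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two handlers is that a startup flag is only a security control if every privileged route checks it; parsing `--auth` and then serving uploads and training runs unconditionally is exactly the condition the advisory describes. The hardened handler also refuses to start with `--auth` but no token, and rejects oversized bodies before writing them, which addresses the disk-exhaustion path.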

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
None
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved