CVE-2022-36551: Label Studio: SSRF + file read, self-reg bypass
GHSA-pc6f-259w-w3j6 | Severity: MEDIUM | PoC available

Any internet-exposed Label Studio instance running <1.6.0 is trivially exploitable: self-registration is on by default, so an unauthenticated attacker can register and then use the Data Import SSRF to read arbitrary files, including credentials, model artifacts, and cloud metadata endpoints. Patch to 1.6.0 immediately and audit access logs for unexpected import requests. If patching is not immediate, disable self-registration and restrict Data Import to trusted users.
Risk Assessment
Effective risk is higher than the CVSS 6.5 Medium suggests. The self-registration default turns this from an authenticated vulnerability into a de facto unauthenticated one for any publicly reachable instance. SSRF + arbitrary file read in an ML annotation platform gives attackers access to training datasets, labeling credentials, cloud provider metadata (AWS IMDS, GCP metadata), and internal network pivoting. EPSS of 0.047 reflects low automated exploitation activity, but the exploit primitive is trivial to reproduce manually.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| label-studio | pip | < 1.6.0 | 1.6.0 |
Recommended Action
6 steps:
1. PATCH: Upgrade to label-studio >= 1.6.0 immediately; this is the only complete fix.
2. DISABLE self-registration if running <1.6.0: set LABEL_STUDIO_DISABLE_SIGNUP_WITHOUT_LINK=1 or restrict sign-up via the reverse proxy.
3. NETWORK: Place Label Studio behind a VPN or IP allowlist; it should never be publicly accessible without authentication.
4. DETECT: Search access logs for Data Import requests containing 'file://', '169.254.169.254', '127.0.0.1', or internal RFC-1918 ranges in URL parameters.
5. ROTATE: If the instance was exposed, rotate all credentials stored in config files, environment variables, and connected cloud accounts.
6. AUDIT: Review all Data Import history for suspicious file:// or internal URLs.
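As an added example (not code from the page or from the Label Studio project), the DETECT step implemented as a Python scan over constructed access-log lines: it flags Data Import requests whose url parameter uses file:// or points at a link-local (cloud metadata), loopback or RFC-1918 address, generalising the listed indicators to the whole 169.254.0.0/16 and 127.0.0.0/8 ranges. The import path and the name of the 'url' query parameter are assumptions about the log shape.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines, not from a real instance. The import
# path and the 'url' query parameter are assumptions about the log shape.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2022:10:00:01 +0000] "POST /api/projects/1/import?url=https%3A%2F%2Fexample.com%2Fdata.csv HTTP/1.1" 201 512
203.0.113.7 - - [01/Sep/2022:10:02:13 +0000] "POST /api/projects/1/import?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 201 1740
203.0.113.7 - - [01/Sep/2022:10:02:40 +0000] "POST /api/projects/1/import?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 201 880
198.51.100.2 - - [01/Sep/2022:10:05:00 +0000] "POST /api/projects/2/import?url=http%3A%2F%2F10.1.2.3%3A8080%2Fadmin HTTP/1.1" 502 0
10.0.0.5 - - [01/Sep/2022:10:06:00 +0000] "GET /projects/1/data HTTP/1.1" 200 2048
"""

# Common-log-format request line: source IP, then "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_url(url):
    """Return a reason string if an import URL is an SSRF indicator, else None."""
    parsed = urlparse(url)
    if parsed.scheme == "file":
        return "file:// scheme (local file read)"
    try:
        addr = ipaddress.ip_address(parsed.hostname or "")
    except ValueError:
        return None  # a hostname rather than a literal IP; not checked here
    # Order matters: ipaddress also reports 169.254/16 and 127/8 as private.
    if addr.is_link_local:  # 169.254.0.0/16, where cloud metadata services live
        return "link-local / cloud metadata address"
    if addr.is_loopback:  # 127.0.0.0/8
        return "loopback address"
    if addr.is_private:  # RFC-1918 ranges
        return "RFC-1918 internal address"
    return None

def scan_access_log(text):
    """Return (source_ip, decoded_url, reason) for every flagged import request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or "/import" not in m.group("target"):
            continue
        for url in parse_qs(urlparse(m.group("target")).query).get("url", []):
            reason = suspicious_url(url)  # parse_qs has already percent-decoded it
            if reason:
                hits.append((m.group("src"), url, reason))
    return hits

FLAGGED = scan_access_log(SAMPLE_LOG)  # three of the five sample requests
```

Hostnames are deliberately not resolved, so an import URL naming an internal host by DNS would not be flagged by this check.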
Frequently Asked Questions
Is CVE-2022-36551 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-36551, increasing the risk of exploitation.
What systems are affected by CVE-2022-36551?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, data labeling platforms, MLOps infrastructure.
What is the CVSS score for CVE-2022-36551?
CVE-2022-36551 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 9.16%.
Technical Details
NVD Description
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF. This issue is fixed in version 1.6.0.
Exploitation Scenario
Attacker discovers a Label Studio instance via Shodan/Censys. Self-registration is enabled (default). Attacker registers a free account. Using the Data Import feature, attacker submits a crafted import request pointing to 'file:///etc/passwd' or 'http://169.254.169.254/latest/meta-data/iam/security-credentials/' to harvest AWS instance role credentials. With cloud credentials, attacker pivots to S3 buckets containing training datasets, potentially exfiltrating proprietary labeled data or injecting poisoned samples. If the instance runs with broad IAM permissions (common in ML environments), full cloud account compromise is achievable from a single SSRF request.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
- heartex.com
- labelstud.io
- packetstormsecurity.com/files/171548/Label-Studio-1.5.0-Server-Side-Request-Forgery.html
- github.com/advisories/GHSA-pc6f-259w-w3j6
- github.com/heartexlabs/label-studio/commit/501142cb815ac964b0c600c491885b67386870c2
- github.com/heartexlabs/label-studio/pull/2840
- github.com/heartexlabs/label-studio/releases/tag/1.6.0
- github.com/pypa/advisory-database/tree/main/vulns/label-studio/PYSEC-2022-300.yaml
- nvd.nist.gov/vuln/detail/CVE-2022-36551
Related Vulnerabilities (same package: label-studio)
- CVE-2025-25297 (8.6): Label Studio: SSRF via S3 endpoint exposes internal services
- CVE-2025-5173 (7.8): label-studio-ml: PyTorch .pt deserialization RCE in YOLO loader
- CVE-2025-25296 (6.1): Label Studio: reflected XSS via label_config param
- CVE-2026-22033: label-studio: XSS enables session hijacking
- CVE-2025-47783: Label Studio: XSS enables unauthorized actions via CSRF