CVE-2026-48797: @mcptoolshop/backpropagate auth

CISO Take

The backpropagate Python library for single-GPU LLM fine-tuning ships a Reflex web UI whose documented --auth flag is entirely non-functional: the CLI prints 'Auth: enabled' to the terminal, but the backend never reads the exported environment variable and registers no authentication middleware — meaning any client that reaches the port has unconditional full access to dataset upload, model loading, training orchestration, GGUF export, and HuggingFace Hub push. The deception is the most dangerous aspect: operators receive affirmative confirmation that security controls are active when they are not, extending the exposure window indefinitely. There is no EPSS score yet (CVE published 2026-06-16) and no active exploitation on record, but sophistication required is zero — a browser or curl is sufficient, and internet exposure is one --share flag away. Upgrade to v1.2.0 immediately; until patched, firewall the Reflex UI port and revoke any HuggingFace tokens used on affected hosts.

Sources: GitHub Advisory ATLAS

What is the risk?

Critical. The auth bypass is a complete null-op — no credential, no token, no skill is required to access the control plane. With --share the attack surface is internet-wide; without it, any LAN attacker, SSRF, or container escape is sufficient. The printed 'Auth: enabled' confirmation actively suppresses operator vigilance, making this a deceptive security failure rather than a simple misconfiguration. The npm MCP package (@mcptoolshop/backpropagate) broadens the attack surface to AI agents that have this tool wired in, where a prompt injection or poisoned tool invocation could trigger unauthorized training runs autonomously.

How does the attack unfold?

Discovery

Attacker scans for open Reflex UI ports and identifies a backpropagate instance exposed via --share; no authentication challenge is presented despite the operator's belief that --auth is enforced.

AML.T0049

Collection

Attacker downloads uploaded fine-tuning datasets via the unauthenticated UI and reads local base model file paths exposed through the model-load interface, enumerating the host filesystem.

AML.T0035

Training Manipulation

Attacker uploads a backdoor-injected dataset replacement and triggers a new training run, causing the victim's GPU to produce a compromised fine-tuned model without the operator's awareness.

AML.T0020

Impact / Propagation

Attacker invokes HuggingFace Hub push to publish the poisoned model under the victim's identity, extending supply-chain compromise to downstream consumers, or saturates disk storage via multi-run orchestration.

AML.T0058

Discovery

Attacker scans for open Reflex UI ports and identifies a backpropagate instance exposed via --share; no authentication challenge is presented despite the operator's belief that --auth is enforced.

AML.T0049

Collection

Attacker downloads uploaded fine-tuning datasets via the unauthenticated UI and reads local base model file paths exposed through the model-load interface, enumerating the host filesystem.

AML.T0035

Training Manipulation

Attacker uploads a backdoor-injected dataset replacement and triggers a new training run, causing the victim's GPU to produce a compromised fine-tuned model without the operator's awareness.

AML.T0020

Impact / Propagation

Attacker invokes HuggingFace Hub push to publish the poisoned model under the victim's identity, extending supply-chain compromise to downstream consumers, or saturates disk storage via multi-run orchestration.

AML.T0058

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
@mcptoolshop/backpropagate	—	—	No patch
backpropagate	—	—	No patch

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

6 steps

Upgrade to backpropagate v1.2.0 — the release introduces functional authentication middleware in the Reflex backend.
Until patched, block the Reflex UI port (default 3000/tcp) at the host firewall or network perimeter. Never use --share on untrusted or shared networks.
Rotate any HuggingFace Hub tokens stored on hosts that ran 1.1.0 or 1.1.1 with the UI active.
Audit HuggingFace Hub for unexpected model pushes from your account.
Inspect training job logs and disk usage for runs not initiated by your team.
If using the @mcptoolshop/backpropagate MCP package, remove or sandbox the tool from any agent that does not require it, and verify agent tool allowlists.

How is it classified?

Auth Bypass Data Extraction DoS Training Data Model Framework AML.T0020 - Poison Training Data AML.T0025 - Exfiltration via Cyber Means AML.T0029 - Denial of AI Service AML.T0035 - AI Artifact Collection AML.T0049 - Exploit Public-Facing Application AML.T0058 - Publish Poisoned Models

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.4 - Information security controls for AI systems

NIST AI RMF

MANAGE-2.2 - Mechanisms exist to sustain value of deployed AI systems

OWASP LLM Top 10

LLM04:2025 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-48797?

The backpropagate Python library for single-GPU LLM fine-tuning ships a Reflex web UI whose documented --auth flag is entirely non-functional: the CLI prints 'Auth: enabled' to the terminal, but the backend never reads the exported environment variable and registers no authentication middleware — meaning any client that reaches the port has unconditional full access to dataset upload, model loading, training orchestration, GGUF export, and HuggingFace Hub push. The deception is the most dangerous aspect: operators receive affirmative confirmation that security controls are active when they are not, extending the exposure window indefinitely. There is no EPSS score yet (CVE published 2026-06-16) and no active exploitation on record, but sophistication required is zero — a browser or curl is sufficient, and internet exposure is one --share flag away. Upgrade to v1.2.0 immediately; until patched, firewall the Reflex UI port and revoke any HuggingFace tokens used on affected hosts.

Is CVE-2026-48797 actively exploited?

No confirmed active exploitation of CVE-2026-48797 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-48797?

1. Upgrade to backpropagate v1.2.0 — the release introduces functional authentication middleware in the Reflex backend. 2. Until patched, block the Reflex UI port (default 3000/tcp) at the host firewall or network perimeter. Never use --share on untrusted or shared networks. 3. Rotate any HuggingFace Hub tokens stored on hosts that ran 1.1.0 or 1.1.1 with the UI active. 4. Audit HuggingFace Hub for unexpected model pushes from your account. 5. Inspect training job logs and disk usage for runs not initiated by your team. 6. If using the @mcptoolshop/backpropagate MCP package, remove or sandbox the tool from any agent that does not require it, and verify agent tool allowlists.

What systems are affected by CVE-2026-48797?

This vulnerability affects the following AI/ML architecture patterns: LLM fine-tuning pipelines, Single-GPU local training environments, HuggingFace Hub model publishing workflows, AI agent frameworks using MCP training tools, Multi-run training orchestration systems.

What is the CVSS score for CVE-2026-48797?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM fine-tuning pipelinesSingle-GPU local training environmentsHuggingFace Hub model publishing workflowsAI agent frameworks using MCP training toolsMulti-run training orchestration systems

MITRE ATLAS Techniques

AML.T0020 Poison Training Data

AML.T0025 Exfiltration via Cyber Means

AML.T0029 Denial of AI Service

AML.T0035 AI Artifact Collection

AML.T0049 Exploit Public-Facing Application

AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.2.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM04:2025

What are the technical details?

Original Advisory

Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: --auth user:pass — documented as "require HTTP Basic authentication on every request to the UI." and--share — documented as "expose the UI on a public address; requires --auth." When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend. The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether --share is used — has full UI access. An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced. An attacker who reaches the bound port can read uploaded datasets, trigger arbitrary training runs against any local base models as well as read their paths, trigger HuggingFace Hub pushes and cause disk-fill DoS. This issue has been fixed in version 1.2.0.

Exploitation Scenario

A researcher runs backpropagate 1.1.1 with --share --auth researcher:secret to allow a remote collaborator to monitor training. The CLI prints 'Auth: enabled (user: researcher)', the researcher trusts the output, and shares the public URL. An attacker scanning for Reflex UI fingerprints on common ports discovers the endpoint, connects without credentials, and is presented the full training dashboard. The attacker downloads the uploaded fine-tuning dataset (containing proprietary code or customer data), reads the model directory listing to enumerate the host filesystem, uploads a backdoor-injected dataset variant and triggers a new training run, and finally invokes the HuggingFace Hub push button to publish the poisoned model under the researcher's identity — causing anyone who pulls that model checkpoint to receive a backdoored artifact.

Weaknesses (CWE)

CWE-1295 Debug Messages Revealing Unnecessary Information CWE-358 Improperly Implemented Security Check for Standard CWE-862 Missing Authorization

CWE-1295 — Debug Messages Revealing Unnecessary Information: The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.