How CVE-2026-48797 Works
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI (installed via `pip install backpropagate` and launched with <code>backprop ui</code>) exposes a training control plane with features such as dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push.
The CLI accepts two flags intended as security controls:
- `--auth user:pass` — documented as "require HTTP Basic authentication on every request to the UI."
- `--share` — documented as "expose the UI on a public address; requires --auth."
When `--auth user:pass` is passed, the CLI prints `Auth: enabled (user: <username>)` to confirm authentication is active, then exports `BACKPROPAGATE_UI_AUTH=user:pass` to the subprocess that launches the Reflex backend.
The critical flaw: The Reflex backend (<code>backpropagate/ui_app/</code>) never reads <code>BACKPROPAGATE_UI_AUTH</code>. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether `--share` is used — has full UI access.
An inline comment at `backpropagate/cli.py:1217-1218` in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet". This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced.
<h2 style="color: blue;">An attacker who reaches the bound port can:</h2>
<ul>
<li>Read uploaded datasets rendered in the UI preview, including content of any JSONL/CSV/TXT file the operator has uploaded.</li>
<li>Trigger arbitrary training runs against any base model the operator has installed locally or that can be downloaded from HuggingFace.</li>
<li>Trigger HuggingFace Hub pushes to repositories named via the UI input (subject to the operator's local HF token's scope).</li>
<li>Cause disk-fill DoS via the `rx.upload` endpoint (no size cap, no extension filter, no per-session count cap in v1.1.0/v1.1.1).</li>
<li>Supply arbitrary values for the path fields (<code>source_model_path</code>, <code>dataset_path</code>, <code>model</code>, <code>uploaded_path</code>). These are user-controlled and never pass through the `safe_path()` helper, so path validation is dead code on the Reflex surface in v1.1.0/v1.1.1.</li>
</ul>
The combination of unauthenticated training control, HF push target spoofing, and path-input traversal makes the exposed UI usable for both data exfiltration and supply-chain attacks.
The local-only default (no <code>--share</code>) limits exposure to attackers who can already reach 127.0.0.1 on the host. The `--share` flag is documented as a "public URL" feature; operators who used `--share --auth user:pass` had no warning that the auth half was inert.
Patches were released in v1.2.0 (2026-05-23), implementing real ASGI middleware via `rx.App(api_transformer=basic_auth_transformer)` that gates HTTP routes and the `/_event` WebSocket upgrade, alongside four further defense-in-depth layers.
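The gap described above, and the shape of the v1.2.0 fix, as an added example that is not Backpropagate's own code: a pure ASGI guard that actually consumes `BACKPROPAGATE_UI_AUTH` and refuses both unauthenticated HTTP requests and the WebSocket upgrade the event stream rides on. The inner `_ui_backend`, the `probe()` driver, the realm string, the port and the credentials are constructed stand-ins, and `basic_auth_transformer` here only borrows the name the advisory mentions; it is not the project's implementation.

```python
import asyncio
import base64
import hmac
import os

# Added example, not Backpropagate's own code: an ASGI guard that actually
# consumes BACKPROPAGATE_UI_AUTH (v1.1.x exported it and then ignored it) and
# gates both plain HTTP and the WebSocket upgrade Reflex uses for /_event.

REALM = "backprop ui"  # assumed realm string, not taken from the project


def parse_auth_env(value):
    """Split the CLI's 'user:pass' export; None means no auth was configured."""
    if not value or ":" not in value:
        return None
    user, _, password = value.partition(":")
    return user, password


def check_basic_header(header_value, expected):
    """True iff header is 'Basic <base64(user:pass)>' and matches expected."""
    if not header_value:
        return False
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    exp_user, exp_pass = expected
    # Compare both halves unconditionally so a wrong username is not
    # distinguishable from a wrong password by timing.
    ok_user = hmac.compare_digest(user.encode(), exp_user.encode())
    ok_pass = hmac.compare_digest(password.encode(), exp_pass.encode())
    return ok_user and ok_pass


def basic_auth_transformer(app, credentials=None):
    """Wrap an ASGI app; credentials default to what the CLI exported."""
    expected = credentials or parse_auth_env(os.environ.get("BACKPROPAGATE_UI_AUTH"))

    async def guarded(scope, receive, send):
        if expected is None or scope["type"] not in ("http", "websocket"):
            await app(scope, receive, send)
            return
        headers = {k.lower(): v for k, v in scope.get("headers", [])}
        auth = headers.get(b"authorization", b"").decode("latin-1")
        if check_basic_header(auth, expected):
            await app(scope, receive, send)
            return
        if scope["type"] == "http":
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"www-authenticate", f'Basic realm="{REALM}"'.encode()),
                                    (b"content-length", b"0")]})
            await send({"type": "http.response.body", "body": b""})
        else:
            # Refuse the upgrade before accept(): no event stream is ever opened.
            await send({"type": "websocket.close", "code": 1008})

    return guarded


async def _ui_backend(scope, receive, send):
    """Stand-in for the Reflex backend: accepts everyone, as v1.1.x did."""
    if scope["type"] == "http":
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"training control plane"})
    else:
        await send({"type": "websocket.accept"})


def basic(user, password):
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def probe(app, scope_type, authorization=None):
    """Drive one request through app and report what a client would observe."""
    headers = [(b"host", b"localhost:7860")]  # port assumed from the advisory
    if authorization is not None:
        headers.append((b"authorization", authorization.encode()))
    path = "/_event" if scope_type == "websocket" else "/"
    scope = {"type": scope_type, "path": path, "headers": headers}
    sent = []

    async def receive():
        if scope_type == "websocket":
            return {"type": "websocket.connect"}
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    first = sent[0]
    if first["type"] == "http.response.start":
        return first["status"]
    if first["type"] == "websocket.accept":
        return "accepted"
    return f"closed:{first['code']}"


if __name__ == "__main__":
    creds = ("operator", "hunter2")  # constructed credentials
    fixed = basic_auth_transformer(_ui_backend, creds)
    print(probe(_ui_backend, "http"))              # 200: v1.1.x, anyone who reaches the port
    print(probe(fixed, "http"))                    # 401
    print(probe(fixed, "http", basic(*creds)))     # 200
    print(probe(fixed, "websocket"))               # closed:1008: /_event is gated too
```

The point the example makes is the one the advisory makes: a guard that only wraps HTTP routes leaves the `/_event` WebSocket open, and every state mutation the UI performs (upload, load, train, push) travels over that socket, so the upgrade must be refused before `accept()`.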
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Backpropagate
Version: 1.1.0, 1.1.1
Vulnerability: Auth Bypass
Severity: Critical
Date: 2026-05-22
<h2 style="color: blue;">Prediction: Already Patched (1.2.0)</h2>
<h2 style="color: blue;">What Undercode Says:</h2>
<h2 style="color: blue;">Analytics & Detection Commands</h2>
Check whether the Reflex UI is exposed without authentication. Start the UI with `--auth user:pass` first: the status code only tells you something when auth was requested, since a deployment started without `--auth` is expected to answer 200.

```bash
# Check if BACKPROPAGATE_UI_AUTH is set but not enforced
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:7860/
# 200 with no credentials supplied means the --auth flag is inert (an enforced deployment answers 401)

# Check for the vulnerable version
pip show backpropagate | grep Version
# Version: 1.1.0 or 1.1.1 -> VULNERABLE

# Check if --share was used (audit running processes); "--" stops grep from parsing --share as an option
ps aux | grep "backprop ui" | grep -- "--share"

# Check for the internal comment that confirms the gap
grep -n "For Phase 1 the variable is exported but Reflex doesn't read it yet" \
  "$(python -c "import backpropagate, os; print(os.path.dirname(backpropagate.__file__))")/cli.py"
```

Verify the fix (v1.2.0):

```bash
# After upgrade, authentication should be enforced
curl -s -o /dev/null -w "%{http_code}\n" http://localhost:7860/
# Should return 401 Unauthorized
```
Exploit:
An attacker with network access to the bound port can:
1. Access the UI directly: open `http://<bound-host>:<port>/` in a browser; no credentials are requested, whether or not `--auth` was passed.
2. Read uploaded datasets: open the dataset preview in the UI to view the content of any JSONL/CSV/TXT file the operator has uploaded.
3. Trigger arbitrary training runs: launch training from the UI against any local or HuggingFace model.
4. Push tampered models to HuggingFace Hub: use the UI's HF push feature to upload malicious weights under the operator's HF account (within the scope of the operator's local HF token).
5. Cause disk-fill DoS: repeatedly upload large files via the `rx.upload` endpoint (no size cap, no extension filter, no per-session count cap).
6. Read sensitive paths: supply crafted `source_model_path`, `dataset_path`, `model`, or `uploaded_path` values; they never pass through `safe_path()`, so they can traverse the filesystem.
Example path traversal. If the UI exposes model path inputs, an attacker could attempt the following (the route name is illustrative; on a Reflex app the state fields are set through the `/_event` WebSocket event stream rather than a named REST route, but the payload shape is the same):
```http
POST /api/upload_model
{"model_path": "../../../etc/passwd"}
```
(path validation is dead code in v1.1.0/v1.1.1)
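The path handling in item 6, as an added example that is not Backpropagate's own code: a generic `safe_path()` confinement check (an assumption; the project's helper of that name may differ in detail) next to an unguarded handler shaped like the v1.1.x surface the advisory describes, where the client string reaches the filesystem untouched. The upload root, the files, the symlink and the `load_dataset_*` handler names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Added example, not Backpropagate's own code. The advisory says the Reflex
# handlers take source_model_path / dataset_path / model / uploaded_path straight
# from the client and that safe_path() is never called on that surface. The
# helper below is a generic confinement check (an assumption, not the project's
# implementation); both handler shapes are shown side by side.


class PathEscape(ValueError):
    """Raised when a client-supplied path would resolve outside the allowed root."""


def safe_path(root, user_supplied):
    """Resolve user_supplied under root and refuse anything that escapes it.

    Resolution follows symlinks, so a link inside root that points at /etc is
    rejected as well as plain '../' traversal and absolute paths.
    """
    root = Path(root).resolve()
    candidate = (root / user_supplied).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathEscape(f"{user_supplied!r} resolves to {candidate}, outside {root}") from None
    return candidate


def load_dataset_unguarded(root, dataset_path):
    """v1.1.x shape: the client string is joined and read directly."""
    return Path(root, dataset_path).read_text()


def load_dataset_guarded(root, dataset_path):
    """Fixed shape: every client-supplied path goes through safe_path() first."""
    return safe_path(root, dataset_path).read_text()


def demo():
    """Build a scratch upload root, run both handlers, return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a secret outside the upload root
        # (think ~/.cache/huggingface/token or /etc/passwd).
        outside = Path(tmp, "secret.txt")
        outside.write_text("HF_TOKEN=hf_constructed_example\n")
        root = Path(tmp, "uploads")
        root.mkdir()
        Path(root, "train.jsonl").write_text('{"text": "hello"}\n')
        os.symlink(outside, root / "link.jsonl")  # attacker-planted link inside root

        results["legit_unguarded"] = load_dataset_unguarded(root, "train.jsonl")
        results["traversal_unguarded"] = load_dataset_unguarded(root, "../secret.txt")
        results["symlink_unguarded"] = load_dataset_unguarded(root, "link.jsonl")

        results["legit_guarded"] = load_dataset_guarded(root, "train.jsonl")
        attempts = (("traversal", "../secret.txt"),
                    ("symlink", "link.jsonl"),
                    ("absolute", str(outside)))
        for name, supplied in attempts:
            try:
                load_dataset_guarded(root, supplied)
                results[f"{name}_guarded"] = "READ"
            except PathEscape:
                results[f"{name}_guarded"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value!r}")
```

Checking `relative_to` on the fully resolved candidate, rather than rejecting the literal string `..`, is what catches the symlink and absolute-path cases; a pattern filter on the input would pass `link.jsonl` straight through.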
Protection:
Immediate (if you cannot upgrade):
- Do not rely on `--auth`, and do not pass `--share`, when running `backprop ui`. Run it with no flags; it then binds to localhost and accepts only clients that can reach 127.0.0.1.
- For remote access, use SSH port forwarding instead of `--share`:

```bash
# On the client
ssh -L 7860:localhost:7860 <training-host>

# On the server: no --share
backprop ui

# Then open http://localhost:7860 in your local browser
```

- Audit existing deployments. If any host running `backpropagate >= 1.1.0` has ever been launched with `--share`, treat any uploaded training data, model paths, or HF push targets as potentially exposed, and re-issue the HF tokens used during such sessions.
Permanent fix:
- Upgrade to v1.2.0 (released 2026-05-23):

```bash
pip install --upgrade backpropagate
npm install -g @mcptoolshop/backpropagate@latest
```

- Binary distribution gap: standalone binaries (Windows .exe / macOS .app) failed to build for v1.2.0 and will land in a follow-up patch release. Users who relied on v1.1.x binaries should install via pip:

```bash
pip install backpropagate==1.2.0
```
Impact:
| Impact Area | Description |
|-|-|
| Data Exfiltration | Attackers can read uploaded datasets (JSONL/CSV/TXT) and model paths |
| Unauthorized Training | Arbitrary training runs can be triggered against any local or HuggingFace model |
| Supply Chain Attack | Tampered model weights can be pushed to the operator’s HuggingFace Hub account |
| Denial of Service | Disk-fill DoS via the `rx.upload` endpoint (no size cap, no extension filter, no per-session count cap) |
| Path Traversal | User-supplied paths (source_model_path, dataset_path, model, uploaded_path) bypass `safe_path()` validation |
| False Security Promise | Operators who used `--share --auth` had no warning that authentication was inert |
CVSS Score: 9.3 Critical (CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Discovered by: dogfood-swarm Stage A audit on 2026-05-22 (finding ID FRONTEND-A-001, classified CRITICAL)
Sources:
Reported By: github.com

