
Backpropagate UI Unauthenticated Training Control Plane Access

CVE advisory. Severity: CRITICAL (CVSS 9.3)

CVE-2026-48797

The Backpropagate library's web UI, intended for fine-tuning large language models, can expose training controls without authentication when accessible over a network. An attacker could leverage this to upload datasets, manipulate models, and trigger denial-of-service conditions, impacting data and system availability.

Halo Surface Signal score for CVE-2026-48797: 4 (external exposure likelihood)

The vulnerability exists in a web UI for training orchestration. The UI defaults to localhost, but the software provides a --share flag that is documented to expose it on a public address. The UI therefore behaves like a remote management service: public exposure is an intended, or at least easily activated, configuration for shared or distributed training workflows.

PCI scan relevance

PCI Relevance for CVE-2026-48797: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated access to sensitive training controls, data uploads, and model operations, potentially leading to unauthorized access and denial-of-service conditions that would fail a PCI scan.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves an open web interface in the Backpropagate library, which is used for fine-tuning large language models. When the interface is exposed, it allows unauthorized access to sensitive training controls and data, enabling attackers to misuse the system or disrupt training. The primary concern is to confirm whether this specific technology is in use and whether any instance has been exposed beyond the local host.

  • Unsecured training controls in a model-tuning library.
  • Affects systems with exposed web UI for model training.
  • Confirm relevance and potential exposure to sensitive data.

Attack Path

How an attacker could exploit the issue

An attacker can reach the vulnerable training control plane whenever the UI's port is reachable, either because the service was bound to a non-loopback address or because it was started with the --share flag. Once the port is reachable, no credentials are required: the attacker can interact with the web UI to upload datasets, load models from paths on the host, start or stop training, and push models to the HuggingFace Hub with whatever token the host holds. This can lead to unauthorized access to sensitive training data, code execution through the training pipeline, and denial of service.

  • Unauthenticated network access to the UI.
  • Interacting with the training control plane.
  • Data exposure, model manipulation, DoS.

Live Threat

Current exploitation, exposure, and threat context

When the optional Reflex web UI is exposed without authentication, any user reaching the bound port can access sensitive training controls. This includes uploading datasets, loading models, starting or stopping training, orchestrating multiple runs, exporting models, and pushing to HuggingFace Hub. An attacker could also trigger a disk-fill denial-of-service condition.

  • Exposed assets: uploaded datasets and local model paths.
  • Unauthenticated network access to the UI.
  • Training disruption and denial-of-service.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Backpropagate library's optional web UI exposes unauthenticated training controls whenever its port is reachable; the --share flag makes that exposure explicit, and the backend ignores any username and password supplied on the command line. The fix is to upgrade to version 1.2.0, which resolves the authentication issue. Until that is done, teams responsible for AI/ML development platforms or data science environments should inventory every Backpropagate instance, confirm whether each UI listens beyond localhost (internally or externally) or was started with --share, and identify which instances hold sensitive datasets, local model weights, or active HuggingFace tokens. Stop using --share, bind the UI to localhost and reach it over SSH port-forwarding, rotate any HuggingFace tokens that were active on exposed hosts, and coordinate with the accountable owner to remediate the most exposed or business-critical instances first.

  • Identify accountable AI/ML platform owners and inventory instances.
  • Verify UI exposure (non-loopback bind or --share) and data sensitivity.
  • Upgrade to 1.2.0; until then keep the UI on localhost behind SSH forwarding and rotate HuggingFace tokens on exposed hosts.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Backpropagate library?

Backpropagate is a Python tool designed for fine-tuning large language models on a single GPU. It includes an optional web-based user interface, powered by the Reflex framework, which acts as a control plane for managing training workflows, such as uploading datasets, starting model training, and pushing finished models to platforms like the HuggingFace Hub.

Why is CVE-2026-48797 a security concern?

This vulnerability, categorized as Missing Authorization (CWE-862) and Improper Check for Unusual or Exceptional Conditions (CWE-1295), stems from a failure to enforce authentication. Although the command-line interface accepts a username and password, and so suggests that access can be restricted, the backend never checks them. Consequently, anyone who can reach the interface gains full control of the training environment without presenting credentials.
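To make the failure mode concrete, here is an added example (the editor's illustration, not Backpropagate's code and not the Reflex framework's API) of the pattern this answer describes: a CLI that parses --username and --password, a handler that never consults them, and a hardened handler that enforces HTTP Basic authentication with a constant-time comparison and fails closed when no credentials were configured. The UiConfig type and every function name below are hypothetical.

```python
"""Added illustrative example (editor's code, not Backpropagate's): a CLI that
accepts --username/--password, a handler that never checks them (the bug
pattern described above), and a hardened handler that enforces HTTP Basic
auth. Every name below is hypothetical."""
import argparse
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class UiConfig:
    username: Optional[str] = None
    password: Optional[str] = None


def parse_cli(argv) -> UiConfig:
    # The CLI advertises credentials, which is what gives operators a false
    # sense of protection when the backend ignores them.
    parser = argparse.ArgumentParser()
    parser.add_argument("--username")
    parser.add_argument("--password")
    ns = parser.parse_args(argv)
    return UiConfig(username=ns.username, password=ns.password)


def basic_auth_header(user: str, pw: str) -> Dict[str, str]:
    # What a browser or `curl -u user:pw` sends; used to build requests here.
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return {"Authorization": "Basic " + token}


def start_training_vulnerable(headers: Dict[str, str], cfg: UiConfig) -> Tuple[int, str]:
    # BUG: cfg is accepted but never consulted, so any client that can reach
    # the port can start a run. This is the missing-authorization pattern.
    return 200, "training started"


def credentials_match(headers: Dict[str, str], cfg: UiConfig) -> bool:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, pw = raw.partition(":")
    if not sep:
        return False
    # Compare both fields in constant time, computing both before combining,
    # so a timing side channel does not reveal which one was wrong.
    user_ok = hmac.compare_digest(user.encode(), (cfg.username or "").encode())
    pw_ok = hmac.compare_digest(pw.encode(), (cfg.password or "").encode())
    return user_ok and pw_ok


def start_training_fixed(headers: Dict[str, str], cfg: UiConfig) -> Tuple[int, str]:
    # Fail closed: if the operator never configured credentials, refuse to
    # serve instead of silently running unauthenticated.
    if not cfg.username or not cfg.password:
        return 503, "credentials not configured; refusing to serve"
    if not credentials_match(headers, cfg):
        return 401, "Unauthorized"
    return 200, "training started"
```

The fail-closed branch is a design choice of this example: a control plane that accepts flags it does not enforce is worse than one that refuses to start, because operators believe they are protected. Any real fix also needs the check applied to every action (upload, load, start, stop, export, push), not only to the one shown.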

Do I need to expose the UI to trigger this bug?

The vulnerability is triggered whenever an attacker can reach the web UI's network port. If the software is launched without the --share flag, it typically binds only to the local machine, preventing remote access. However, if the service is configured to be accessible over a network, or if users rely on the --share flag, the interface becomes reachable and vulnerable to unauthorized interaction.

How do I know if my system is at risk?

According to Halo Surface Signal, this vulnerability presents a risk primarily when the web UI is configured for remote or shared access. You should be concerned if your organization uses Backpropagate in environments where the interface is accessible beyond the local host, especially if those instances are exposed to broader network segments or the public internet.
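The exposure check that the Operational Fix section and this answer both call for, as an added example (the editor's code, not from Backpropagate or Halo): it parses the output of `ss -ltnp` and `ps -eo pid,args`, keeps only listeners owned by a process whose command line names backpropagate, and flags any that bind a non-loopback address or were started with --share. The sample outputs are constructed; port 3000, the process names and the `python -m backpropagate ui` command line are assumptions, not documented values.

```python
"""Added illustrative example (editor's code, not from Backpropagate or Halo):
given the text of `ss -ltnp` and `ps -eo pid,args`, report training UIs that
are reachable beyond localhost. The sample outputs are constructed; the port,
process names and command lines are assumptions, not documented values."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed `ss -ltnp` output: a loopback-only listener (pid 1111), a
# wildcard listener owned by a training UI (pid 4242), and sshd for contrast.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3000      0.0.0.0:*         users:(("python",pid=1111,fd=7))
LISTEN 0      128    0.0.0.0:3000        0.0.0.0:*         users:(("python",pid=4242,fd=9))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
"""

# Constructed `ps -eo pid,args` output. --share is the flag the advisory
# documents; the rest of each command line is hypothetical.
SAMPLE_PS = """\
  PID COMMAND
 1111 python -m backpropagate ui
 4242 python -m backpropagate ui --share
  900 sshd: /usr/sbin/sshd -D
"""

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")
WILDCARD = ("0.0.0.0", "*", "[::]", "::")


@dataclass
class Finding:
    pid: int
    local: str
    reason: str


def parse_ss(text: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (local_address, port, pid) for each LISTEN line of `ss -ltnp`."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        m = re.search(r"pid=(\d+)", line)
        pid = int(m.group(1)) if m else -1  # -1 when ss could not read the owner
        yield addr, int(port), pid


def parse_ps(text: str) -> Dict[int, str]:
    """Map pid -> command line from `ps -eo pid,args` output."""
    cmds: Dict[int, str] = {}
    for line in text.splitlines()[1:]:
        pid, _, args = line.strip().partition(" ")
        if pid.isdigit():
            cmds[int(pid)] = args
    return cmds


def find_exposed(ss_text: str, ps_text: str, marker: str = "backpropagate") -> List[Finding]:
    """Flag training-UI listeners bound off loopback or started with --share."""
    cmds = parse_ps(ps_text)
    findings: List[Finding] = []
    for addr, port, pid in parse_ss(ss_text):
        cmd = cmds.get(pid, "")
        if marker not in cmd:
            continue  # only the training UI processes are of interest
        where = f"{addr}:{port}"
        if addr in WILDCARD or not addr.startswith(LOOPBACK_PREFIXES):
            findings.append(Finding(pid, where, "bound to non-loopback address"))
        if "--share" in cmd.split():
            findings.append(Finding(pid, where, "started with --share"))
    return findings


if __name__ == "__main__":
    for f in find_exposed(SAMPLE_SS, SAMPLE_PS):
        print(f"pid {f.pid} {f.local}: {f.reason}")
```

Run it as root so `ss -p` can attribute sockets to other users' processes, feeding the live command output through subprocess in place of the constructed samples. A hit on either reason means the host belongs on the list of instances whose HuggingFace tokens should be rotated and whose uploaded datasets should be reviewed.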

What should I do if I use Backpropagate?

The most effective solution is to upgrade to version 1.2.0, which resolves the authentication issue. If you cannot update immediately, stop using the --share flag, which exposes the interface. Instead, bind the service to localhost and use secure methods like SSH port-forwarding to access the UI remotely. Additionally, check any hosts previously exposed via --share and rotate any HuggingFace tokens that were active.
