CVE-2025-49652 – backend-ai
Package
Manager: pip
Name: backend-ai
Vulnerable Version: =1.0.0 || =1.0.1 || =1.0.2 || =1.1.0 || =1.2.0 || =1.3.0 || =1.4.0 || =18.12.0 || =19.3.0 || =19.3.0a1 || =19.9.0 || =20.3.0 || =20.3.1 || =20.9.0 || =20.9.0a1.dev0 || =21.3.0 || =22.3.0 || >=0 <=25.3.3
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00091 (percentile: 0.26714)
Details
BackendAI Missing Authentication for Critical Function
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.
Metadata
Created: 2025-06-09T18:32:17Z
Modified: 2025-06-11T18:12:18.325637Z
Source: https://osv-vulnerabilities
CWE IDs: ["CWE-306"]
Alternative ID: N/A
Finding: F006
Auto approve: 1