CVE-2025-49652 – backend.ai
Package
Manager: pip
Name: backend.ai
Vulnerable Version: >=0 <=25.3.3
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00091 (percentile: 0.26714)
Details
BackendAI Missing Authentication for Critical Function
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.
Metadata
Created: 2025-06-09T18:32:17Z
Modified: 2025-06-11T17:37:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-ww28-4m4v-cq4j/GHSA-ww28-4m4v-cq4j.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-ww28-4m4v-cq4j
Finding: F006
Auto approve: 1