CVE-2025-49652
CRITICAL 9.8 | EPSS 0.23%
BackendAI Missing Authentication for Critical Function
Published: 6/9/2025 | Modified: 2/3/2026
Description
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.
Affected packages (1)
- PyPI/backend-ai from 0, < 25.15.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-49652
- PATCH https://github.com/lablup/backend.ai
- WEB https://github.com/lablup/backend.ai/commit/37fc8f70f9bad2dd01fe2e288f9006e96f9914ed
- WEB https://github.com/lablup/backend.ai/commit/b6d3ddd9e285a7ce59722a37585b9298681eb82f
- WEB https://github.com/lablup/backend.ai/commit/d7704f506e319acff205d91bfca6e2ca92939983
- WEB https://hiddenlayer.com/sai_security_advisor/2025-05-backendai-49653
- WEB https://hiddenlayer.com/sai_security_advisor/2025-06-backendai