Description
Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.
Published: 2026-03-27
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Brute Force Credential Compromise
Action: Immediate Patch
AI Analysis

Impact

In FLIP 0.1.1 and earlier the login page applies no limit on failed authentication attempts and presents no CAPTCHA, so an attacker can submit guesses as fast as the server answers them: a wordlist against one account (brute force) or leaked username/password pairs against many accounts (credential stuffing). Because FLIP's users belong to external healthcare institutions, a password reused from a site breached elsewhere is more likely to work here, and a compromised account can expose sensitive data or serve as a foothold for further activity in the federated learning environment. The weakness is CWE‑307, Improper Restriction of Excessive Authentication Attempts.
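The pattern above, as an added example that is not FLIP's own code: a login handler that verifies every attempt no matter how many preceded it (the CWE‑307 shape), beside a hardened handler that keeps a sliding window of failures per username and per source IP and refuses further attempts once either limit is reached. The user store, the password hashing, the limits and the IP addresses are constructed for the example; it is framework-free so it runs offline.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed user store for the example: username -> salted SHA-256 digest.
# (Illustrative only; a real deployment should use argon2id or bcrypt.)
_SALT = b"constructed-example-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse battery staple").hexdigest()}


def check_password(username, password):
    """Verify a password against the toy store; compare_digest keeps the
    comparison constant-time so a wrong user and a wrong password look alike."""
    stored = USERS.get(username.lower())
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)


def vulnerable_login(username, password, src_ip, now=None):
    """The CWE-307 pattern: every attempt is verified, however many preceded it,
    so a wordlist can be replayed as fast as the server answers."""
    return "ok" if check_password(username, password) else "bad_credentials"


class SlidingWindowLimiter:
    """Counts failures per key inside a window of `window` seconds.
    `now` is passed in explicitly so the behaviour is deterministic."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def _live(self, key, now):
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # drop failures older than the window
            q.popleft()
        return q

    def is_blocked(self, key, now):
        return len(self._live(key, now)) >= self.limit

    def record_failure(self, key, now):
        self._live(key, now).append(now)


class HardenedLogin:
    """Two independent limits: per username (stops brute force or spraying on one
    account) and per source IP (stops one host stuffing many accounts). Both are
    checked before password verification, so blocked requests cost no hashing."""

    def __init__(self, user_limit=5, ip_limit=20, window=300):
        self.by_user = SlidingWindowLimiter(user_limit, window)
        self.by_ip = SlidingWindowLimiter(ip_limit, window)

    def login(self, username, password, src_ip, now=None):
        now = time.monotonic() if now is None else now
        user_key = username.lower()
        if self.by_user.is_blocked(user_key, now) or self.by_ip.is_blocked(src_ip, now):
            return "rate_limited"  # HTTP 429; identical whether or not the user exists
        if check_password(username, password):
            return "ok"
        self.by_user.record_failure(user_key, now)
        self.by_ip.record_failure(src_ip, now)
        return "bad_credentials"


def simulate_attack(login_fn, username, wordlist, src_ip, start=1000.0, interval=0.1):
    """Replay a wordlist against a login function at `interval` seconds per guess
    and tally the outcomes, e.g. {'bad_credentials': 5, 'rate_limited': 16}."""
    outcomes = defaultdict(int)
    for i, guess in enumerate(wordlist):
        outcomes[login_fn(username, guess, src_ip, now=start + i * interval)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    guesses = ["password%d" % i for i in range(20)] + ["correct horse battery staple"]
    print("no limit :", simulate_attack(vulnerable_login, "alice", guesses, "203.0.113.7"))
    print("hardened :", simulate_attack(HardenedLogin().login, "alice", guesses, "203.0.113.7"))
```

Against the vulnerable handler the 21-word list is checked in full and the last guess succeeds; against the hardened handler the sixth and every later attempt, including the correct one, is answered with `rate_limited`, and the account becomes usable again only once the window has drained. A per-username limit can itself be turned against a victim (an attacker deliberately exhausting someone else's allowance), which is why the window is short and the response is a temporary 429 rather than a permanent lock; escalating to a CAPTCHA or an MFA step-up, as the recommendations on this page suggest, is the better next line of defence.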

Affected Systems

The platform affected is the Federated Learning and Interoperability Platform (FLIP) from londonaicentre, specifically releases 0.1.1 and all earlier versions.

Risk and Exploitability

The assigner's CVSS 4.0 base score of 2.7 (exploit maturity E:U, unreported) rates the issue Low, and the EPSS score under 1% suggests the likelihood of exploitation is presently low; the entry is not in CISA KEV, so no active exploitation has been confirmed. Note, however, that the NVD analysis recorded on 8 April 2026 scores the same issue 9.8 under CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, High impact on confidentiality, integrity and availability), so the headline 2.7 understates what a successful login grants. Attackers reach the weakness through the public login page by submitting credentials repeatedly; nothing on the server side slows them down, locks the account or challenges the client. Success still depends on a target account having a guessable or previously leaked password, but the absence of lock‑out or rate limiting removes the main cost of finding one, and the SSVC assessment marks the attack as automatable.
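Until a fix exists, the realistic control is to notice the attack in the web tier logs. The following detector is an added example, not part of this advisory or of FLIP: it parses combined-format access log lines (constructed here) and raises two kinds of alert, a single source exceeding a failure threshold, and the distributed credential-stuffing shape that per-IP thresholds miss (many sources, a handful of failures each, but a spike in total failures on the endpoint). The login path `/login` and the status codes treated as failed logins (401, 403) are assumptions; substitute FLIP's real route and responses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as nginx/Apache write it; fields beyond the status are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login"          # assumption; FLIP's real login route is not on the page
FAILED = (401, 403)            # assumption: statuses the app returns for a rejected login


def parse_line(line):
    """Return the fields this detector needs, or None for lines it does not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def failed_logins(lines):
    """Yield only failed POSTs to the login path, in log order."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == LOGIN_PATH and ev["status"] in FAILED:
            yield ev


def detect_bruteforce(lines, threshold=10, window_s=60):
    """Single-source pattern: one IP exceeding `threshold` failures in `window_s`.
    One alert per IP, raised the moment it crosses the threshold."""
    windows, alerted, alerts = defaultdict(deque), set(), []
    for ev in failed_logins(lines):
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def detect_distributed(lines, min_failures=20, min_sources=10, window_s=60):
    """Credential-stuffing pattern: total failures on the endpoint spike while no
    single source is noisy enough to trip the per-IP threshold."""
    q = deque()
    for ev in failed_logins(lines):
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        sources = {e["ip"] for e in q}
        if len(q) >= min_failures and len(sources) >= min_sources:
            return [{"failures": len(q), "sources": len(sources),
                     "first": q[0]["ts"], "last": ev["ts"]}]
    return []


def build_sample_log():
    """Constructed log: one legitimate login, one noisy brute-forcer (12 failures
    in 33 s), and fifteen hosts trying two leaked pairs each (the distributed case)."""
    t0 = datetime(2026, 3, 27, 21, 0, 0, tzinfo=timezone.utc)
    events = [(t0, "198.51.100.5", "GET", LOGIN_PATH, 200),
              (t0 + timedelta(seconds=8), "198.51.100.5", "POST", LOGIN_PATH, 302)]
    events += [(t0 + timedelta(seconds=20 + 3 * i), "203.0.113.7", "POST", LOGIN_PATH, 401)
               for i in range(12)]
    events += [(t0 + timedelta(seconds=120 + 2 * n + 30 * k), "192.0.2.%d" % (10 + n),
                "POST", LOGIN_PATH, 401) for n in range(15) for k in range(2)]
    events.sort(key=lambda e: e[0])
    return ['%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"'
            % (ip, ts.strftime(TS_FMT), method, path, status)
            for ts, ip, method, path, status in events]


if __name__ == "__main__":
    log = build_sample_log()
    print("brute force :", detect_bruteforce(log))
    print("distributed :", detect_distributed(log))
```

On the constructed log the per-IP detector fires once, for 203.0.113.7 at its tenth failure, and stays silent on the fifteen stuffing hosts (two failures each); the endpoint-wide detector catches those instead, at the twentieth failure across fifteen distinct sources. Thresholds are deliberately low for a platform whose user base is a small number of partner institutions; tune them against a baseline of normal failed-login volume before alerting on them.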

Generated by OpenCVE AI on April 8, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑proposed patch as soon as it becomes available
  • If a patch is unavailable, configure a reverse proxy or web‑application firewall to enforce rate limiting on POST requests to the login endpoint
  • Add a CAPTCHA or other bot‑deterrent mechanism to the login form
  • Enforce strong, unique passwords and consider implementing multi‑factor authentication
  • Disable or restrict external access to the login page if the platform does not require it
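A reverse-proxy rate limit of the kind the second recommendation describes, written for nginx as an added example (this is not configuration shipped with FLIP). The upstream name `flip_backend`, its address and the login path `/login` are assumptions to be replaced with the real deployment values. The `map` yields an empty key for anything that is not a POST, and nginx does not count requests with an empty key, so loading the login form is unaffected while credential submissions are limited to five per minute per client address.

```nginx
# Added example, not FLIP project configuration.
# Count only POSTs to the login location, keyed on the client address;
# a request whose key is empty is not accounted against the zone.
map $request_method $flip_login_key {
    default "";
    POST    $binary_remote_addr;
}
limit_req_zone $flip_login_key zone=flip_login:10m rate=5r/m;

upstream flip_backend {
    server 127.0.0.1:8000;      # assumption: where the FLIP app listens
}

server {
    listen 443 ssl;
    server_name flip.example.org;   # assumption
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Credential submissions: a small burst absorbs typos, anything beyond it gets 429.
    location = /login {
        limit_req zone=flip_login burst=5 nodelay;
        limit_req_status 429;
        limit_req_log_level warn;   # rejected attempts land in the error log for detection
        proxy_pass http://flip_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://flip_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats. If another proxy or load balancer sits in front of nginx, `$binary_remote_addr` will be that proxy's address and every user shares one bucket; use the real-IP module to restore the client address first. And an address-keyed limit is blind to credential stuffing spread over many source addresses, so it complements rather than replaces a per-account limit and CAPTCHA or MFA in the application itself.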



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 15:00:00 +0000

Values added:
  • First Time appeared: Aicentre; Aicentre Federated Learning And Interoperability Platform
  • CPEs: cpe:2.3:a:aicentre:federated_learning_and_interoperability_platform:*:*:*:*:*:*:*:*
  • Vendors & Products: Aicentre; Aicentre Federated Learning And Interoperability Platform
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 30 Mar 2026 16:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Values added:
  • First Time appeared: Londonaicentre; Londonaicentre flip
  • Vendors & Products: Londonaicentre; Londonaicentre flip

Fri, 27 Mar 2026 20:45:00 +0000

Values added:
  • Description: Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.
  • Title: FLIP doesn't have rate limiting or brute-force protection on login
  • Weaknesses: CWE-307
  • References:
  • Metrics: cvssV4_0 {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Aicentre Federated Learning And Interoperability Platform
Londonaicentre Flip
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T15:36:42.454Z

Reserved: 2026-03-24T15:10:05.680Z

Link: CVE-2026-33879

Vulnrichment

Updated: 2026-03-30T15:36:37.935Z

NVD

Status : Analyzed

Published: 2026-03-27T21:17:24.537

Modified: 2026-04-08T14:49:00.883

Link: CVE-2026-33879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:03Z

Weaknesses