Impact
Backpropagate’s optional Reflex web UI was designed to be protected by the CLI flags --auth and --share, but the backend does not verify the authentication token it receives via BACKPROPAGATE_UI_AUTH. As a result, any client that connects to the listening port—whether local or exposed publicly via --share—has full access to data upload, model loading, training control, GGUF export, and HuggingFace push capabilities. The flaw is a classic authentication bypass (CWE‑862, CWE‑1295, CWE‑358). An attacker who can reach the port can read uploaded datasets, launch arbitrary training jobs, trigger external model pushes, drive a disk‑fill denial of service, and potentially execute code through the training pipeline. The attack can affect confidentiality, integrity, and availability of the host and hosted models.
Affected Systems
The vulnerability exists in the backpropagate Python library versions 1.1.0 and 1.1.1. It is fixed in version 1.2.0. The affected product is produced by mcp-tool-shop-org and distributed under the aliases mcp-tool-shop-org:@mcptoolshop/backpropagate and mcp-tool-shop-org:backpropagate.
Risk and Exploitability
The CVSS score of 9.3 classifies the flaw as Critical. The EPSS score of <1% indicates low but non‑zero exploitation probability, and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is network‑based and does not require any user interaction beyond gaining network access to the bound port. If the --auth flag is supplied, the CLI announces that auth is enabled, but the backend ignores the token, so no authentication barrier exists. Thus any network host that can reach the UI port can exploit the flaw.
OpenCVE Enrichment
Github GHSA