CVE-2025-49652

EUVD-2025-17554 | CRITICAL
2025-06-09 | 6f8de1f0-f67e-45a6-b68f-98777fdb759c | GHSA-ww28-4m4v-cq4j
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Patch Released: Mar 31, 2026 - 21:13 (nvd) - Patch available
EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd) - EUVD-2025-17554
Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
CVE Published: Jun 09, 2025 - 18:15 (nvd)

Description (NVD)

Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.

Analysis (AI)

Critical authentication bypass in the registration feature of Lablup's BackendAI: unauthenticated attackers can create arbitrary user accounts and access private data even when registration is administratively disabled. With a CVSS score of 9.8 and a network attack vector requiring no privileges or user interaction, this vulnerability poses an immediate and severe risk to BackendAI deployments whose registration endpoint is reachable. The underlying weakness is account creation without proper authentication controls (CWE-306), which can give attackers unauthorized access to sensitive computational resources and data.

Technical Context (AI)

The vulnerability exists in the user registration endpoint of Lablup's BackendAI platform, a distributed deep learning/AI infrastructure framework. The root cause is classified under CWE-306 (Missing Authentication for Critical Function), indicating that the registration feature fails to properly validate user identity before account creation. BackendAI is designed to manage access to compute resources and data through user accounts; the absence of authentication controls on the registration mechanism bypasses the intended access control model entirely. The vulnerability affects the API authentication layer, specifically where user account creation requests are processed without validating that the requester is an authorized administrator or has legitimate registration privileges. This is a failure in the critical function of account provisioning, which should be restricted to administrators or disabled entirely when not in use.

Remediation (AI)

  1. IMMEDIATE: Disable or restrict the registration endpoint at the API gateway/reverse proxy level until patching is complete.
  2. Implement network-level access controls to restrict registration endpoint access to authorized administrators only.
  3. Review account creation logs for unauthorized accounts created during the potential exposure window.
  4. Audit created accounts for suspicious activity or resource access patterns.
  5. Update to a patched BackendAI version (the patch version number is not specified in the provided data; consult Lablup security advisories at https://github.com/lablup/backend.ai or the vendor security page).
  6. Implement proper authentication middleware on all account management endpoints.
  7. Add rate limiting and account creation quotas to limit the impact of automated exploitation.
  8. Enable comprehensive logging and monitoring of all authentication and account creation events.
  9. Force a password reset for all existing accounts as a precautionary measure.
  10. Implement CAPTCHA or multi-factor verification for account creation when it is re-enabled.


CVE-2025-49652 vulnerability details – vuln.today
