Skip to main content

Flip CVE-2026-33879

| EUVDEUVD-2026-16818 LOW
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-03-27 GitHub_M
2.7
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 21:15 euvd
EUVD-2026-16818
Analysis Generated
Mar 27, 2026 - 21:15 vuln.today
CVE Published
Mar 27, 2026 - 20:31 nvd
LOW 2.7

DescriptionGitHub Advisory

Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.

AnalysisAI

The FLIP login page in versions 0.1.1 and prior lacks rate limiting and CAPTCHA protection, enabling unauthenticated remote attackers to conduct brute-force and credential-stuffing attacks against user accounts. The vulnerability affects the Federated Learning and Interoperability Platform, an open-source medical imaging AI training system where users are typically external to host organizations, amplifying the risk of credential reuse. While the CVSS score is low (2.7), the attack vector is network-based, requires no authentication or interaction, and directly enables unauthorized account access with potential integrity impact.

Technical ContextAI

The vulnerability stems from inadequate input validation and missing rate-limiting controls on the authentication endpoint (CWE-307: Improper Restriction of Rendered UI Layers or Frames). FLIP is a federated learning platform designed for collaborative medical imaging AI model training across healthcare institutions. The login mechanism lacks protective mechanisms such as exponential backoff, account lockout, or CAPTCHA challenges that would slow or block repeated authentication attempts. This is a classic implementation flaw in the authentication layer where the platform prioritizes availability over brute-force resilience. The affected product is distributed as open-source software via GitHub (CPE: cpe:2.3:a:londonaicentre:flip:*:*:*:*:*:*:*:*), making the vulnerability and attack surface publicly visible to all developers and potential attackers.

RemediationAI

Implement immediate compensating controls: deploy a web application firewall or reverse proxy with rate-limiting rules (e.g., 5 failed attempts per 15 minutes per source IP, account lockout after 10 failures) and enable CAPTCHA challenges after 3 consecutive failed login attempts. Upgrade to the patched version once available-check the GitHub security advisory at https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv for release details. In the interim, consider requiring multi-factor authentication for all user accounts to reduce the impact of credential compromise, and audit login logs for suspicious authentication patterns indicating active brute-force attempts. No vendor-released patch version is independently confirmed at time of analysis; contact London AI Centre via the GitHub advisory channel for patch availability and timeline.

Share

CVE-2026-33879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy