Critical severity · 9.8 (NVD) · Advisory · Published Jun 9, 2025 · Updated Apr 15, 2026
CVE-2025-49652
Description
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| backend.ai | PyPI | < 25.15.6 | 25.15.6 |
| backend.ai | PyPI | >= 25.16.0rc1, < 25.19.0rc1 | 25.19.0rc1 |
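Added example for operators triaging an existing deployment (my code, not Lablup's): it encodes the two affected ranges from the table above, orders release candidates before their final release so `25.16.0rc1` is affected but `25.15.6` is not, and then lists self-registered accounts that are still ACTIVE. The record fields `status` and `status_info == "user-signup"` are the ones the patched `signup()` writes; the `admin-activated` value and the sample records are constructed assumptions.

```python
"""Triage helper for CVE-2025-49652 (constructed example, not Lablup's code)."""
import re
from typing import Iterable, Optional

def version_key(v: str) -> tuple:
    """Sort key for backend.ai versions such as 25.15.6 or 25.16.0rc1.
    The 4th element puts a final release after its release candidates."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 1 if rc is None else 0, int(rc or 0))

# Affected ranges from the advisory table: lower bound inclusive, upper exclusive.
AFFECTED_RANGES: list[tuple[Optional[str], str]] = [
    (None, "25.15.6"),            # < 25.15.6
    ("25.16.0rc1", "25.19.0rc1"),  # >= 25.16.0rc1, < 25.19.0rc1
]

def is_affected(version: str) -> bool:
    key = version_key(version)
    return any(
        (low is None or version_key(low) <= key) and key < version_key(high)
        for low, high in AFFECTED_RANGES
    )

def triage_signups(users: Iterable[dict], manager_version: str) -> list[str]:
    """Emails of accounts created through self-signup that are ACTIVE.
    On an affected manager version signup() defaulted to ACTIVE, so these
    accounts never passed through an administrator's activation step."""
    if not is_affected(manager_version):
        return []
    return [
        u["email"] for u in users
        if u.get("status_info") == "user-signup" and u.get("status") == "ACTIVE"
    ]

# Constructed sample records; "admin-activated" is an assumed status_info value.
SAMPLE_USERS = [
    {"email": "alice@example.com", "status": "ACTIVE", "status_info": "admin-activated"},
    {"email": "mallory@example.com", "status": "ACTIVE", "status_info": "user-signup"},
    {"email": "bob@example.com", "status": "INACTIVE", "status_info": "user-signup"},
]

if __name__ == "__main__":
    print(triage_signups(SAMPLE_USERS, "25.15.5"))  # ['mallory@example.com']
```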
Patches
37fc8f70f9ba feat(BA-3446): Change default signup status to inactive (#7520) (#7544)
2 files changed · +2 −1
changes/7520.feature.md+1 −0 added@@ -0,0 +1 @@ +Change default signup status to inactive preventing newly registered accounts access system resources until an administrator explicitly activates them
src/ai/backend/manager/services/auth/service.py+1 −1 modified@@ -226,7 +226,7 @@ async def signup(self, action: SignupAction) -> SignupActionResult: "need_password_change": False, "full_name": action.full_name if action.full_name is not None else "", "description": action.description if action.description is not None else "", - "status": UserStatus.ACTIVE, + "status": UserStatus.INACTIVE, "status_info": "user-signup", "role": UserRole.USER, "integration_id": None,
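Review bot: this hunk only flips the default written by signup() from UserStatus.ACTIVE to UserStatus.INACTIVE; nothing in the visible change refuses the signup itself when registration is disabled, which is the missing-authentication condition the advisory describes, so a self-registration request still creates a user row (status_info "user-signup", role UserRole.USER) and the protection now rests entirely on an administrator never activating an account they did not expect. Please either add the registration-enabled check in signup() or confirm in the PR that the caller enforces it, and say so in changes/7520.feature.md, which currently reads as a pure default-status change (also: "preventing newly registered accounts access system resources" should be "preventing newly registered accounts from accessing system resources").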
d7704f506e31 feat(BA-3446): Change default signup status to inactive (#7520) (#7545)
2 files changed · +2 −1
changes/7520.feature.md+1 −0 added@@ -0,0 +1 @@ +Change default signup status to inactive preventing newly registered accounts access system resources until an administrator explicitly activates them
src/ai/backend/manager/services/auth/service.py+1 −1 modified@@ -228,7 +228,7 @@ async def signup(self, action: SignupAction) -> SignupActionResult: "need_password_change": False, "full_name": action.full_name if action.full_name is not None else "", "description": action.description if action.description is not None else "", - "status": UserStatus.ACTIVE, + "status": UserStatus.INACTIVE, "status_info": "user-signup", "role": UserRole.USER, "integration_id": None,
b6d3ddd9e285 feat(BA-3446): Change default signup status to inactive (#7520)
2 files changed · +2 −1
changes/7520.feature.md+1 −0 added@@ -0,0 +1 @@ +Change default signup status to inactive preventing newly registered accounts access system resources until an administrator explicitly activates them
src/ai/backend/manager/services/auth/service.py+1 −1 modified@@ -221,7 +221,7 @@ async def signup(self, action: SignupAction) -> SignupActionResult: "need_password_change": False, "full_name": action.full_name if action.full_name is not None else "", "description": action.description if action.description is not None else "", - "status": UserStatus.ACTIVE, + "status": UserStatus.INACTIVE, "status_info": "user-signup", "role": UserRole.USER, "integration_id": None,
References
- github.com/advisories/GHSA-ww28-4m4v-cq4j (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-49652 (GHSA, advisory)
- github.com/lablup/backend.ai/commit/37fc8f70f9bad2dd01fe2e288f9006e96f9914ed (GHSA, web)
- github.com/lablup/backend.ai/commit/b6d3ddd9e285a7ce59722a37585b9298681eb82f (GHSA, web)
- github.com/lablup/backend.ai/commit/d7704f506e319acff205d91bfca6e2ca92939983 (GHSA, web)
- hiddenlayer.com/sai_security_advisor/2025-05-backendai-49653 (GHSA, web)
- hiddenlayer.com/sai_security_advisor/2025-06-backendai (GHSA, web)
- hiddenlayer.com/sai_security_advisor/2025-06-backendai/ (NVD)