Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Description
Backpropagate UI's --auth flag does not enforce authentication, allowing unauthenticated access to the training control plane.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In backpropagate versions 1.1.0 and 1.1.1, the optional Reflex web UI (pip install backpropagate[ui]) exposes a training control plane without authentication. The CLI accepts --auth user:pass and --share flags intended as security controls, but the Reflex backend never reads the BACKPROPAGATE_UI_AUTH environment variable. No authentication middleware or request-level guard is implemented, leaving the UI fully accessible to any client reaching the bound port. An inline comment in backpropagate/cli.py:1217-1218 acknowledges the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." [1]
Exploitation
An attacker who can reach the bound port—locally or remotely if --share is used—can access the UI without any authentication. No user interaction or special privileges are required. The attacker simply connects to the exposed endpoint and gains full control over the training interface. [1]
Impact
Successful exploitation allows an attacker to read uploaded datasets (including JSONL/CSV/TXT files), trigger arbitrary training runs against any locally installed or downloadable base models, initiate HuggingFace Hub pushes, and cause a disk-fill denial of service by repeatedly triggering training runs. [1]
Mitigation
The vulnerability is fixed in version 1.2.0, which implements real ASGI middleware with multiple authentication modes and host/origin allowlists. [2] Operators who cannot immediately upgrade should run backprop ui without --auth or --share flags (binding to localhost only) and use SSH port forwarding (ssh -L 7860:localhost:7860 ) for remote access. Any host previously launched with --share should be audited and HuggingFace tokens used during those sessions should be re-issued. [1]
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Reflex backend never reads the BACKPROPAGATE_UI_AUTH environment variable, so no authentication middleware is registered despite the CLI claiming it is enabled."
Attack vector
An attacker who can reach the bound port—either locally or remotely if `--share` is used—has full unauthenticated access to the training control plane. The CLI's `--auth user:pass` flag prints a confirmation message and exports `BACKPROPAGATE_UI_AUTH` to the subprocess, but the Reflex backend never enforces HTTP Basic authentication on any HTTP route or WebSocket upgrade. [1] The operator-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced, creating a false sense of security. [1]
Affected code
The Reflex backend (`backpropagate/ui_app/**`) never reads the `BACKPROPAGATE_UI_AUTH` environment variable that the CLI exports. No authentication middleware is registered, no request-level guard runs, and no WebSocket upgrade guard runs. An inline comment at `backpropagate/cli.py:1217-1218` in v1.1.0 documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." [1]
What the fix does
The fix in v1.2.0 implements real ASGI middleware via `rx.App(api_transformer=basic_auth_transformer)` that gates HTTP routes and the `/_event` WebSocket upgrade. [1] It introduces four authentication modes (`no_auth_local_only`, `token_auto`, `explicit_creds`, `production`), HMAC-signed cookie validation performed before `websocket.accept()`, and Host/Origin allowlists. [2] The patch also adds a 4-layer defense-in-depth across `cli.py`, `ui_app/app.py`, `rxconfig.py`, and the env-strip surface so that even direct `python -m reflex run` invocations (bypassing the CLI guard) enforce authentication. [1]
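The following is an added sketch, not the project's code, of the kind of guard the fix describes: a pure-ASGI wrapper that checks HTTP Basic credentials on HTTP requests and on the WebSocket upgrade before the inner app runs. The names `basic_auth_guard`, `inner_app`, `probe` and the `ENV` value are hypothetical, and the HMAC-signed cookies and Host/Origin allowlists of v1.2.0 are not reproduced here.

```python
import asyncio
import base64
import hmac

def basic_auth_guard(app, credentials):
    """Wrap an ASGI app so HTTP and WebSocket scopes need valid Basic credentials."""
    if not credentials or ":" not in credentials:
        raise RuntimeError("auth requested without user:pass; refusing to start")
    expected = b"Basic " + base64.b64encode(credentials.encode())

    async def guarded(scope, receive, send):
        if scope["type"] not in ("http", "websocket"):
            return await app(scope, receive, send)  # e.g. lifespan events
        supplied = dict(scope.get("headers", [])).get(b"authorization", b"")
        if hmac.compare_digest(supplied, expected):  # constant-time comparison
            return await app(scope, receive, send)
        if scope["type"] == "websocket":
            # Closing before websocket.accept refuses the upgrade itself.
            return await send({"type": "websocket.close", "code": 1008})
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"www-authenticate", b'Basic realm="ui"')]})
        await send({"type": "http.response.body", "body": b"authentication required"})
    return guarded

async def inner_app(scope, receive, send):
    """Hypothetical stand-in for the UI backend: serves whatever reaches it."""
    if scope["type"] == "websocket":
        await send({"type": "websocket.accept"})
    else:
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"training control plane"})

def probe(app, scope_type, credentials=None):
    """Send one constructed request through `app`; return its first ASGI reply."""
    headers = []
    if credentials:
        token = base64.b64encode(credentials.encode())
        headers.append((b"authorization", b"Basic " + token))
    sent = []
    async def receive():
        return {"type": "websocket.connect" if scope_type == "websocket" else "http.request"}
    async def send(message):
        sent.append(message)
    asyncio.run(app({"type": scope_type, "path": "/_event", "headers": headers}, receive, send))
    return sent[0]

ENV = {"BACKPROPAGATE_UI_AUTH": "operator:constructed-secret"}  # constructed sample value
unguarded = inner_app  # variable exported but never read: every client gets through
guarded = basic_auth_guard(inner_app, ENV.get("BACKPROPAGATE_UI_AUTH"))
```

Calling `probe(unguarded, "websocket")` and `probe(guarded, "websocket")` side by side shows the difference between exporting the variable and enforcing it.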
Preconditions
- config: The backpropagate UI must be launched with `--auth` and/or `--share` flags (or bound to a non-localhost address)
- network: The attacker must be able to reach the port the Reflex UI is bound to (localhost if no `--share`, or a public address if `--share` is used)
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mcp-tool-shop-org/backpropagate/releases/tag/v1.2.0 (mitre, x_refsource_MISC)
- github.com/mcp-tool-shop-org/backpropagate/security/advisories/GHSA-f65r-h4g3-3h9h (mitre, x_refsource_CONFIRM)