CVE-2025-49652 | THREATINT

Description

Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.

PUBLISHED Reserved 2025-06-09 | Published 2025-06-09 | Updated 2025-06-11 | Assigner HiddenLayer

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status

unaffected

affected

Credits

Esteban Tonglet finder

References

hiddenlayer.com/sai_security_advisor/2025-06-backendai/

cve.org (CVE-2025-49652)

nvd.nist.gov (CVE-2025-49652)

Download JSON