CVE-2025-49652
BackendAI Missing Authentication for Critical Function
CVSS 3.1: 9.8 (CRITICAL)
EPSS: 0.23%
Description
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.
How to fix CVE-2025-49652
To remediate CVE-2025-49652, upgrade the affected package to the fixed version listed below.
- PyPI/backend-ai: upgrade to 25.15.6 or later
Is CVE-2025-49652 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- PyPI/backend-ai: from 0, < 25.15.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |