Debug Messages Revealing Unnecessary Information Affecting backpropagate package, versions [1.1.0,1.2.0)


Severity

Recommended
0.0
critical

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.32% (25th percentile)

  • Snyk ID: SNYK-PYTHON-BACKPROPAGATE-17675241
  • published: 29 Jun 2026
  • disclosed: 26 Jun 2026
  • credit: Unknown

Introduced: 26 Jun 2026

CVE-2026-48797
CWE-1295
CWE-358
CWE-862

How to fix?

Upgrade backpropagate to version 1.2.0 or higher.

Overview

backpropagate is a production-ready headless LLM fine-tuning package with smart defaults, Windows support, and a modular architecture.

Affected versions of this package are vulnerable to Debug Messages Revealing Unnecessary Information in the authentication process. An attacker can gain unauthorized access to sensitive operations and data by connecting to the exposed UI endpoint without authentication. This allows reading uploaded datasets, triggering arbitrary training runs, pushing models to external repositories, causing disk exhaustion, and accessing user-supplied file paths, potentially leading to data exfiltration and supply-chain compromise.

Workaround

This vulnerability can be mitigated by not using the --auth or --share flags when launching the UI, restricting access to localhost, using SSH port-forwarding for remote access, and auditing deployments for potential exposure.
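One way to carry out the audit step of the workaround, as an added example that is not part of the advisory or of the backpropagate project: it flags backpropagate processes started with `--auth` or `--share`, or listening on a non-loopback address. The process table and `ss -H -ltnp` lines are constructed, and the way the UI is invoked in them (including the port numbers) is an assumption; only the two flag names come from the advisory.

```python
import ipaddress
import re
import shlex

RISKY_FLAGS = {"--auth", "--share"}  # flags the workaround says not to use

# Constructed sample data: pid -> command line (invocation form is an assumption).
SAMPLE_CMDLINES = {
    4101: "python -m backpropagate ui --share",
    4102: "python -m backpropagate ui --auth USER:PASS",
    4103: "python -m backpropagate ui",
    4200: "nginx -g 'daemon off;'",
}
# Constructed lines in the layout printed by `ss -H -ltnp`.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:* users:(("python",pid=4101,fd=7))
LISTEN 0 128 127.0.0.1:9001 0.0.0.0:* users:(("python",pid=4102,fd=7))
LISTEN 0 128 [::1]:9002 [::]:* users:(("python",pid=4103,fd=7))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=4200,fd=6))
"""

def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; '*', 0.0.0.0 and :: are wildcards."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def audit(cmdlines, ss_output):
    """Return {pid: [reasons]} for backpropagate listeners that need review."""
    findings = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # local address:port column
        for pid in map(int, re.findall(r"pid=(\d+)", line)):
            argv = shlex.split(cmdlines.get(pid, ""))
            if not any("backpropagate" in arg for arg in argv):
                continue  # some other service
            reasons = sorted(RISKY_FLAGS & {arg.split("=")[0] for arg in argv})
            if not is_loopback(host):
                reasons.append(f"listens on non-loopback {host}:{port}")
            if reasons:
                findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in audit(SAMPLE_CMDLINES, SAMPLE_SS).items():
        print(pid, "; ".join(reasons))
```

On a real host, build the `cmdlines` mapping from the process table (for example `/proc/<pid>/cmdline`) and pass the live `ss -H -ltnp` output.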
