CVE-2026-33879

CRITICAL

FLIP doesn't have rate limiting or brute-force protection on login

Title source: cna

Description

Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.

References (1)

[X_Refsource_Confirm] https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv

Scores

CVSS v3 9.8

EPSS 0.0007

EPSS Percentile 20.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-307

Status published

Products (2)

aicentre/federated_learning_and_interoperability_platform < 0.1.1

londonaicentre/FLIP <= 0.1.1

Published Mar 27, 2026

Tracked Since Mar 29, 2026