{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33879", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.680Z", "datePublished": "2026-03-27T20:31:50.559Z", "dateUpdated": "2026-03-30T15:36:42.454Z"}, "containers": {"cna": {"title": "FLIP doesn't have rate limiting or brute-force protection on login", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv"}], "affected": [{"vendor": "londonaicentre", "product": "FLIP", "versions": [{"version": "<= 0.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:32:19.099Z"}, "descriptions": [{"lang": "en", "value": "Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available."}], "source": {"advisory": "GHSA-p34f-488j-5cwv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:36:32.083153Z", "id": "CVE-2026-33879", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:36:42.454Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:36:32.083153Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:36:37.935Z"}}], "cna": {"title": "FLIP doesn't have rate limiting or brute-force protection on login", "source": {"advisory": "GHSA-p34f-488j-5cwv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "londonaicentre", "product": "FLIP", "versions": [{"status": "affected", "version": "<= 0.1.1"}]}], "references": [{"url": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv", "name": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:32:19.099Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33879", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:36:42.454Z", "dateReserved": "2026-03-24T15:10:05.680Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:31:50.559Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aicentre:federated_learning_and_interoperability_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1D679AF-BC06-487B-BAE2-506A34303BDF", "versionEndExcluding": "0.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available."}], "id": "CVE-2026-33879", "lastModified": "2026-04-08T14:49:00.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:24.537", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FLIP", "source": "cna", "vendor": "londonaicentre"}, "product": "flip", "vendor": "londonaicentre"}], "analysis": {"en": {"generated_at": "2026-04-08T16:28:30.472619+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011proposed patch as soon as it becomes available", "If a patch is unavailable, configure a reverse proxy or web\u2011application firewall to enforce rate limiting on POST requests to the login endpoint", "Add a CAPTCHA or other bot\u2011deterrent mechanism to the login form", "Enforce strong, unique passwords and consider implementing multi\u2011factor authentication", "Disable or restrict external access to the login page if the platform does not require it"], "summary": {"action": "Immediate Patch", "impact": "Brute Force Credential Compromise"}, "threat_synthesis": {"affected_systems": "The platform affected is the Federated Learning and Interoperability Platform (FLIP) from londonaicentre, specifically releases 0.1.1 and all earlier versions.", "description_and_impact": "In 0.1.1 and earlier versions of FLIP, the login page lacks mechanisms to limit the number of failed authentication attempts or to present a CAPTCHA, allowing attackers to perform automated brute\u2011force or credential\u2011stuffing attacks. The vulnerability can compromise user accounts that belong to external healthcare institutions, potentially exposing sensitive information or facilitating further malicious activity in the federated learning environment. The weakness is a classic instance of weak authentication controls (CWE\u2011307).", "risk_and_exploitability": "The CVSS base score of 2.7 indicates a low severity, and the EPSS score is under 1%, suggesting that the overall likelihood of exploitation is presently low. However, the vulnerability is not listed in KEV, so no confirmed active exploits are known yet. Attackers would reach the vulnerable entry point through the public login page, attempting repeated credential submissions without any server\u2011side rate limiting. While successful exploitation requires valid or guessable credentials, the absence of account lock\u2011out or rate measurement lowers the effort required for credential\u2011stuffing."}}}}, "created": "2026-03-29T20:30:09.015332+00:00", "updated": "2026-04-08T20:01:03.017712+00:00", "vendors": ["londonaicentre", "londonaicentre$PRODUCT$flip"]}