Auth bypass in Mcp-tool-shop-org Backpropagate
CVE-2026-48797
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training…
Affected products
- Mcp-tool-shop-org Backpropagate — versions >= 1.1.0, < 1.2.0
- Mcp-tool-shop-org @Mcptoolshop/backpropagate — versions >= 1.1.0, < 1.2.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)