Exposure of sensitive Information allows account takeover
June 9, 2025
Products Impacted
This vulnerability is present in all versions of BackendAI. We tested on version 25.3.3 (commit f7f8fe33ea0230090f1d0e5a936ef8edd8cf9959).
CVSS Score: 8.0
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE Categorization
CWE-200: Exposure of Sensitive Information
Details
To reproduce this, we started an interactive session
Then, we can read /home/config/environ.txt and read the information.
Timeline
March 28, 2025 — Contacted vendor to let them know we have identified security vulnerabilities and ask how we should report them.
April 02, 2025 — Vendor answered letting us know their process, which we followed to send the report.
April 21, 2025 — Vendor sent confirmation that their security team was working on actions for two of the vulnerabilities and they were unable to reproduce another.
April 21, 2025 — Follow up email sent providing additional steps on how to reproduce the third vulnerability and offered to have a call with them regarding this.
May 30, 2025 — Attempt to reach out to vendor prior to public disclosure date.
June 03, 2025 — Final attempt to reach out to vendor prior to public disclosure date.
June 09, 2025 — HiddenLayer public disclosure.
Project URL
https://github.com/lablup/backend.ai
Researcher: Esteban Tonglet, Security Researcher, HiddenLayer
Researcher: Kasimir Schulz, Director, Security Research, HiddenLayer
Related SAI Security Advisory
June 12, 2026
Post-Authentication RCE via update_collection
Any authenticated user with UPDATE_COLLECTION permission can achieve remote code execution by updating a collection's embedding function to reference a malicious HuggingFace model with trust_remote_code: true. The update_collection endpoint uses the same build_from_config() code path as CVE-2026-45829. Authentication runs before model loading, so this is not a pre-authentication issue, but the model instantiation itself is unguarded.
June 12, 2026
V1 API Tenant Isolation Bypass via Null Tenant/Database Context
All V1 collection-level endpoints pass None for tenant and database to the authorization layer, making tenant-scoped access control impossible through V1, regardless of which authorization provider is configured. V1 cannot be disabled. Combined with CVE-2026-45830, any authenticated user has unrestricted read/write access to any collection by UUID through V1 endpoints.