FLIP Platform Login Vulnerable to Brute-Force Attacks

CVE Notify is flagging a critical vulnerability in the Federated Learning and Interoperability Platform (FLIP). This open-source platform, used for training and evaluating AI models on medical imaging data across healthcare institutions, has a glaring security hole in its login page for versions 0.1.1 and earlier. The issue stems from a lack of rate limiting and CAPTCHA protection, making it an open invitation for brute-force and credential-stuffing attacks.

The risk is amplified because FLIP users are typically external to the organizations deploying the platform. This often leads to users reusing credentials across multiple services, a practice that significantly increases the likelihood of successful credential stuffing. If an attacker gets hold of even a few leaked credentials, they could potentially gain unauthorized access to sensitive medical imaging AI models and data hosted on FLIP.

As of this report, CVE Notify indicates it’s uncertain whether a patch has been released to address this vulnerability. Organizations using FLIP should urgently investigate their version and assess their exposure.

What This Means For You

  • Security teams must immediately verify the FLIP platform version in use and, if running 0.1.1 or prior, implement strict access controls and monitor for suspicious login attempts, even if a patch is not yet confirmed, to mitigate the risk of credential stuffing.
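The two controls this advisory revolves around, a rate limit on the login page (the missing mitigation) and monitoring for brute-force and credential-stuffing patterns (the recommended compensating control), as an added Python example. This is not FLIP's own code and the advisory does not show FLIP's log format, so the sample audit lines, their `timestamp RESULT user= ip=` layout, the hostnames and the thresholds are all constructed here for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login-audit lines (an assumed format, not FLIP's real
# log format). Addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-04-01T10:00:01Z FAIL user=alice ip=203.0.113.7
2026-04-01T10:00:02Z FAIL user=alice ip=203.0.113.7
2026-04-01T10:00:03Z FAIL user=alice ip=203.0.113.7
2026-04-01T10:00:04Z FAIL user=alice ip=203.0.113.7
2026-04-01T10:00:05Z FAIL user=alice ip=203.0.113.7
2026-04-01T10:00:06Z FAIL user=alice ip=203.0.113.7
2026-04-01T10:00:10Z FAIL user=bob ip=198.51.100.9
2026-04-01T10:00:11Z FAIL user=carol ip=198.51.100.9
2026-04-01T10:00:12Z FAIL user=dave ip=198.51.100.9
2026-04-01T10:00:13Z FAIL user=erin ip=198.51.100.9
2026-04-01T10:00:14Z FAIL user=frank ip=198.51.100.9
2026-04-01T10:00:15Z OK user=grace ip=198.51.100.9
2026-04-01T10:05:00Z FAIL user=heidi ip=192.0.2.44
2026-04-01T10:05:30Z OK user=heidi ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    result: str
    user: str
    ip: str


def parse_line(line: str) -> LoginEvent:
    """Parse one audit line; raises ValueError on anything unrecognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return LoginEvent(ts, m["result"], m["user"], m["ip"])


def detect_suspicious_logins(log_text: str, window_seconds: int = 60,
                             threshold: int = 5) -> list[tuple[str, list[str]]]:
    """Flag source IPs whose failed logins inside a sliding window look like
    brute force (many failures on one account) or credential stuffing
    (failures spread over many distinct accounts)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails_by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "FAIL":
            fails_by_ip[ev.ip].append(ev)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, fails in fails_by_ip.items():
        recent: deque[LoginEvent] = deque()
        labels: set[str] = set()
        for ev in fails:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:  # drop failures outside window
                recent.popleft()
            per_user = Counter(e.user for e in recent)
            if max(per_user.values()) >= threshold:
                labels.add("brute_force")
            if len(per_user) >= threshold:
                labels.add("credential_stuffing")
        if labels:
            alerts.append((ip, sorted(labels)))
    return sorted(alerts)


class LoginRateLimiter:
    """Sliding-window attempt limiter, the kind of control the advisory says
    the affected login page lacks. Keyed by any string (source IP, account)."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 60):
        self.max_attempts = max_attempts
        self.window = timedelta(seconds=window_seconds)
        self._attempts: dict[str, deque[datetime]] = defaultdict(deque)

    def allow(self, key: str, now: datetime) -> bool:
        """Record an attempt for key; return False once the window is full."""
        q = self._attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def check_login_attempt(limiter: LoginRateLimiter, ip: str, user: str,
                        now: datetime) -> str:
    """Gate an attempt on both the source IP and the target account, so one IP
    cannot spray many accounts and many IPs cannot hammer one account. Call it
    before the password check so that wrong guesses are counted too."""
    ip_ok = limiter.allow(f"ip:{ip}", now)
    user_ok = limiter.allow(f"user:{user}", now)
    return "allowed" if ip_ok and user_ok else "rate_limited"


if __name__ == "__main__":
    for ip, labels in detect_suspicious_logins(SAMPLE_LOG):
        print(f"{ip}: {', '.join(labels)}")
```

On the constructed sample the detector reports 203.0.113.7 as brute force (six failures on one account in a few seconds) and 198.51.100.9 as credential stuffing (five different accounts in five seconds), while the single failure from 192.0.2.44 stays quiet. The per-account key in the limiter matters as much as the per-IP key: credential stuffing from a distributed source defeats a purely per-IP limit, and a per-account limit is what actually protects a user whose password was leaked elsewhere.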

Related ATT&CK Techniques

πŸ›‘οΈ Detection Rules

1 rule · 6 SIEM formats

1 detection rule mapped to MITRE ATT&CK.

Severity: high · T1190 (Initial Access)

Web Application Exploitation Attempt - CVE-2026-33879


Source: Shimi's Cyber World

Indicators of Compromise

ID              Type         Indicator
CVE-2026-33879  Auth Bypass  Federated Learning and Interoperability Platform (FLIP) versions 0.1.1 and prior: login page lacks rate limiting or CAPTCHA
