FLIP doesn’t have rate limiting or brute-force protection on login

2.7 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Description

Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.

Basic Information

ID CVE-2026-33879

Source GitHub_M

Published Mar 27, 2026 at 20:31

Modified Mar 30, 2026 at 15:36

Affected Product

Vendor londonaicentre

Product FLIP

Version <= 0.1.1

Affected Versions londonaicentre FLIP <= 0.1.1

CWE Classification

CWE-307

References

github.com /londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv

{
    "lastseen": "",
    "description": "Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.",
    "published": "2026-03-27T20:31:50.559Z",
    "modified": "2026-03-30T15:36:42.454Z",
    "type": "cve",
    "title": "FLIP doesn't have rate limiting or brute-force protection on login",
    "source": "GitHub_M",
    "references": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv",
    "id": "CVE-2026-33879",
    "bulletinFamily": "",
    "cwe": [
        "CWE-307"
    ],
    "cvelist": null,
    "sourceData": "londonaicentre FLIP <= 0.1.1",
    "sourceHref": "",
    "cvss": {
        "score": 2.7,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FLIP",
    "version": "<= 0.1.1",
    "vendor": "londonaicentre",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FLIP doesn’t have rate limiting or brute-force protection on login_CVE-2026-33879