{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33879", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.680Z", "datePublished": "2026-03-27T20:31:50.559Z", "dateUpdated": "2026-03-30T15:36:42.454Z"}, "containers": {"cna": {"title": "FLIP doesn't have rate limiting or brute-force protection on login", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv"}], "affected": [{"vendor": "londonaicentre", "product": "FLIP", "versions": [{"version": "<= 0.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:32:19.099Z"}, "descriptions": [{"lang": "en", "value": "Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available."}], "source": {"advisory": "GHSA-p34f-488j-5cwv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:36:32.083153Z", "id": "CVE-2026-33879", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:36:42.454Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:36:32.083153Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:36:37.935Z"}}], "cna": {"title": "FLIP doesn't have rate limiting or brute-force protection on login", "source": {"advisory": "GHSA-p34f-488j-5cwv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "londonaicentre", "product": "FLIP", "versions": [{"status": "affected", "version": "<= 0.1.1"}]}], "references": [{"url": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv", "name": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:32:19.099Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33879", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:36:42.454Z", "dateReserved": "2026-03-24T15:10:05.680Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:31:50.559Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available."}], "id": "CVE-2026-33879", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:24.537", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/londonaicentre/FLIP/security/advisories/GHSA-p34f-488j-5cwv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FLIP", "source": "cna", "vendor": "londonaicentre"}, "product": "flip", "vendor": "londonaicentre"}], "analysis": {"en": {"generated_at": "2026-03-28T05:59:59.964973+00:00", "value": {"mitigation_remediation": ["Apply a patch or upgrade to a later FLIP version once available from the vendor", "Implement rate limiting or CAPTCHA on the login interface to restrict login attempts", "Configure account lockout after a set number of failed attempts", "Monitor and log authentication attempts for anomalous activity", "Restrict external user access where possible and enforce strong, unique passwords"], "summary": {"action": "Assess Impact", "impact": "Unauthorized access through brute\u2011force login attempts"}, "threat_synthesis": {"affected_systems": "The vulnerability affects editions of FLIP 0.1.1 and earlier, released by Londonaicentre. Only this version series is known to be susceptible; newer releases are not indicated as affected.", "description_and_impact": "The Federated Learning and Interoperability Platform exhibits no rate limiting or CAPTCHA on its login page. This allows attackers to perform automated and potentially large\u2011scale credential stuffing or brute\u2011force attacks. If successful, the attacker could gain unauthorized access to FLIP, exposing or tampering with federated medical imaging models and associated data, thus compromising confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 2.7 indicates a low to moderate severity, but the lack of mitigation measures opens a clear attack path over the network. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, involving repeated login attempts from external sources, especially targeting users who may reuse credentials across institutions. Because FLIP users are typically external, credential reuse could amplify the risk."}}}}, "created": "2026-03-29T20:30:09.015332+00:00", "updated": "2026-03-30T07:00:27.548894+00:00", "vendors": ["londonaicentre", "londonaicentre$PRODUCT$flip"]}