CVE-2026-33879 LOW

CVE-2026-33879: FLIP doesn't have rate limiting or brute-force protection on login

Vendor Londonaicentre
Product FLIP
Weakness CWE-307 · Brute force
Published March 27, 2026
Last update March 30, 2026

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.
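One way to add the missing control, shown as an added example that is not FLIP's code or a vendor patch: failed logins are counted in a sliding window per account (brute force against one user) and per source address (credential stuffing across many users). The class and function names, thresholds, window length and the in-memory store are assumptions for illustration.

```python
import time
from collections import deque


class LoginThrottle:
    """Sliding-window limiter for failed logins, keyed by account and by source."""

    def __init__(self, per_account=5, per_source=20, window=300.0, clock=time.monotonic):
        self.limits = {"account": per_account, "source": per_source}
        self.window = window          # seconds a failure stays counted
        self.clock = clock            # injectable so the window can be tested
        self.failures = {}            # (kind, key) -> deque of failure timestamps

    def _count(self, kind, key):
        q = self.failures.get((kind, key))
        if q is None:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:   # drop failures that aged out of the window
            q.popleft()
        return len(q)

    def allowed(self, username, source_ip):
        """Call before verifying the password; False means reject (e.g. HTTP 429)."""
        return (self._count("account", username.lower()) < self.limits["account"]
                and self._count("source", source_ip) < self.limits["source"])

    def record(self, username, source_ip, success):
        """Call after verifying the password."""
        if success:
            # Reset the account counter only: one valid hit during credential
            # stuffing must not clear the counter for the source address.
            self.failures.pop(("account", username.lower()), None)
            return
        now = self.clock()
        for kind, key in (("account", username.lower()), ("source", source_ip)):
            self.failures.setdefault((kind, key), deque()).append(now)


def simulate(throttle, attempts, valid):
    """Replay (username, ip, password) tuples; return 'ok', 'fail' or 'blocked' per attempt."""
    results = []
    for user, ip, password in attempts:
        if not throttle.allowed(user, ip):
            results.append("blocked")   # password is never checked while throttled
            continue
        ok = valid.get(user) == password  # stand-in for the real password verifier
        throttle.record(user, ip, ok)
        results.append("ok" if ok else "fail")
    return results
```

A production deployment would keep the counters in a shared store with expiry so they survive restarts and apply across instances. The per-account limit also lets a third party delay a legitimate user's login, which is why the block is time-bounded rather than a permanent lockout.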

Key dates

02 Disclosure timeline

March 27, 2026 CVE published
March 30, 2026 Record updated