CVE-2026-33879

FLIP doesn't have rate limiting or brute-force protection on login

CVSS 2.7 LOW · EPSS 0.3% · CWE-307
Vexday Risk Score
8 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.7 · EPSS 0.3% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
27 Mar 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Affected products
londonaicentre · FLIP
