Cyber Resilience

CVE-2026-33879

Severity: Low

Published: 27 March 2026

Modified: 08 April 2026
CVSS v4 Score: 2.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0027 (18.2nd percentile)
Risk Priority: 15 (floored blend, peak EPSS)

Summary

CVE-2026-33879 is a low-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in the Aicentre Federated Learning and Interoperability Platform. Its CVSS base score is 2.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 18.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-33879 affects the Federated Learning and Interoperability Platform (FLIP), an open-source platform designed for federated training and evaluation of medical imaging AI models across healthcare institutions. The vulnerability resides in the FLIP login page in versions 0.1.1 and prior, which has no rate limiting or CAPTCHA protection. This enables brute-force and credential-stuffing attacks, and the exposure is worsened because FLIP's users are external to the operating organization, which raises the risk that credentials reused from other services will work here. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-307: Improper Restriction of Excessive Authentication Attempts.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. A successful attack yields unauthorized access to FLIP accounts via automated guessing of credentials, with high impact on confidentiality, integrity, and availability. Given the platform's role in handling sensitive medical imaging data across institutions, attackers could gain entry to federated AI training environments.

The GitHub Security Advisory (GHSA-p34f-488j-5cwv) details the issue but notes that, as of publication on 2026-03-27, it is unclear if a patch is available for affected versions.

FLIP's focus on federated learning for medical AI models introduces domain-specific risks, as compromised credentials could disrupt collaborative AI development in healthcare settings. No real-world exploitation has been reported at the time of publication.


Vulnerability details

Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of time of publication, it is unclear if a patch is available.

CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

T1110.004 Credential Stuffing (Credential Access)
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.

Why these techniques?

The lack of rate limiting or CAPTCHA on the login page directly enables automated brute-force password guessing (T1110.001) and credential stuffing (T1110.004) to obtain valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40586 (shared CWE-307)
CVE-2026-43914 (shared CWE-307)
CVE-2025-25595 (shared CWE-307)
CVE-2026-32295 (shared CWE-307)
CVE-2023-54347 (shared CWE-307)
CVE-2026-22616 (shared CWE-307)
CVE-2026-36959 (shared CWE-307)
CVE-2024-51476 (shared CWE-307)
CVE-2025-64310 (shared CWE-307)
CVE-2025-12995 (shared CWE-307)

Affected Assets

aicentre: federated learning and interoperability platform, versions ≤ 0.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-7 (Unsuccessful Logon Attempts), control type: prevent

Directly enforces limits on consecutive unsuccessful logon attempts, comprehensively mitigating brute-force and credential-stuffing attacks on the FLIP login page.

IA-8 (Identification and Authentication (Non-organizational Users)), control type: prevent

Enforces tailored identification and authentication requirements for non-organizational external FLIP users, including mechanisms such as rate limiting or CAPTCHA to restrict excessive attempts.

Control type: prevent

Limits the effects of denial-of-service events from brute-force flooding of the login page, addressing the availability impact of automated attacks.
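As an added example (not code from FLIP, the advisory, or this analysis), the following Python sketch puts the unthrottled login check that the deeper analysis describes next to a throttled one in the spirit of the AC-7 and IA-8 controls above: a sliding window of failed attempts, keyed both by account and by source address, with a bounded lockout once the threshold is reached. The in-memory user store, the PBKDF2 verifier, the LoginThrottle class and the injectable clock are all hypothetical pieces introduced for the example.

```python
# Login throttling for CWE-307: an added example, not FLIP's code.
# Assumed (hypothetical) parts: the in-memory user store, the PBKDF2 verifier,
# the LoginThrottle class, and the injectable clock used for deterministic windows.
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account (not real FLIP data).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_unthrottled(username: str, password: str) -> bool:
    """The pattern the advisory describes: every guess is checked, without limit."""
    return verify_password(username, password)


class LoginThrottle:
    """Sliding-window failure counter (NIST 800-53 AC-7 intent): once
    `max_failures` failures fall inside `window_seconds`, the key is refused
    for `lockout_seconds`, even if a later guess is correct."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window_seconds, lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> recent failure timestamps
        self._locked_until = {}              # key -> time the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key) -> bool:
        now = self.clock()
        if now < self._locked_until.get(key, 0):
            return True
        self._locked_until.pop(key, None)  # drop an expired lock
        self._prune(key, now)
        return False

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key].clear()

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def login_throttled(throttle, username, password, source_ip) -> str:
    """Returns 'ok', 'denied' or 'locked'; the lock check runs before the verifier."""
    user_key, ip_key = f"user:{username}", f"ip:{source_ip}"
    if throttle.is_locked(user_key) or throttle.is_locked(ip_key):
        return "locked"
    if verify_password(username, password):
        # Only the account counter resets: a source that has been spraying
        # credentials keeps its failure history after one success.
        throttle.record_success(user_key)
        return "ok"
    throttle.record_failure(user_key)
    throttle.record_failure(ip_key)
    return "denied"


def simulate():
    """Five wrong guesses from one constructed source, then the right password
    (refused while locked), then the right password again after the lockout."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    results = []
    for guess in ["password", "123456", "alice", "letmein", "qwerty",
                  "correct horse battery"]:
        now[0] += 1.0
        results.append(login_throttled(throttle, "alice", guess, "203.0.113.7"))
    now[0] += 1000.0  # well past lockout_seconds
    results.append(login_throttled(throttle, "alice", "correct horse battery", "203.0.113.7"))
    return results
```

Two design points matter for the third control listed above (availability). A lockout keyed only by account lets anyone lock legitimate users out by sending bad passwords for their names, so the lockout here is time-bounded rather than permanent and a second counter is kept per source address, which also catches credential stuffing that spreads a few guesses across many accounts. In a real deployment the counters would live in a shared store rather than process memory so that every login front end sees the same state, and a CAPTCHA step can be inserted at a lower threshold than the lockout.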
