CVE-2026-33879
Published: 27 March 2026
Summary
CVE-2026-33879 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Aicentre Federated Learning And Interoperability Platform. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). It ranks at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-8 (Identification and Authentication (Non-organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-7 (Unsuccessful Logon Attempts): Directly enforces limits on consecutive unsuccessful logon attempts, comprehensively mitigating brute-force and credential-stuffing attacks on the FLIP login page.
- IA-8 (Identification and Authentication (Non-organizational Users)): Enforces tailored identification and authentication requirements for non-organizational external FLIP users, including mechanisms such as rate limiting or CAPTCHA to restrict excessive attempts.
- Limits the effects of denial-of-service events from brute-force flooding of the login page, addressing the availability impact of automated attacks.
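An added example (not FLIP's code and not part of this advisory) of the AC-7 style control described above: a sliding-window login throttle keyed on both the account and the source IP, locking the key once the failure threshold is reached. Class and function names, thresholds, the fake clock and the sample usernames and IP are assumptions; `password_ok` stands in for the real credential check, which the page does not show.

```python
import time
from collections import defaultdict, deque
class LoginThrottle:
    """Sliding-window failure counter with lockout, per key (account or source IP)."""
    def __init__(self, max_failures=5, window_s=900, lockout_s=900, clock=time.monotonic):
        self.max_failures, self.window_s, self.lockout_s, self.clock = max_failures, window_s, lockout_s, clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def is_locked(self, key):
        now, until = self.clock(), self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]           # lockout expired: start counting afresh
        self._failures[key].clear()
        return False

    def record_failure(self, key):
        now, q = self.clock(), self._failures[key]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
    def record_success(self, key):
        self._failures.pop(key, None)

def attempt_login(throttle, username, source_ip, password_ok):
    """Returns 'locked', 'ok' or 'failed'. password_ok stands in for the real credential
    check; both keys are tested first, so a locked account rejects even a correct password."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_locked(k) for k in keys):
        return "locked"
    for k in keys:
        (throttle.record_success if password_ok else throttle.record_failure)(k)
    return "ok" if password_ok else "failed"

def demo():
    """Constructed scenario: five bad guesses, then correct passwords during and after lockout."""
    now = [0.0]                               # fake clock the demo advances by hand (assumption)
    t = LoginThrottle(clock=lambda: now[0])
    out = [attempt_login(t, "alice", "198.51.100.7", False) for _ in range(5)]
    out.append(attempt_login(t, "alice", "198.51.100.7", True))   # account is locked
    out.append(attempt_login(t, "bob", "198.51.100.7", True))     # same source IP: locked too
    now[0] += 901                                                  # past the 900 s lockout
    out.append(attempt_login(t, "alice", "198.51.100.7", True))   # lock expired: "ok"
    return out
```

Per-IP lockouts affect every user behind a shared NAT, so the IP threshold is normally set higher than the per-account one, and each lockout event should be logged so that guessing campaigns are visible to detection.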
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The lack of rate limiting or CAPTCHA on the login page directly enables automated brute-force password guessing (T1110.001) and credential stuffing (T1110.004) to obtain valid accounts (T1078).
NVD Description
Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login page in versions 0.1.1 and prior has no rate limiting or CAPTCHA, enabling brute-force and credential-stuffing attacks. FLIP users are external to the organization, increasing credential reuse risk. As of the time of publication, it is unclear if a patch is available.
Deeper analysis
CVE-2026-33879 affects the Federated Learning and Interoperability Platform (FLIP), an open-source platform designed for federated training and evaluation of medical imaging AI models across healthcare institutions. The vulnerability resides in the FLIP login page in versions 0.1.1 and prior, which lacks rate limiting or CAPTCHA protections. This enables brute-force and credential-stuffing attacks, exacerbated by FLIP's use of external users outside the organization, heightening risks from credential reuse. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-307: Improper Restriction of Excessive Authentication Attempts.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful attacks allow unauthorized access to FLIP accounts via automated guessing of credentials, with high impact on confidentiality, integrity, and availability. Given the platform's role in handling sensitive medical imaging data across institutions, attackers could gain entry to federated AI training environments.
The GitHub Security Advisory (GHSA-p34f-488j-5cwv) details the issue but notes that, as of publication on 2026-03-27, it is unclear if a patch is available for affected versions.
FLIP's focus on federated learning for medical AI models introduces domain-specific risks, as compromised credentials could disrupt collaborative AI development in healthcare settings. No real-world exploitation has been reported at the time of publication.
Details
- CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
- Affected Products: Federated Learning and Interoperability Platform (FLIP), versions 0.1.1 and prior
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai