CVE-2025-49652: BackendAI Missing Authentication for Critical Function

June 9, 2025 (updated June 11, 2025)

Missing Authentication in the registration feature of Lablup’s BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.

References

github.com/advisories/GHSA-ww28-4m4v-cq4j
github.com/lablup/backend.ai
hiddenlayer.com/sai_security_advisor/2025-05-backendai-49653
hiddenlayer.com/sai_security_advisor/2025-06-backendai
nvd.nist.gov/vuln/detail/CVE-2025-49652

Code Behaviors & Features

Detect and mitigate CVE-2025-49652 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →