Summary
In backpropagate >= 1.1.0, the optional Reflex web UI (pip install backpropagate[ui], launched via backprop ui) exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push.
The CLI accepts two operator-facing flags intended as security controls:
--auth user:pass — documented as "require HTTP Basic authentication on every request to the UI."
--share — documented as "expose the UI on a public address; requires --auth."
When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend.
The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether --share is used — has full UI access.
An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced.
This advisory is filed primarily because the runtime contradicted an operator-facing security claim. Code-only bugs of comparable shape (auth check missing entirely from a path) would already warrant disclosure; the additional false-promise dimension raises the severity.
Impact
An attacker who reaches the bound port can:
- Read uploaded datasets rendered in the UI preview, including content of any JSONL/CSV/TXT file the legitimate operator has uploaded for fine-tuning.
- Trigger arbitrary training runs against any base model the operator has installed locally or that can be downloaded from HuggingFace.
- Trigger HuggingFace Hub pushes to repositories named via the UI input (subject to the operator's local HF token's scope — typically all repos owned by the operator).
- Cause disk-fill DoS via the
rx.upload endpoint (no size cap, no extension filter, no per-session count cap in v1.1.0 / v1.1.1).
- Read model paths (
source_model_path, dataset_path, model, uploaded_path) which are user-supplied and bypass the safe_path() helper that lives in backpropagate/ui_security.py (path validation is dead code on the Reflex surface in v1.1.0 / v1.1.1).
The combination of unauthenticated training control, HF push target spoofing, and path-input traversal makes the affected endpoint suitable for both data exfiltration (reading uploaded training data) and supply-chain attacks (pushing tampered model weights to the operator's HF account).
The local-only default (no --share) reduces exposure to a host-local attacker. The --share flag is documented as a "public URL" feature; operators who used --share --auth user:pass had no warning that the auth half was inert.
Patches
Fixed in v1.2.0 (released 2026-05-23). The patch implements real ASGI middleware via rx.App(api_transformer=basic_auth_transformer) that gates HTTP routes AND the /_event WebSocket upgrade. Four modes (no_auth_local_only / token_auto / explicit_creds / production), HMAC-signed cookie validated PRE-websocket.accept(), Host + Origin allowlists. The middleware ships alongside a 4-layer defense in depth at the cli.py / ui_app/app.py / rxconfig.py / env-strip surfaces so direct python -m reflex run invocations (bypassing the CLI guard) also enforce authentication.
Upgrade with:
- pip:
pip install --upgrade backpropagate
- npm:
npm install -g @mcptoolshop/backpropagate@latest
Full release notes: https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23
Workarounds
If users cannot upgrade immediately:
- Do not pass
--auth or --share to backprop ui. Run the UI with no flags (backprop ui); it will bind to localhost and accept any client that can reach 127.0.0.1.
- For remote access, use SSH port-forwarding instead of
--share:
# On the client:
ssh -L 7860:localhost:7860 <training-host>
# On the server:
backprop ui # no --share
# Then open http://localhost:7860 in your local browser.
SSH provides the authentication layer the Reflex UI did not.
- Audit existing deployments. If any host running
backpropagate >= 1.1.0 has previously been launched with --share, treat any uploaded training data, model paths, or HF push targets visible in that UI session as potentially exposed. Re-issue HF tokens that have been in use during such sessions.
Binary distribution gap. Standalone binaries (Windows .exe / macOS .app via PyInstaller) failed to build for v1.2.0 and will land in a follow-up patch release. In the interim, users who relied on the v1.1.x binary distribution should install the patched version via pip install backpropagate==1.2.0 to receive the auth-bypass fix. The v1.2.0 PyPI package and @mcptoolshop/backpropagate@1.2.0 npm package both carry the patched code.
Credit
Discovered by the dogfood-swarm Stage A audit on 2026-05-22 (finding ID FRONTEND-A-001, classified CRITICAL). The audit also surfaced contradicting documentation in CHANGELOG / SHIP_GATE / README; those were corrected in v1.2.0 alongside the runtime fix.
References
Summary
In
backpropagate >= 1.1.0, the optional Reflex web UI (pip install backpropagate[ui], launched viabackprop ui) exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push.The CLI accepts two operator-facing flags intended as security controls:
--auth user:pass— documented as "require HTTP Basic authentication on every request to the UI."--share— documented as "expose the UI on a public address; requires--auth."When
--auth user:passis passed, the CLI printsAuth: enabled (user: <username>)to confirm to the operator that authentication is active, then exportsBACKPROPAGATE_UI_AUTH=user:passto the subprocess that launches the Reflex backend.The Reflex backend (
backpropagate/ui_app/**) never readsBACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether--shareis used — has full UI access.An inline comment at
backpropagate/cli.py:1217-1218in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced.This advisory is filed primarily because the runtime contradicted an operator-facing security claim. Code-only bugs of comparable shape (auth check missing entirely from a path) would already warrant disclosure; the additional false-promise dimension raises the severity.
Impact
An attacker who reaches the bound port can:
rx.uploadendpoint (no size cap, no extension filter, no per-session count cap in v1.1.0 / v1.1.1).source_model_path,dataset_path,model,uploaded_path) which are user-supplied and bypass thesafe_path()helper that lives inbackpropagate/ui_security.py(path validation is dead code on the Reflex surface in v1.1.0 / v1.1.1).The combination of unauthenticated training control, HF push target spoofing, and path-input traversal makes the affected endpoint suitable for both data exfiltration (reading uploaded training data) and supply-chain attacks (pushing tampered model weights to the operator's HF account).
The local-only default (no
--share) reduces exposure to a host-local attacker. The--shareflag is documented as a "public URL" feature; operators who used--share --auth user:passhad no warning that the auth half was inert.Patches
Fixed in v1.2.0 (released 2026-05-23). The patch implements real ASGI middleware via
rx.App(api_transformer=basic_auth_transformer)that gates HTTP routes AND the/_eventWebSocket upgrade. Four modes (no_auth_local_only/token_auto/explicit_creds/production), HMAC-signed cookie validated PRE-websocket.accept(), Host + Origin allowlists. The middleware ships alongside a 4-layer defense in depth at the cli.py / ui_app/app.py / rxconfig.py / env-strip surfaces so directpython -m reflex runinvocations (bypassing the CLI guard) also enforce authentication.Upgrade with:
pip install --upgrade backpropagatenpm install -g @mcptoolshop/backpropagate@latestFull release notes: https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23
Workarounds
If users cannot upgrade immediately:
--author--sharetobackprop ui. Run the UI with no flags (backprop ui); it will bind tolocalhostand accept any client that can reach127.0.0.1.--share: SSH provides the authentication layer the Reflex UI did not.backpropagate >= 1.1.0has previously been launched with--share, treat any uploaded training data, model paths, or HF push targets visible in that UI session as potentially exposed. Re-issue HF tokens that have been in use during such sessions.Binary distribution gap. Standalone binaries (Windows .exe / macOS .app via PyInstaller) failed to build for v1.2.0 and will land in a follow-up patch release. In the interim, users who relied on the v1.1.x binary distribution should install the patched version via
pip install backpropagate==1.2.0to receive the auth-bypass fix. The v1.2.0 PyPI package and@mcptoolshop/backpropagate@1.2.0npm package both carry the patched code.Credit
Discovered by the dogfood-swarm Stage A audit on 2026-05-22 (finding ID
FRONTEND-A-001, classified CRITICAL). The audit also surfaced contradicting documentation in CHANGELOG / SHIP_GATE / README; those were corrected in v1.2.0 alongside the runtime fix.References