Protect Your ClearML Workspaces: Critical CSRF Vulnerability Discovered

CVSS v3.1: 9.6

Allegro AI’s machine learning platform ClearML was found to have a serious security flaw that could allow hackers to take over user accounts.

The vulnerability, known as a cross-site request forgery (CSRF), allows malicious actors to execute commands and access private data on the ClearML servers without the user’s knowledge or consent. By tricking a logged-in user into following a link or submitting a form, an attacker could send unauthorized API requests that appear to come from the victim.

This could enable the theft of confidential machine learning projects, models, and datasets stored within a user’s ClearML workspaces. Sensitive information like hyperparameters, metrics, and even source code may be at risk of exposure.

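CSRF flaws are common on websites that do not check whether an authenticated API request was actually initiated from the site's own pages. Because the browser attaches the victim's session credentials automatically, the server cannot tell a forged request from a genuine one. On ClearML, an attacker could craft a link or form that performs privileged actions like deleting files when the target clicks it while logged into the platform.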
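A server-side check that closes this kind of gap, as an added example that is not ClearML's code or its patch: a state-changing request is accepted only if it comes from a trusted origin and carries a token bound to the session. The origin, the `X-CSRF-Token` header name, the key handling and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical values for illustration; none of these come from ClearML.
TRUSTED_ORIGINS = {"https://app.example.test"}
SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret, server-side only
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change server state


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; embedded only in the site's own pages."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: dict) -> Optional[str]:
    """Origin of the page that sent the request, from Origin or Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not (parts.scheme and parts.netloc):
        return None                        # e.g. the opaque origin "null"
    return f"{parts.scheme}://{parts.netloc}"


def allow_request(method: str, headers: dict, session_id: str) -> Tuple[bool, str]:
    """Decide whether a cookie-authenticated API request may proceed."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(headers)
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin: {origin}"
    sent = headers.get("X-CSRF-Token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(sent, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc"                    # constructed sample session id
    samples = [                            # constructed sample requests
        ("POST", {"Origin": "https://app.example.test",
                  "X-CSRF-Token": issue_csrf_token(sid)}),
        ("POST", {"Origin": "https://other.example.test"}),  # cross-site form
        ("POST", {"Origin": "https://app.example.test"}),    # token absent
    ]
    for method, headers in samples:
        print(method, headers.get("Origin"), allow_request(method, headers, sid))
```

The valid session cookie alone is never sufficient here: a request that arrives without a trusted origin and a matching token is rejected even though the user is logged in.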

To protect yourself, ClearML users should log out of their accounts when not in active use. Enabling two-factor authentication is also recommended as an extra layer of security. And be wary of unsolicited links or emails asking you to access your ClearML workspaces until the developers have fully patched this vulnerability.