## SmartEM Backend Exposes Sensitive Microscopy Data and System Control via Unsecured Debug Endpoints
An API vulnerability in the SmartEM backend, rated Medium-High severity in the source report, exposes sensitive internal state and grants unauthenticated write access, posing a direct threat to proprietary scientific research and to the integrity of the system. Several debug endpoints operate without any authentication or authorization control, so anyone who can reach the API port can read confidential experimental data and alter active microscopy sessions. An attacker with network access can enumerate active sessions, extract experimental parameters and protocols, and view the real-time connection topology.

The vulnerability is located in `src/smartem_backend/api_server.py` between lines 1532 and 1766. `/debug/agent-connections` returns the details of every active agent connection, and `/debug/session/{session_id}/instructions` returns the complete instruction payload for a session; together the endpoints disclose agent connections, session data, experimental parameters, and instruction payloads. The risk is compounded because the same unprotected endpoints accept write operations, letting an attacker create or close sessions and potentially inject instructions of their own into a running session.
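Two things a practitioner wants after reading the paragraph above: a way to confirm that the named debug routes really answer an anonymous request, and the access decision a hardened server should make before serving any `/debug/` route. The example below is added here and is not code from the SmartEM project or from the GitHub issue. It assumes a header name (`X-Admin-Token`), two environment variables (`SMARTEM_DEBUG_ENDPOINTS`, `SMARTEM_ADMIN_TOKEN`), and a constructed stand-in server, none of which appear in the report; the HTTP call is injectable so the probe runs offline against that stand-in.

```python
"""Added example, not SmartEM's code: audit probe plus a gate for /debug/ routes."""
import hmac
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Mapping, Tuple

# Paths named in the report; {session_id} is filled from a caller-supplied id.
DEBUG_PATHS = [
    "/debug/agent-connections",
    "/debug/session/{session_id}/instructions",
]
DEBUG_PREFIX = "/debug/"


def _urllib_fetch(url: str) -> int:
    """Default fetcher: status code of a GET carrying no token and no cookie."""
    req = urllib.request.Request(url, headers={"User-Agent": "debug-endpoint-audit"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe_debug_endpoints(base_url: str, session_id: str,
                          fetch: Callable[[str], int] = _urllib_fetch) -> Dict[str, str]:
    """Return {path: verdict}. 'EXPOSED' means the route answered 200 to an
    anonymous request, which is the condition the report describes."""
    results: Dict[str, str] = {}
    for tmpl in DEBUG_PATHS:
        path = tmpl.format(session_id=session_id)
        status = fetch(base_url.rstrip("/") + path)
        if status == 200:
            verdict = "EXPOSED"
        elif status in (401, 403):
            verdict = "GATED"
        elif status == 404:
            verdict = "ABSENT"
        else:
            verdict = f"UNEXPECTED {status}"
        results[path] = verdict
    return results


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def debug_route_allowed(path: str, headers: Mapping[str, str], *,
                        enabled: bool, admin_token: str) -> Tuple[int, str]:
    """Access decision for a request before it reaches a /debug/ handler.

    Returns (status, reason); 200 means proceed to the handler.
    - Non-debug paths are not this gate's concern (normal auth applies elsewhere).
    - Disabled debug endpoints answer 404 so production does not advertise them.
    - Missing token -> 401; wrong token -> 403, compared with compare_digest so
      response timing does not reveal how many bytes matched.
    """
    if not path.startswith(DEBUG_PREFIX):
        return 200, "not a debug route"
    if not enabled or not admin_token:
        return 404, "debug endpoints disabled"
    presented = _header(headers, "X-Admin-Token")  # header name is an assumption
    if not presented:
        return 401, "admin token required"
    if not hmac.compare_digest(presented.encode(), admin_token.encode()):
        return 403, "invalid admin token"
    return 200, "ok"


def gate_from_env(path: str, headers: Mapping[str, str],
                  environ: Mapping[str, str] = os.environ) -> Tuple[int, str]:
    """Wire the gate to deployment config; variable names are assumptions."""
    return debug_route_allowed(
        path, headers,
        enabled=environ.get("SMARTEM_DEBUG_ENDPOINTS") == "1",
        admin_token=environ.get("SMARTEM_ADMIN_TOKEN", ""),
    )


def _fake_unauthenticated_server(url: str) -> int:
    """Constructed stand-in for a server in the reported state: every /debug/
    route answers 200 to an anonymous GET, everything else 404."""
    return 200 if DEBUG_PREFIX in url else 404


if __name__ == "__main__":
    verdicts = probe_debug_endpoints("http://smartem.internal:8000", "sess-1",
                                     fetch=_fake_unauthenticated_server)
    for p, v in verdicts.items():
        print(f"{v:8} {p}")
    print(debug_route_allowed("/debug/agent-connections", {}, enabled=False, admin_token="x"))
```

Running the probe against a real deployment means dropping the `fetch=` argument; an `EXPOSED` verdict on either path reproduces the report's finding. The gate deliberately returns 404 rather than 401 when debug routes are disabled, so that a production build gives no hint that the routes exist at all.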

This information disclosure creates significant risk for scientific institutions using the platform, as it could lead to the theft of unpublished research protocols and experimental data. The ability to change system state raises the further possibility of sabotaging active microscopy sessions, corrupting data collection, or disrupting laboratory workflows. The flaw underscores a failure to segregate development tooling from production: debug endpoints that belong behind operator authentication, or that should be compiled out of production builds entirely, were left reachable on core research infrastructure, exposing it to both data exfiltration and operational interference.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: API Vulnerability, Information Disclosure, Scientific Research, Cybersecurity, Debug Endpoints
- **Credibility**: unverified
- **Published**: 2026-04-21 16:22:50
- **ID**: 74530
- **URL**: https://whisperx.ai/en/intel/74530