CVE-2023-3686: QuickAI: unauthenticated SQLi exposes OpenAI API keys
CRITICAL | PoC AVAILABLE

CVE-2023-3686 is a CVSS 9.8 unauthenticated SQL injection in QuickAI OpenAI 3.8.1, exploitable with a single crafted GET request against the blog search endpoint. The database almost certainly contains stored OpenAI API keys, user credentials, and application data — any internet-exposed instance should be treated as fully compromised. Take deployments offline immediately; no vendor patch exists and the vendor has not responded to disclosure.
Risk Assessment
Exploitability is maximum: network-accessible, zero complexity, no authentication, no user interaction required. The threat is compounded in an AI context because the database stores OpenAI API keys, which, once exfiltrated, enable unauthorized LLM usage billed to the victim. QuickAI is a commercial SaaS template sold to non-technical operators who are unlikely to monitor for exploitation or apply workarounds. Active exploitation probability is high given the trivial attack complexity and public VulnDB disclosure.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| quickai_openai | pip | — | No patch |
Do you use quickai_openai? You're affected.
Recommended Action
1) Block public access to the /blog endpoint immediately or take the application offline — no official patch is available from the vendor.
2) Deploy WAF rules filtering SQL injection patterns (UNION, SELECT, sleep(), etc.) in the GET parameter 's'.
3) Rotate all OpenAI API keys stored in the application database; revoke the old keys in the OpenAI console and audit usage logs for anomalous consumption.
4) Audit web server access logs for /blog?s= requests containing SQL keywords to detect prior exploitation.
5) Review all exposed user credentials for credential-stuffing risk against other services.
6) If a patch becomes available, upgrade and verify that parameterized queries are used throughout the codebase.
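A log-audit check for step 4, added here as an example (not code from the vendor, VulnDB, or this advisory's author): it parses combined-format access-log lines (assumed Apache/nginx layout), isolates the `s` parameter of `/blog` requests, URL-decodes it (including double encoding) and flags the SQL markers the mitigation names. The sample log lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Tokens named in the mitigation guidance (UNION, SELECT, sleep()) plus common
# SQLi markers. A bare apostrophe is NOT flagged on its own: searches like
# "what's new" are legitimate and would drown the audit in false positives.
SQL_MARKERS = re.compile(
    r"\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\binformation_schema\b"
    r"|--|/\*|'\s*(?:or|and)\b",
    re.IGNORECASE,
)

# Assumed combined log format: client ident user [timestamp] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding for a /blog?s= request carrying SQL markers, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/") != "/blog":
        return None
    # parse_qs percent-decodes and turns '+' into spaces; the extra unquote_plus
    # catches double-encoded payloads (%2527 -> %27 -> ').
    for value in parse_qs(url.query, keep_blank_values=True).get("s", []):
        decoded = unquote_plus(value)
        hit = SQL_MARKERS.search(decoded)
        if hit:
            return {"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
                    "s": decoded, "marker": hit.group(0)}
    return None

def audit(lines):
    """Collect findings over an iterable of access-log lines (e.g. an open log file)."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log: documentation addresses, invented timestamps, one benign
# apostrophe search, two injection attempts, one request outside /blog.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2023:14:02:11 +0000] "GET /blog?s=chatgpt+tips HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jul/2023:14:02:40 +0000] "GET /blog?s=what%27s+new HTTP/1.1" 200 4870',
    '203.0.113.9 - - [10/Jul/2023:14:05:02 +0000] "GET /blog?s=1%27+UNION+SELECT+username,password,api_key,NULL+FROM+users-- HTTP/1.1" 200 9310',
    '203.0.113.9 - - [10/Jul/2023:14:05:09 +0000] "GET /blog?s=1%2527+AND+sleep(5)-- HTTP/1.1" 200 412',
    '203.0.113.9 - - [10/Jul/2023:14:05:15 +0000] "GET /login?s=UNION HTTP/1.1" 302 0',
]
```

Run `audit(open("/path/to/access.log"))` against the real log; any finding is grounds for treating the instance as compromised and starting the key rotation in step 3.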
Frequently Asked Questions
Is CVE-2023-3686 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2023-3686, increasing the risk of exploitation.
What systems are affected by CVE-2023-3686?
This vulnerability affects the following AI/ML architecture patterns: LLM API integrations, AI-powered web applications, Content generation platforms.
What is the CVSS score for CVE-2023-3686?
CVE-2023-3686 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.06%.
Technical Details
NVD Description
A vulnerability was found in Bylancer QuickAI OpenAI 3.8.1. It has been declared as critical. This vulnerability affects unknown code of the file /blog of the component GET Parameter Handler. The manipulation of the argument s leads to sql injection. The attack can be initiated remotely. The identifier of this vulnerability is VDB-234232. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An attacker scans the internet for QuickAI deployments (identifiable via HTTP response headers or UI fingerprinting) and sends a single GET request: GET /blog?s=1'+UNION+SELECT+username,password,api_key,NULL+FROM+users-- with no authentication. Within seconds, the response leaks all user credentials and OpenAI API keys stored in the database. The attacker immediately uses the harvested OpenAI API key to spin up high-volume LLM requests for their own operations at the victim's expense, then pivots to exfiltrate all user PII for sale or further attacks. Total time to full compromise: under five minutes using sqlmap or manual injection.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- vuldb.com 3rd Party
- github.com/fkie-cad/nvd-json-data-feeds Exploit