AI Threat Alert
API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2024-12537 | Open-WebUI: unauthenticated DoS via code formatter | open-webui | 7.5 |
| MEDIUM | CVE-2024-7045 | open-webui: missing authz exposes admin prompts | open-webui | 4.3 |
| MEDIUM | CVE-2024-7044 | Open WebUI: Stored XSS via file upload, session hijack | open-webui | 6.8 |
| HIGH | CVE-2024-7043 | Open WebUI: auth bypass exposes all user files | open-webui | 8.1 |
| HIGH | CVE-2024-9606 | LiteLLM: API key leakage in logs exposes credentials | litellm | 7.5 |
| HIGH | CVE-2025-0628 | litellm: privilege escalation viewer→proxy admin via bad API key | litellm | 8.1 |
| HIGH | CVE-2025-0330 | LiteLLM: Langfuse API key leak via error handling | litellm | 7.5 |
| HIGH | CVE-2024-6825 | LiteLLM: RCE via post_call_rules callback injection | litellm | 8.8 |
| MEDIUM | CVE-2024-53526 | Composio: command injection in AI agent tool calls | composio-openai | 6.4 |
| MEDIUM | CVE-2024-6581 | Lollms: SVG upload XSS enables session hijack and RCE | lollms | 6.5 |
| MEDIUM | GHSA-26jh-r8g2-6fpr | Gradio: Dropdown validation bypass enables arbitrary input | gradio | 5.3 |
| MEDIUM | CVE-2024-7041 | open-webui: IDOR enables cross-user memory tampering | open-webui | 6.5 |
| UNKNOWN | CVE-2026-34046 | Langflow: IDOR exposes flows and plaintext API keys | langflow | - |
| CRITICAL | CVE-2026-33663 | n8n: member role steals plaintext HTTP credentials | n8n | 10.0 |
| MEDIUM | CVE-2026-33720 | n8n: OAuth state forgery hijacks user credentials | n8n | 4.2 |
| MEDIUM | CVE-2026-33722 | n8n: secrets vault bypass exposes credentials to low-priv users | n8n | 5.3 |
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | open-webui | 7.1 |
| MEDIUM | CVE-2026-28786 | Open WebUI: path traversal leaks server filesystem path | open-webui | 4.3 |
| CRITICAL | GHSA-5mg7-485q-xm76 | litellm: supply chain attack harvests AI API credentials | litellm | - |