AI Threat Alert
API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-69x8-hrgq-fjj8 | LiteLLM: auth bypass chain enables full privilege escalation | litellm | - |
| MEDIUM | CVE-2026-39411 | LobeChat: auth bypass via forged XOR obfuscated header | @lobehub/lobehub | 5.0 |
| MEDIUM | CVE-2026-5803 | openai-realtime-ui: SSRF in API proxy endpoint | 6.3 | |
| MEDIUM | CVE-2026-1163 | lollms: sessions persist after password reset | lollms | 4.1 |
| HIGH | CVE-2026-40116 | PraisonAI: unauth WebSocket drains OpenAI API credits | praisonai | 7.5 |
| HIGH | CVE-2026-40217 | LiteLLM: RCE via bytecode rewriting in guardrails API | litellm | 8.8 |
| HIGH | CVE-2026-40114 | PraisonAI: unauthenticated SSRF via unvalidated webhook_url | PraisonAI | 7.2 |
| MEDIUM | CVE-2026-40151 | PraisonAI: unauthenticated agent config and system prompt disclosure | PraisonAI | 5.3 |
| MEDIUM | CVE-2026-35657 | openclaw: auth bypass exposes agent session history via HTTP | openclaw | - |
| CRITICAL | CVE-2026-1115 | lollms: Stored XSS enables wormable account takeover | lollms | 9.6 |
| MEDIUM | CVE-2026-40086 | rembg: path traversal exposes arbitrary files via HTTP API | rembg | 5.3 |
| LOW | GHSA-r7w7-9xr2-qq2r | langchain-openai: SSRF DNS rebinding, blind network probe | langchain-openai | 3.1 |
| HIGH | GHSA-gqqj-85qm-8qhf | paperclipai: connector trust bypass enables Gmail read/write | paperclipai | 8.7 |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | flowise | - |
| HIGH | GHSA-4jpm-cgx2-8h37 | Flowise: unauth API exposes plaintext API keys and tokens | flowise | - |
| HIGH | GHSA-48m6-ch88-55mj | Flowise: Mass Assignment allows cross-tenant org takeover | flowise | 8.1 |
| MEDIUM | GHSA-m7mq-85xj-9x33 | Flowise: hardcoded default key enables JWT token forgery | flowise | 5.6 |
| MEDIUM | GHSA-6pcv-j4jx-m4vx | Flowise: unauthenticated SSO config exposes OAuth secrets | flowise | 5.3 |
| HIGH | GHSA-xmxx-7p24-h892 | OpenClaw: stale bearer token survives SecretRef rotation | openclaw | - |
| LOW | GHSA-gc9r-867r-j85f | openclaw: auth bypass in Teams SSO invoke handler | openclaw | - |