API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the usual web-application vulnerability classes apply: missing or weak authentication on /v1/chat/completions and its sibling routes; broken authorization between tenants, where a key issued to one tenant can read another tenant's files, flows or stored credentials; no rate limiting, so an attacker can drain a paid quota or monopolize GPU time; and CORS policies that reflect any origin or combine a wildcard with credentials, which lets a hostile site call the API with a victim's browser session. An API key embedded in browser-side code is exposed to anyone who reads the page source, with or without CORS. The blast radius is unusual: one auth bypass on an inference endpoint exposes data and compute at once, and where the server proxies to paid hosted models it also exposes the upstream provider keys and the bill attached to them. The advisories below, from the last 18 months, are mostly in gateways, agent frameworks and orchestration tools that hold provider keys rather than in the bare inference servers, and several are exactly the classes above: unauthenticated endpoints, IDOR between users or projects, and credential exposure. Defenses: require authentication on every route, including model listing, metrics and admin endpoints; enforce per-tenant rate limits accounted in tokens rather than requests, since a single request can cost thousands of tokens; issue keys with separate scopes for inference, read and admin operations; return the same 404 for a resource that does not exist and one the caller does not own, so authorization failures are not an enumeration oracle; and pin deployments to a known-patched version while tracking each project's advisories, because these servers ship fixes often.
| Severity | Advisory (CVE or GHSA) | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-8372-7vhw-cm6q | openclaw: config redaction bypass exposes provider API keys | openclaw | - |
| HIGH | GHSA-5fw2-mwhh-9947 | Flowise: unauth TTS endpoint exposes stored AI API keys | flowise | - |
| HIGH | GHSA-w47f-j8rh-wx87 | Flowise: credential exposure via public chatflow API | flowise | - |
| LOW | CVE-2026-6597 | langflow: Plaintext credential storage via Flow API | langflow | 2.7 |
| MEDIUM | CVE-2026-6608 | FastChat: control flow flaw corrupts arena comparison | fschat | 5.3 |
| MEDIUM | CVE-2026-41495 | n8n-mcp: bearer tokens exposed in HTTP transport logs | n8n-mcp | 5.3 |
| HIGH | CVE-2026-41279 | Flowise: unauth API key abuse via TTS endpoint IDOR | flowise | 7.5 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | flowise | 7.5 |
| MEDIUM | CVE-2026-6393 | BetterDocs: Auth bypass drains OpenAI API quota | - | 4.3 |
| CRITICAL | GHSA-r75f-5x8p-qvmc | litellm: SQLi exposes all managed LLM API credentials | litellm | - |
| HIGH | GHSA-xqmj-j6mv-4862 | LiteLLM: RCE via unsandboxed prompt template rendering | litellm | - |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: RCE via MCP test endpoints privilege bypass | litellm | - |
| MEDIUM | GHSA-h2vw-ph2c-jvwf | OpenClaw: env injection exposes MiniMax API key | openclaw | - |
| LOW | GHSA-v8qf-fr4g-28p2 | OpenClaw: auth scope bypass exposes assistant-media files | openclaw | - |
| UNKNOWN | CVE-2026-41686 | @anthropic-ai/sdk: insecure file perms expose agent memory | @anthropic-ai/sdk | - |
| UNKNOWN | CVE-2026-42226 | n8n: IDOR exposes cross-user API key exfiltration | n8n | - |
| UNKNOWN | CVE-2026-42227 | n8n: IDOR leaks cross-project variables via API key | n8n | - |
| UNKNOWN | CVE-2026-42230 | n8n: MCP OAuth open redirect enables phishing | n8n | - |
| MEDIUM | GHSA-93rg-2xm5-2p9v | openclaw: auth bypass exposes Gateway bootstrap config | openclaw | - |
| LOW | CVE-2026-7846 | Langchain-Chatchat: TOCTOU race allows silent file overwrite | langchain-chatchat | 2.6 |
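The controls listed in the paragraph above, as an added example that is not code from any of the projects in the table: a policy layer that sits in front of an OpenAI-compatible endpoint and enforces bearer authentication on every route, key scopes, tenant-scoped resource lookups that return an identical 404 for missing and foreign resources, a per-tenant budget measured in model tokens, and a CORS allowlist. The route names, scope names, tenant names, keys and the front-end origin are assumptions made for illustration, not values from any advisory.

```python
"""Added example (not code from any project in the table): a policy layer for an
OpenAI-compatible endpoint with authenticated routes, key scopes, tenant-scoped
resource lookups, token-denominated rate limits and a CORS allowlist.
Route names, tenants, keys and the origin below are assumed for illustration."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Every route is listed with the scope it needs; a route missing from the table is
# denied, so a new endpoint cannot ship unauthenticated by omission.
ROUTE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/v1/models"): "inference",
    ("POST", "/v1/chat/completions"): "inference",
    ("POST", "/v1/completions"): "inference",
    ("GET", "/v1/files"): "inference",
    ("GET", "/metrics"): "admin",
    ("POST", "/v1/admin/keys"): "admin",
}
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})  # assumed front-end origin


@dataclass
class ApiKey:
    tenant: str
    scopes: FrozenSet[str]


@dataclass
class TokenBucket:
    """Budget measured in model tokens, not requests: one request can cost thousands."""
    capacity: float
    refill_per_s: float
    tokens: float
    updated: float

    def take(self, cost: float, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_s)
        self.updated = now
        if cost > self.tokens:
            return False
        self.tokens -= cost
        return True


class Gateway:
    def __init__(self, tokens_per_minute: float = 1000.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._keys: Dict[str, ApiKey] = {}          # sha256(raw key) -> metadata
        self._buckets: Dict[str, TokenBucket] = {}  # tenant -> token budget
        self._owners: Dict[str, str] = {}           # resource id -> owning tenant
        self._tpm = tokens_per_minute
        self._clock = clock

    @staticmethod
    def _digest(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def register_key(self, raw: str, tenant: str, scopes) -> None:
        # Only the hash is stored, so a dump of the key table does not yield live keys.
        self._keys[self._digest(raw)] = ApiKey(tenant, frozenset(scopes))

    def register_resource(self, resource_id: str, tenant: str) -> None:
        self._owners[resource_id] = tenant

    def _bucket(self, tenant: str) -> TokenBucket:
        if tenant not in self._buckets:
            self._buckets[tenant] = TokenBucket(self._tpm, self._tpm / 60.0,
                                                self._tpm, self._clock())
        return self._buckets[tenant]

    def authorize(self, method: str, path: str, headers: Dict[str, str],
                  resource_id: Optional[str] = None, est_tokens: int = 0) -> Tuple[int, str]:
        """Return (HTTP status, reason). Auth is checked before the route table so an
        unauthenticated caller cannot enumerate which endpoints exist."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        auth = hdrs.get("authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        key = self._keys.get(self._digest(auth[len("Bearer "):].strip()))
        if key is None:
            return 401, "unknown key"
        needed = ROUTE_SCOPES.get((method, path))
        if needed is None:
            return 404, "no such route"
        if needed not in key.scopes:
            return 403, f"scope {needed!r} required"
        # Same 404 for "does not exist" and "belongs to another tenant": no IDOR oracle.
        if resource_id is not None and self._owners.get(resource_id) != key.tenant:
            return 404, "no such resource"
        if est_tokens and not self._bucket(key.tenant).take(est_tokens, self._clock()):
            return 429, "tenant token budget exhausted"
        return 200, "ok"


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo only allowlisted origins; never reflect the request origin or send '*'
    together with credentials, which would let any site call the API as the user."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    gw = Gateway(tokens_per_minute=1000)
    gw.register_key("sk-demo-tenant-a", "tenant-a", {"inference"})
    print(gw.authorize("GET", "/metrics", {"Authorization": "Bearer sk-demo-tenant-a"}))
```

The order of checks matters: authentication first, then route and scope, then ownership, then budget, so that an unauthenticated caller learns nothing about which routes or resource identifiers exist, and a tenant that has exhausted its budget is still told which of its own resources exist. The injectable clock exists only so the refill behaviour can be exercised deterministically.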