AI Threat Alert
API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | CVE-2026-7847 | Langchain-Chatchat: predictable file IDs leak uploaded files | langchain-chatchat | 2.6 |
| MEDIUM | CVE-2026-40934 | jupyter-server: auth cookie survives password reset | jupyter-server | 6.8 |
| HIGH | CVE-2026-40110 | Jupyter Server: CORS bypass via regex anchor omission | jupyter-server | - |
| MEDIUM | CVE-2025-61669 | jupyter-server: Open redirect enables credential phishing | jupyter-server | - |
| MEDIUM | CVE-2026-42045 | LobeChat: XSS-to-RCE via exposed Electron IPC | @lobehub/lobehub | 6.2 |
| HIGH | CVE-2026-33079 | mistune: ReDoS exposes Jupyter/AI services to DoS | mistune | - |
| HIGH | CVE-2026-42203 | LiteLLM: SSTI in prompt template endpoint enables RCE | litellm | 8.8 |
| CRITICAL | CVE-2026-42208 | LiteLLM: SQL injection exposes LLM API credentials | litellm | 9.8 |
| HIGH | CVE-2026-42271 | LiteLLM: RCE via MCP test endpoint command injection | litellm | 8.8 |
| MEDIUM | CVE-2026-44563 | open-webui: auth bypass exposes restricted LLM models | open-webui | 5.4 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | open-webui | 6.5 |
| MEDIUM | CVE-2026-44559 | open-webui: private channel member list exposed to any user | open-webui | 4.3 |
| MEDIUM | CVE-2026-44557 | open-webui: auth bypass exposes all knowledge base metadata | open-webui | 4.3 |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | open-webui | 8.1 |
| MEDIUM | CVE-2026-44558 | open-webui: permission bypass exposes channels publicly | open-webui | 5.4 |
| HIGH | CVE-2026-44556 | open-webui: auth bypass allows unrestricted model access | open-webui | 7.1 |
| HIGH | CVE-2026-44555 | open-webui: access control bypass via model chaining | open-webui | 7.6 |
| HIGH | CVE-2026-44553 | open-webui: stale Socket.IO role allows cross-user note R/W | open-webui | 8.1 |
| MEDIUM | CVE-2026-44550 | open-webui: mass assignment enables cross-user folder injection | open-webui | 5.0 |
| CRITICAL | CVE-2026-44551 | open-webui: LDAP auth bypass — full account takeover | open-webui | 9.1 |