API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, enforce per-tenant rate limits, issue separate key scopes for read vs. admin operations, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | open-webui | 7.3 |
| HIGH | CVE-2026-44567 | Open WebUI: auth bypass gives pending users full LLM access | open-webui | 7.3 |
| HIGH | CVE-2026-44549 | open-webui: XSS via XLSX preview enables session hijack | open-webui | 7.3 |
| MEDIUM | CVE-2026-44560 | open-webui: RAG auth bypass exposes private files | open-webui | 6.5 |
| MEDIUM | CVE-2026-44561 | open-webui: auth bypass exposes private group channels | open-webui | 5.4 |
| MEDIUM | CVE-2026-44564 | open-webui: auth bypass in collaborative doc editing | open-webui | 5.4 |
| HIGH | CVE-2026-44570 | open-webui: IDOR exposes cross-user AI memory data | open-webui | 8.3 |
| MEDIUM | CVE-2026-44571 | open-webui: auth bypass allows message tampering | open-webui | 6.5 |
| HIGH | CVE-2026-44569 | Open WebUI: IDOR enables cross-user message tampering | open-webui | 7.1 |
| MEDIUM | CVE-2026-43979 | local-deep-research: HTML injection enables SSRF via WeasyPrint | local-deep-research | 5.0 |
| HIGH | CVE-2026-45134 | LangSmith: prompt deserialization enables SSRF + data leak | langchain | 7.1 |
| HIGH | GHSA-7g73-99r4-m4mj | Flowise: credential data leak via filtered API endpoint | flowise | - |
| HIGH | CVE-2026-45732 | n8n: OAuth token hijack via credential permission bypass | n8n | - |
| HIGH | CVE-2026-45675 | Open WebUI: TOCTOU race grants admin on first OAuth/LDAP | open-webui | 8.1 |
| MEDIUM | CVE-2026-45667 | open-webui: unauth endpoint drains embedding budget/DoS | open-webui | 6.5 |
| MEDIUM | CVE-2026-45666 | open-webui: IDOR exposes cross-user note data | open-webui | 6.5 |
| HIGH | GHSA-3wgj-c2hg-vm6q | open-webui: XSS via OAuth SVG picture → account takeover | open-webui | 7.3 |
| HIGH | CVE-2026-45399 | Open WebUI: task auth bypass enables cross-user DoS | open-webui | 7.1 |
| HIGH | CVE-2026-45398 | open-webui: IDOR exposes private RAG knowledge bases | open-webui | 7.5 |
| MEDIUM | CVE-2026-45387 | open-webui: system prompt leakage via model read API | open-webui | 4.3 |