API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
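The defenses listed above can be demonstrated as a single policy layer that runs before a request reaches the model server. The following is an added example written for this page, not code from vLLM, Ollama, LiteLLM or any other project named here. It assumes a reverse proxy hands each request to `authorize()` as a dict with `method`, `path` and lower-cased `headers`; the key table, tenant names, allowed origin and route-to-scope mapping are constructed for illustration.

```python
"""Policy checks in front of an OpenAI-compatible inference endpoint.

Added example (not any project's own code). Assumes a gateway passes each
request as {"method", "path", "headers"} with lower-cased header names.
Keys, tenants, origins and the route map below are constructed.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ApiKey:
    tenant: str
    scope: str     # "read" (inference only) or "admin" (model/server management)
    key_hash: str  # sha256 hex of the key; plaintext is never kept server-side


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed key table; a real deployment loads this from a secrets store.
KEYS = [
    ApiKey("tenant-a", "read", _sha256("sk-read-a-0001")),
    ApiKey("tenant-a", "admin", _sha256("sk-admin-a-0001")),
    ApiKey("tenant-b", "read", _sha256("sk-read-b-0001")),
]

# Browser origins allowed to call the API. Never "*" when keys are in play.
ALLOWED_ORIGINS = {"https://app.example.test"}  # constructed


def lookup_key(presented: str):
    """Return the ApiKey matching `presented`, or None. Every entry is compared
    with hmac.compare_digest so hits and misses take the same time."""
    digest = _sha256(presented)
    match = None
    for k in KEYS:
        if hmac.compare_digest(k.key_hash, digest):
            match = k
    return match


def required_scope(method: str, path: str):
    """Map a route to the scope it needs; unknown routes get None (denied)."""
    if path.startswith("/admin/") or (path.startswith("/v1/models/") and method != "GET"):
        return "admin"
    if method == "POST" and path in ("/v1/chat/completions", "/v1/completions", "/v1/embeddings"):
        return "read"
    if method == "GET" and path == "/v1/models":
        return "read"
    return None


class TokenBucket:
    """Per-tenant token bucket: `capacity` burst, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}  # tenant -> (tokens, last_seen)

    def allow(self, tenant: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(tenant, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[tenant] = (tokens, now)
            return False
        self._state[tenant] = (tokens - 1, now)
        return True


@dataclass
class Decision:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)


def authorize(request: dict, limiter: TokenBucket) -> Decision:
    h = request["headers"]
    # The key is read from exactly one place. Accepting it from several headers
    # or from query parameters is the kind of ambiguity behind
    # "restriction bypass via header swap" findings.
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(401, "missing bearer token")
    key = lookup_key(auth[len("Bearer "):])
    if key is None:
        return Decision(401, "unknown key")

    need = required_scope(request["method"], request["path"])
    if need is None:
        return Decision(404, "no such route")
    if need == "admin" and key.scope != "admin":
        return Decision(403, f"scope {key.scope} cannot access admin route")

    if not limiter.allow(key.tenant):
        return Decision(429, f"rate limit exceeded for {key.tenant}")

    cors = {}
    origin = h.get("origin")
    if origin in ALLOWED_ORIGINS:
        # Echo only allow-listed origins; an unlisted origin gets no CORS header,
        # so the browser refuses to hand the response (and any key) to that page.
        cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return Decision(200, f"ok tenant={key.tenant} scope={key.scope}", cors)


if __name__ == "__main__":
    lim = TokenBucket(capacity=2, rate=1.0)
    req = {"method": "POST", "path": "/v1/chat/completions",
           "headers": {"authorization": "Bearer sk-read-a-0001"}}
    for _ in range(3):
        d = authorize(req, lim)
        print(d.status, d.reason)
```

Run as a script, the loop shows two `200` decisions followed by a `429` once tenant-a's burst of two is spent. The ordering matters: authentication first, then scope, then the per-tenant rate limit, so an unauthenticated flood never consumes a real tenant's budget, and the limit is keyed on the tenant rather than the key so a tenant cannot multiply its quota by minting more keys.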
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-45386 | open-webui: auth bypass lets read-only users pin messages | open-webui | 4.3 |
| MEDIUM | CVE-2026-45385 | Open WebUI: IDOR lets members tamper with admin messages | open-webui | 4.3 |
| MEDIUM | CVE-2026-45365 | open-webui: auth bypass exposes admin-restricted models | open-webui | 5.4 |
| MEDIUM | CVE-2026-45351 | Open WebUI: admin system prompts exposed to all users | open-webui | 6.5 |
| HIGH | CVE-2026-45349 | open-webui: auth bypass exposes all user chat histories | open-webui | 7.1 |
| MEDIUM | CVE-2026-45347 | Open WebUI: blind SSRF via PDF export HTML injection | open-webui | 4.3 |
| MEDIUM | CVE-2026-45345 | open-webui: IDOR allows unauthorized model modification | open-webui | 6.5 |
| MEDIUM | CVE-2026-45339 | Open WebUI: API key restriction bypass via header swap | open-webui | 6.5 |
| HIGH | CVE-2026-45338 | open-webui: SSRF via OAuth picture claim leaks internal data | open-webui | 7.7 |
| HIGH | CVE-2026-45331 | open-webui: SSRF bypass exposes cloud IAM credentials | open-webui | 8.5 |
| MEDIUM | CVE-2026-45318 | open-webui: Stored XSS via Office file preview bypass | open-webui | 5.4 |
| LOW | CVE-2026-45316 | Open WebUI: read users can modify note pin state | open-webui | 3.5 |
| HIGH | CVE-2026-45314 | Open WebUI: Stored XSS via webhook SVG profile image | open-webui | - |
| HIGH | CVE-2026-45315 | open-webui: stored XSS → JWT theft and admin takeover | open-webui | 8.7 |
| HIGH | CVE-2026-45303 | Open WebUI: XSS iframe allows auth token exfiltration | open-webui | 7.7 |
| HIGH | CVE-2026-45301 | open-webui: BOLA exposes all users' uploaded files | open-webui | 8.1 |
| MEDIUM | CVE-2026-45299 | open-webui: Stored SVG XSS enables admin JWT theft | open-webui | 5.4 |
| HIGH | CVE-2026-45665 | open-webui: Stored XSS enables Super Admin session hijack | open-webui | 8.1 |
| CRITICAL | GHSA-wx9m-wx4f-4cmg | mistralai 2.4.6: supply chain dropper executes on import | mistralai | 9.6 |
| LOW | GHSA-jgg6-4rpr-wfh7 | Mistral npm SDK: supply chain attack, no impact | @mistralai/mistralai-azure | - |