API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the familiar web-app vulnerability classes reappear on them: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, no rate limiting (so one caller can drain a quota or burn GPU time), and CORS that reflects any Origin, which lets a hostile page drive authenticated calls from a victim's browser; any API key shipped to browser-side code is readable by anyone who loads the page regardless of CORS. The blast radius is unusual: one auth bypass on an inference endpoint exposes data and compute at once, and when the backend is a paid hosted model it spends money directly. The entries below show the pattern that dominates in practice: the inference server itself is rarely the weak point; the wrapper in front of it is, and what leaks is the provider API key, through SSRF to an attacker-chosen upstream URL, through unauthenticated REST or file routes, through a log statement, or through SQL injection. Defenses: require auth on every endpoint, including /metrics and model-management routes; per-tenant rate limits; separate key scopes for inference and admin; keep the provider key server-side and never let a caller choose the upstream the key is sent to; and track and patch server and plugin versions aggressively.
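The defenses listed above, as an added example that is not code from this page or from any of the servers or gateways it names: a small policy layer in front of an OpenAI-compatible endpoint that authenticates every route, splits inference from admin by key scope, rate-limits per tenant and only echoes allowlisted Origins. The key table, tenant names, the `/v1/models/load` admin route, the `https://app.example.com` origin and the limits are all assumptions constructed for illustration.

```python
"""Added example, not code from the page or from any project it names: a policy
layer in front of an OpenAI-compatible inference endpoint applying the defenses
listed above (a key on every route, inference/admin scopes, per-tenant rate
limits, a CORS origin allowlist). Keys, tenants, routes and limits are constructed."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


def key_digest(raw_key: str) -> str:   # store digests so a leaked table is not a leaked key
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass(frozen=True)
class KeyRecord:
    tenant: str
    scopes: FrozenSet[str]      # "infer" for /v1 inference, "admin" for management


KEY_TABLE: Dict[str, KeyRecord] = {   # constructed; a real gateway loads this from a store
    key_digest("sk-tenant-a-reader"): KeyRecord("tenant-a", frozenset({"infer"})),
    key_digest("sk-tenant-a-admin"): KeyRecord("tenant-a", frozenset({"infer", "admin"})),
    key_digest("sk-tenant-b-reader"): KeyRecord("tenant-b", frozenset({"infer"})),
}
ROUTE_SCOPES: Dict[Tuple[str, str], str] = {   # a route not listed here is denied, never proxied
    ("POST", "/v1/chat/completions"): "infer",
    ("POST", "/v1/models/load"): "admin",      # hypothetical model-management route
    ("GET", "/metrics"): "admin",             # metrics reveal model names, tenants and load
}
ALLOWED_ORIGINS = {"https://app.example.com"}   # hypothetical first-party web app


class TokenBucket:
    """Per-tenant bucket: `rate` requests per second sustained, `capacity` burst."""
    def __init__(self, rate: float, capacity: int, now: float) -> None:
        self.rate, self.capacity, self.tokens, self.last = rate, capacity, float(capacity), now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


class Gateway:
    def __init__(self, rate: float = 5.0, burst: int = 10, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets: Dict[str, TokenBucket] = {}

    def authenticate(self, headers: Dict[str, str]) -> Optional[KeyRecord]:
        auth = headers.get("authorization", "")
        if not auth.lower().startswith("bearer "):
            return None
        presented = key_digest(auth[7:].strip())
        match = None
        for digest, record in KEY_TABLE.items():    # no early exit: timing-neutral scan
            if hmac.compare_digest(presented, digest):
                match = record
        return match

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        """Return (status, response headers); anything but 200 means do not proxy."""
        resp: Dict[str, str] = {}
        origin = headers.get("origin")
        if origin is not None:                      # browser call: allowlist, never "*"
            if origin not in ALLOWED_ORIGINS:
                return 403, resp
            resp["Access-Control-Allow-Origin"], resp["Vary"] = origin, "Origin"
        record = self.authenticate(headers)
        if record is None:
            return 401, resp
        needed = ROUTE_SCOPES.get((method, path))
        if needed is None or needed not in record.scopes:
            return 403, resp
        bucket = self.buckets.setdefault(record.tenant, TokenBucket(self.rate, self.burst, self.clock()))
        if not bucket.allow(self.clock()):
            resp["Retry-After"] = "1"
            return 429, resp
        return 200, resp


def demo() -> Dict[str, object]:
    """Drive the gateway with a fake clock so every outcome is deterministic."""
    now = [0.0]
    gw = Gateway(rate=1.0, burst=2, clock=lambda: now[0])
    reader = {"authorization": "Bearer sk-tenant-a-reader"}
    admin = {"authorization": "Bearer sk-tenant-a-admin"}
    infer = ("POST", "/v1/chat/completions")
    out: Dict[str, object] = {}
    out["no_key"] = gw.handle(*infer, {})[0]
    out["reader_infer"] = gw.handle(*infer, reader)[0]
    out["reader_on_admin_route"] = gw.handle("POST", "/v1/models/load", reader)[0]
    out["admin_on_admin_route"] = gw.handle("POST", "/v1/models/load", admin)[0]
    out["tenant_a_exhausted"] = gw.handle(*infer, reader)[0]          # burst of 2 spent
    out["tenant_b_unaffected"] = gw.handle(*infer, {"authorization": "Bearer sk-tenant-b-reader"})[0]
    now[0] = 1.0                                                       # one token refilled
    out["after_refill"] = gw.handle(*infer, reader)[0]
    out["evil_origin"] = gw.handle(*infer, {**reader, "origin": "https://evil.example"})[0]
    now[0] = 2.0
    status, hdrs = gw.handle(*infer, {**reader, "origin": "https://app.example.com"})
    out["good_origin"] = (status, hdrs.get("Access-Control-Allow-Origin"))
    return out
```

Two choices are deliberate: the scope check runs before the rate limiter, so a read-only key cannot spend a tenant's budget probing admin routes, and the bucket is keyed by tenant rather than by key, so one tenant handing out many keys cannot multiply its quota. `demo()` returns the status of each call so the behaviour can be checked without a server.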
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2023-38896 | LangChain: RCE via unsandboxed LLM code execution | langchain | 9.8 |
| HIGH | CVE-2024-28088 | LangChain: path traversal enables RCE and API key theft | langchain | 8.1 |
| CRITICAL | CVE-2024-7042 | LangChainJS: prompt injection enables full graph DB takeover | langchain | 9.8 |
| MEDIUM | CVE-2025-6854 | Langchain-Chatchat: path traversal in file API exposes host FS | langchain-chatchat | 4.3 |
| CRITICAL | CVE-2025-45150 | ChatGLM-Webui: arbitrary file read, no auth required | langchain-chatglm-webui | 9.8 |
| MEDIUM | CVE-2023-1651 | AI ChatBot WP: auth bypass exposes OpenAI config + XSS | wpbot | 5.4 |
| CRITICAL | CVE-2023-3686 | QuickAI: unauthenticated SQLi exposes OpenAI API keys | quickai_openai | 9.8 |
| HIGH | CVE-2024-34527 | SolidUI: OpenAI API key exposed via log print statement | - | 7.5 |
| MEDIUM | CVE-2024-0451 | wpbot: missing auth exposes OpenAI account files | wpbot | 5.0 |
| HIGH | CVE-2024-0452 | WordPress AI ChatBot: auth bypass enables OpenAI file upload | wpbot | 7.7 |
| HIGH | CVE-2024-0453 | WordPress ChatBot: missing authz deletes OpenAI files | wpbot | 7.7 |
| MEDIUM | CVE-2024-4858 | WP Testimonial Carousel: OpenAI API key hijack, no auth | - | 5.3 |
| LOW | CVE-2024-40594 | ChatGPT macOS: cleartext conversation storage exposed | - | 2.3 |
| HIGH | CVE-2024-6587 | LiteLLM: SSRF leaks OpenAI API key to attacker | litellm | 7.5 |
| MEDIUM | CVE-2024-6845 | ChatGPT WP Plugin: OpenAI API key leak via unauth REST | - | 5.3 |
| HIGH | CVE-2024-7714 | AYS ChatGPT WP Plugin: auth bypass disables AI service | - | 7.5 |
| CRITICAL | CVE-2024-52384 | Sage AI Plugin: unrestricted upload → web shell RCE | - | 9.9 |
| HIGH | CVE-2024-32965 | Lobe Chat: pre-auth SSRF leaks OpenAI API keys | - | 8.6 |
| MEDIUM | CVE-2024-11896 | WP Text Prompter: Stored XSS in OpenAI shortcode plugin | - | 6.4 |
| UNKNOWN | CVE-2024-56516 | free-one-api: MD5 hashing allows credential cracking | - | - |
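The "SSRF leaks the provider API key" rows above (LiteLLM, Lobe Chat) share one shape: the proxy lets the caller supply the upstream base URL and then attaches its own key to the outbound request. The following is an added example, not code from this page or from LiteLLM, Lobe Chat or any other project it names, showing that weak pattern beside a hardened upstream check. The allowlisted host, the fake DNS tables, the placeholder key and the attacker URL are assumptions constructed for illustration, and neither function performs a network request.

```python
"""Added example, not code from the page or from any project it names. Models
the pattern behind the SSRF rows above: a caller-chosen api_base plus a
server-side provider key equals a key sent to whoever the caller names.
Allowlist, DNS answers, key and attacker URL are constructed for illustration."""
import ipaddress
from typing import Callable, Dict, List
from urllib.parse import urlsplit, urlunsplit

PROVIDER_KEY = "sk-constructed-provider-key"        # constructed, not a real key
ALLOWED_UPSTREAMS = {"api.openai.com"}               # the only host this proxy may call

# Constructed resolver answers. Production code resolves via DNS and pins the
# resolved address for the connection so the answer cannot change mid-request.
FAKE_DNS: Dict[str, List[str]] = {"api.openai.com": ["104.18.6.192"]}
REBOUND_DNS: Dict[str, List[str]] = {"api.openai.com": ["127.0.0.1"]}   # rebinding attack


def vulnerable_outbound_request(api_base: str, body: dict) -> dict:
    """The weak pattern: api_base comes straight from the caller. Returns the
    request it would send instead of sending it, so the leak is visible."""
    return {"url": api_base.rstrip("/") + "/chat/completions",
            "headers": {"Authorization": "Bearer " + PROVIDER_KEY},
            "json": body}


class UpstreamRejected(ValueError):
    pass


def _is_public(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def validate_upstream(api_base: str, resolve: Callable[[str], List[str]]) -> str:
    """Return a normalized https base URL for an allowlisted host, else raise."""
    parts = urlsplit(api_base)
    if parts.scheme != "https":
        raise UpstreamRejected("scheme must be https")
    if parts.username is not None or parts.password is not None:
        # https://api.openai.com@evil.example/ parses as host evil.example
        raise UpstreamRejected("userinfo not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_UPSTREAMS:
        raise UpstreamRejected("host not allowlisted: " + host)
    if parts.port not in (None, 443):
        raise UpstreamRejected("non-standard port")
    if parts.query or parts.fragment:
        raise UpstreamRejected("query or fragment in base URL")
    for ip in resolve(host):                          # DNS-rebinding guard
        if not _is_public(ip):
            raise UpstreamRejected(host + " resolves to " + ip)
    return urlunsplit(("https", host, parts.path.rstrip("/"), "", ""))


def hardened_outbound_request(api_base: str, body: dict,
                              resolve: Callable[[str], List[str]]) -> dict:
    """Same request shape, but only after the upstream passed validate_upstream."""
    base = validate_upstream(api_base, resolve)
    return {"url": base + "/chat/completions",
            "headers": {"Authorization": "Bearer " + PROVIDER_KEY},
            "json": body,
            "allow_redirects": False}   # a 3xx from upstream must not re-route the key


def is_rejected(api_base: str, resolve: Callable[[str], List[str]]) -> bool:
    try:
        validate_upstream(api_base, resolve)
        return False
    except UpstreamRejected:
        return True
```

The allowlist is on the host, not on a URL prefix, because prefix checks are exactly what the userinfo trick (`https://api.openai.com@evil.example/`) and open-redirect upstreams defeat. A self-hosted upstream on a private network needs its own explicit entry and a relaxed address check for that host only; do not drop the public-address check globally.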