API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-54236 | vLLM: heap address leak enables ASLR bypass | vllm | 5.3 |
| CRITICAL | CVE-2026-35304 | Oracle Coherence: unauthenticated HTTPS takeover | coherence | 9.8 |
| CRITICAL | CVE-2026-35305 | Oracle Coherence: unauth data exfiltration via bundled libs | coherence | 9.3 |
| CRITICAL | CVE-2026-35306 | Oracle Coherence: unauthenticated data access via HTTP | coherence | 9.3 |
| CRITICAL | CVE-2026-35307 | Oracle Coherence: unauthenticated RCE, CVSS 10.0 | coherence | 10.0 |
| CRITICAL | CVE-2026-35308 | Oracle Coherence: unauthenticated RCE via third-party jars | coherence | 10.0 |
| CRITICAL | CVE-2026-35309 | Oracle Coherence: unauthenticated RCE via HTTP (CVSS 9.8) | coherence | 9.8 |
| CRITICAL | CVE-2026-35310 | Oracle Coherence: unauthenticated HTTP full takeover | coherence | 9.8 |
| MEDIUM | CVE-2026-54022 | open-webui: Yjs auth bypass exposes all user notes | open-webui | 5.3 |
| MEDIUM | CVE-2026-54021 | open-webui: auth bypass reaches restricted Ollama backends | open-webui | 6.3 |
| HIGH | GHSA-8ccj-p46r-jwqq | PraisonAI: auth bypass exposes full agent invocation API | praisonai | 8.2 |
| HIGH | GHSA-jxcw-qp4h-6jfq | praisonai: incomplete auth fix exposes A2U agent streams | praisonai | 7.5 |
| CRITICAL | GHSA-892r-p3jq-jp24 | PraisonAI AgentOS: unauth remote agent invocation (CVSS 9.8) | praisonai | 9.8 |
| CRITICAL | GHSA-fq2m-6wqh-x44g | praisonai: unauthenticated Jobs API enables remote agent RCE | praisonai | 9.8 |
| CRITICAL | GHSA-j4f3-55x4-r6q2 | praisonai: MCP HTTP server unauthenticated tool invocation | praisonai | 9.8 |
| CRITICAL | GHSA-9752-mhqh-h34f | praisonai npm: AgentOS missing auth enables agent abuse | praisonai | 9.4 |
| UNKNOWN | CVE-2026-54003 | Kirby CMS: admin takeover via reverse proxy header bypass | getkirby/cms | - |
| HIGH | CVE-2026-54002 | Kirby CMS: stored XSS bypasses DOM sanitizer via unwrap flaw | getkirby/cms | - |
| MEDIUM | CVE-2026-50188 | Kirby CMS: CRLF injection overrides outbound HTTP headers | getkirby/cms | - |
| HIGH | GHSA-fq4x-789w-jg5h | agenticmail: email prompt injection → bypassPermissions RCE | @agenticmail/openclaw | - |