API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-54683 | nl-portal documenten-api: IDOR exposes citizen documents | nl.nl-portal:documenten-api | 6.5 |
| HIGH | CVE-2026-56076 | PraisonAI: CORS bypass enables arbitrary agent execution | PraisonAI | 8.1 |
| MEDIUM | CVE-2026-55414 | nl-portal: GraphQL SSRF exposes Objecten-API auth token | nl.nl-portal:form | 5.3 |
| MEDIUM | CVE-2026-55375 | canto-saas-api: OAuth credentials logged via query params | jleehr/canto-saas-api | 5.3 |
| LOW | CVE-2026-49215 | Symfony LiveComponent: CSRF bypass via safelisted header | symfony/ux-live-component | - |
| MEDIUM | CVE-2026-49345 | Mercator: SSRF enables internal network RCE via gopher:// | - | |
| HIGH | CVE-2026-56340 | vLLM: sparse tensor DoS/memory corruption via embeddings | vllm | 7.5 |
| HIGH | CVE-2025-71379 | vLLM: ReDoS via crafted API input causes DoS | vllm | 7.5 |
| HIGH | CVE-2026-12770 | litellm: auth bypass in Admin Key Handler endpoint | litellm | 8.8 |
| HIGH | CVE-2026-12771 | litellm: JWT auth bypass in M2M proxy handler | litellm | 7.5 |
| MEDIUM | CVE-2026-12772 | litellm: session expiration bypass in proxy auth | litellm | 6.3 |
| MEDIUM | CVE-2026-12774 | litellm: SSRF in MCP server exposes cloud metadata | litellm | 6.3 |
| HIGH | CVE-2026-12773 | litellm: auth bypass in MCP proxy, no credentials required | litellm | 7.3 |
| HIGH | CVE-2026-12795 | litellm: auth bypass in SSO debug exposes LLM proxy | litellm | 7.3 |
| MEDIUM | CVE-2026-12797 | litellm: auth bypass in banned keywords enterprise hook | litellm | 6.3 |
| MEDIUM | CVE-2026-12799 | litellm: authorization bypass exposes user list | litellm | 4.3 |
| MEDIUM | CVE-2026-12796 | litellm: SSO session expiration allows auth persistence | litellm | 6.3 |
| HIGH | CVE-2026-9029 | Grafana: stored XSS in geomap bypasses CVE-2023-0507 fix | 7.3 | |
| HIGH | CVE-2026-10845 | WebSphere AS: JAX-WS auth bypass, unauthorized access | 7.3 | |
| HIGH | CVE-2026-54353 | Budibase: SSRF via DNS rebinding in automation steps | @budibase/backend-core | 8.5 |