API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-54352 | Budibase: zip symlink bypass exposes all server secrets | @budibase/server | 9.6 |
| HIGH | CVE-2026-50132 | Budibase: account hijack via chat identity CSRF | 7.3 | |
| HIGH | CVE-2026-52798 | Gogs: Stored XSS via .ipynb Markdown re-render bypass | gogs.io/gogs | 8.9 |
| HIGH | CVE-2026-55409 | Filament: stored XSS in disabled RichEditor field | 7.6 | |
| HIGH | CVE-2026-56268 | Flowise: cross-workspace chatflow config disclosure | Flowise | 7.7 |
| MEDIUM | CVE-2026-22174 | OpenClaw: local token leak via CDP probe hijack | OpenClaw | 6.8 |
| HIGH | CVE-2026-32034 | OpenClaw: auth bypass enables high-privilege agent control | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-32045 | OpenClaw: auth bypass exposes HTTP gateway routes | OpenClaw | 5.9 |
| HIGH | CVE-2026-32042 | OpenClaw: privilege escalation via unpaired device identity | OpenClaw | 8.8 |
| LOW | CVE-2026-32897 | OpenClaw: auth token leak via prompt hash fallback | OpenClaw | 3.7 |
| CRITICAL | CVE-2026-32913 | OpenClaw: auth header leak via cross-origin redirect | OpenClaw | 9.3 |
| MEDIUM | CVE-2026-33576 | OpenClaw: pre-auth media fetch enables disk exhaustion DoS | OpenClaw | 6.5 |
| HIGH | CVE-2026-33575 | OpenClaw: gateway credential exposed in pairing setup codes | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-33580 | OpenClaw: webhook brute-force enables event forgery | OpenClaw | 6.5 |
| HIGH | CVE-2026-34504 | OpenClaw: SSRF in fal provider exposes internal services | OpenClaw | 8.3 |
| MEDIUM | CVE-2026-35619 | OpenClaw: auth bypass exposes AI gateway model metadata | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-35621 | OpenClaw: privilege escalation via scope bypass in allowlist | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35628 | OpenClaw: webhook brute-force bypasses AI agent auth | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-35644 | OpenClaw: credential exposure via gateway channel URLs | OpenClaw | 6.5 |
| HIGH | CVE-2026-35639 | OpenClaw: scope bypass enables admin RCE via device pairing | OpenClaw | 8.8 |