API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-35670 | OpenClaw: webhook rebinding exposes user data | OpenClaw | 5.9 |
| MEDIUM | CVE-2026-52816 | Gogs: XSS via data URI in ipynb sanitizer endpoint | gogs.io/gogs | - |
| LOW | CVE-2026-55542 | Snipe-IT: auth bypass exposes S3 signature image URLs | snipe/snipe-it | - |
| HIGH | CVE-2026-7574 | Claude Desktop: VM integrity bypass enables RCE | Claude Desktop Cowork | 8.7 |
| UNKNOWN | CVE-2026-50709 | Frappe Framework: Stored XSS in Notifications Events panel | - | |
| MEDIUM | CVE-2026-54033 | LibreChat: SSRF via custom API baseURL exposes internal network | 6.5 | |
| MEDIUM | CVE-2026-11703 | wolfSSL: TLS session resumption skips SNI/ALPN check | - | |
| CRITICAL | CVE-2025-71334 | Flowise: path traversal → RCE via missing UUID validation | Flowise | 9.8 |
| MEDIUM | CVE-2026-9699 | Mattermost: OpenAI API key leaks into logs on auth errors | 6.8 | |
| HIGH | CVE-2026-13484 | MLflow: missing authz in label schema CRUD API | 8.8 | |
| MEDIUM | CVE-2026-49835 | Sigstore TSA: unbounded metrics label DoS | github.com/sigstore/timestamp-authority | 5.9 |
| HIGH | CVE-2026-10129 | Langflow: SSRF protection bypass via redirect | langflow | 8.5 |
| CRITICAL | CVE-2026-10140 | Langflow: cross-tenant API credential leak via cache bug | langflow | 9.6 |
| CRITICAL | CVE-2026-7874 | Langflow: weak reversible KDF exposes all stored credentials | langflow | 9.1 |
| UNKNOWN | CVE-2026-56277 | Flowise: wildcard CORS on TTS endpoint abuses creds | Flowise | - |
| MEDIUM | CVE-2026-56399 | Open WebUI: SSRF in web retrieval hits internal services | open-webui | 5.0 |
| CRITICAL | CVE-2026-23537 | Feast: unauth file write to RCE via /save-document | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | 9.1 |
| MEDIUM | CVE-2026-49088 | Kibana: sensitive headers leaked via APM logs | 4.4 | |
| UNKNOWN | CVE-2026-8147 | MLflow: auth bypass allows cross-experiment trace access | mlflow/mlflow | - |
| HIGH | CVE-2025-69134 | OpenAI Chatbot WP Helper: unauth content deletion | OpenAI Chatbot for WordPress – Helper | 7.5 |