API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-50027 | mcp-memory-service: auth bypass on document API | mcp-memory-service | 9.8 |
| MEDIUM | CVE-2026-58653 | PraisonAI: IDOR cross-tenant data pollution | praisonai | 4.3 |
| HIGH | GHSA-qjpc-qf9m-xwmr | OpenClaw: WebSocket scope bypass grants admin authority | openclaw | 8.8 |
| HIGH | GHSA-rggc-m335-3wvj | OpenClaw: forged identity headers bypass proxy auth | openclaw | - |
| HIGH | CVE-2026-45499 | Azure OpenAI: SSRF flaw enables privilege escalation | 8.8 | |
| HIGH | CVE-2026-33845 | GnuTLS: DTLS integer underflow enables OOB read/DoS | rhaiis/vllm-rocm-rhel9 | 7.5 |
| MEDIUM | CVE-2026-14898 | OpenAI Codex: prompt injection exfils data via images | 6.5 | |
| CRITICAL | GHSA-vjc7-jrh9-9j86 | 9Router: no-auth API leaks keys, chats, provider control | 9router | 10.0 |
| MEDIUM | CVE-2026-55438 | Coder: CORS bypass via workspace subdomain proxy | github.com/coder/coder/v2 | 5.8 |
| HIGH | CVE-2026-55436 | Coder AI Bridge Proxy: TLS bypass leaks BYOK keys | github.com/coder/coder/v2 | 7.4 |
| MEDIUM | CVE-2026-55435 | Coder AI Bridge: suspended user auth bypass | github.com/coder/coder/v2 | 5.4 |
| MEDIUM | CVE-2026-55434 | Coder: AI Bridge unbounded read enables DoS | github.com/coder/coder/v2 | 6.5 |
| MEDIUM | CVE-2026-55078 | Coder: zip decompression bomb crashes coderd (DoS) | github.com/coder/coder/v2 | 6.5 |
| MEDIUM | CVE-2026-55430 | Coder: X-Forwarded-Host spoof leaks victim app data | github.com/coder/coder/v2 | 5.8 |
| HIGH | CVE-2026-55429 | Coder: cross-workspace agent hijack via app ID reuse | github.com/coder/coder/v2 | 8.7 |
| HIGH | CVE-2026-55076 | Coder: OIDC type-confusion enables account takeover | github.com/coder/coder/v2 | 7.4 |
| MEDIUM | CVE-2026-34225 | open-webui: blind SSRF via image-edit URL fetch | open-webui | 4.3 |
| HIGH | CVE-2026-48957 | Joomla: fallo de control de acceso en com_privacy | 8.8 | |
| HIGH | CVE-2026-53518 | better-auth: race condition mints duplicate OAuth tokens | 8.1 | |
| CRITICAL | CVE-2026-59706 | mem0: unauth config API leaks API keys + SSRF | 9.3 |