API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-56778 | n8n: workflow:read scope triggers executions via API | n8n | 6.4 |
| UNKNOWN | CVE-2026-59821 | LiteLLM: code exec via unsandboxed Custom Guardrails | litellm | - |
| UNKNOWN | CVE-2026-59209 | n8n: editor-level access leaks credential headers | n8n | - |
| HIGH | CVE-2026-59224 | Open WebUI: terminal proxy allows user ID spoofing | open-webui | 8.0 |
| MEDIUM | CVE-2026-59853 | SiYuan: broken access control leaks private note data | 6.5 | |
| HIGH | CVE-2026-60091 | PraisonAI: SSRF via webhook_url DNS rebinding | praisonai | 7.2 |
| CRITICAL | CVE-2026-61444 | PraisonAI: code injection via f-string in deploy API | praisonai | 9.1 |
| CRITICAL | CVE-2026-54069 | SiYuan Note: chrome-extension origin auth bypass | github.com/siyuan-note/siyuan/kernel | - |
| HIGH | CVE-2026-54066 | SiYuan: /assets path traversal exposes API secrets | github.com/siyuan-note/siyuan/kernel | 7.5 |
Page 25 of 25