API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
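The defenses listed above, as an added example that is not part of this page or of any of the servers it names: a minimal gateway check for an OpenAI-compatible route that enforces a bearer key on every path, separates read from admin scopes, denies cross-tenant access, and applies a per-tenant token bucket. The key store, routes, tenants and origin allowlist are constructed for illustration; the caller supplies `now` as monotonic seconds so the rate limiter is deterministic.

```python
import hmac

# Constructed sample key store: api key -> (tenant, scope); real deployments hold only hashes
KEYS = {"sk-tenant-a-read": ("tenant-a", "read"),
        "sk-tenant-a-admin": ("tenant-a", "admin"),
        "sk-tenant-b-read": ("tenant-b", "read")}
# Deny-by-default route table: unlisted paths are rejected, key management is admin-only
ROUTE_SCOPES = {"/v1/chat/completions": {"read", "admin"}, "/key/generate": {"admin"}}
ALLOWED_ORIGINS = {"https://app.example.com"}  # explicit allowlist, never "*"


class Gateway:
    def __init__(self, per_sec: float = 2.0, burst: int = 5):
        self.per_sec, self.burst = per_sec, burst
        self.buckets: dict[str, list[float]] = {}  # tenant -> [tokens, last_refill]

    def _identify(self, auth_header):  # Bearer header -> (tenant, scope), or None
        if not auth_header or not auth_header.startswith("Bearer "):
            return None
        presented = auth_header[len("Bearer "):]
        for key, ident in KEYS.items():  # constant-time compare, no prefix timing leak
            if hmac.compare_digest(key, presented):
                return ident
        return None

    def _take(self, tenant, now):  # per-tenant token bucket: refill to burst, spend one
        b = self.buckets.setdefault(tenant, [float(self.burst), now])
        b[0] = min(self.burst, b[0] + (now - b[1]) * self.per_sec)
        b[1] = now
        if b[0] < 1:
            return False
        b[0] -= 1
        return True

    def check(self, req: dict, now: float) -> tuple[int, str]:  # only 200 reaches the model
        if req.get("origin") is not None and req["origin"] not in ALLOWED_ORIGINS:
            return 403, "origin not allowed"           # browser caller from unknown site
        ident = self._identify(req.get("authorization"))
        if ident is None:
            return 401, "missing or invalid api key"   # auth required on every route
        tenant, scope = ident
        allowed = ROUTE_SCOPES.get(req.get("path"))
        if allowed is None:
            return 404, "unknown route"
        if scope not in allowed:
            return 403, "key scope not permitted"      # read key cannot hit admin routes
        if req.get("tenant", tenant) != tenant:
            return 403, "cross-tenant access denied"   # caller names another tenant's data
        if not self._take(tenant, now):
            return 429, "tenant rate limit exceeded"   # protects quota and GPU time
        return 200, tenant
```

Whatever serves the model behind this check must still filter every lookup by the returned tenant; the gateway only proves who is calling, not what rows they may see.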
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-21893 | n8n: Input Validation flaw enables exploitation | n8n | 7.2 |
| MEDIUM | CVE-2026-25631 | n8n: Input Validation flaw enables exploitation | n8n | 6.5 |
| HIGH | CVE-2024-4888 | litellm: arbitrary file deletion via audio endpoint | litellm | 8.1 |
| HIGH | CVE-2024-10188 | litellm: unauthenticated DoS crashes LLM proxy server | litellm | 7.5 |
| MEDIUM | CVE-2025-45809 | LiteLLM: SQL injection in key management API | litellm | 5.4 |
| UNKNOWN | CVE-2025-11203 | LiteLLM: Info Disclosure leaks sensitive data | - | - |
| MEDIUM | CVE-2026-30886 | AI component: IDOR enables unauthorized data access | - | 6.5 |
| HIGH | CVE-2026-33484 | langflow: Access Control bypass enables privilege escalation | langflow | 7.5 |
| HIGH | CVE-2026-27826 | mcp-atlassian: SSRF allows internal network access | mcp-atlassian | 8.2 |
| HIGH | GHSA-5r2p-pjr8-7fh7 | sagemaker: Allowlist Bypass evades input filtering | sagemaker | - |
| HIGH | CVE-2026-2472 | google-cloud-aiplatform: XSS enables session hijacking | google-cloud-aiplatform | - |
| HIGH | CVE-2026-1117 | lollms: Access Control bypass enables privilege escalation | lollms | 8.2 |
| HIGH | CVE-2026-22219 | chainlit: SSRF allows internal network access | chainlit | 7.7 |
| HIGH | CVE-2026-22033 | label-studio: XSS enables session hijacking | label-studio | - |
| MEDIUM | CVE-2025-67743 | local-deep-research: SSRF allows internal network access | local-deep-research | 6.3 |
| LOW | CVE-2025-63681 | open-webui: Access Control bypass enables privilege escalation | open-webui | - |
| HIGH | CVE-2025-65958 | open-webui: SSRF allows internal network access | open-webui | 8.5 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| HIGH | CVE-2025-64495 | Open WebUI: XSS-to-RCE via malicious prompt injection | open-webui | 8.7 |
| LOW | CVE-2025-50736 | pdf2zh: security flaw enables exploitation | pdf2zh | - |