AI Threat Alert
API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2025-61620 | vllm: DoS via Jinja template injection in chat API | vllm | 6.5 |
| MEDIUM | CVE-2026-33401 | Wallos: SSRF allows internal network access | 6.5 | |
| HIGH | CVE-2024-7036 | open-webui: unauthenticated DoS disables Admin panel | open-webui | 7.5 |
| MEDIUM | GHSA-hf3c-wxg2-49q9 | vLLM: DoS via unbounded XGrammar schema cache | vllm | 6.5 |
| HIGH | CVE-2024-8984 | litellm: unauthenticated DoS via multipart boundary parsing | litellm | 7.5 |
| HIGH | CVE-2024-6982 | lollms: RCE via eval() sandbox bypass in Calculate | lollms | 8.4 |
| MEDIUM | CVE-2024-7035 | Open WebUI: CSRF wipes RAG DB and AI memories via GET | open-webui | 6.9 |
| HIGH | CVE-2024-8020 | pytorch-lightning: unauthenticated DoS crashes LightningApp | pytorch-lightning | 7.5 |
| HIGH | CVE-2024-7990 | open-webui: Stored XSS enables admin session hijack | open-webui | 8.4 |
| HIGH | CVE-2024-8060 | OpenWebUI: path traversal RCE via audio upload API | open-webui | 8.1 |
| HIGH | CVE-2024-8053 | Open-WebUI: unauthenticated PDF endpoint enables DoS | open-webui | 7.5 |
| HIGH | CVE-2024-7983 | open-webui: unauthenticated DoS via markdown parser | open-webui | 7.5 |
| HIGH | CVE-2024-7806 | Open-WebUI: CSRF enables RCE via pipeline code injection | open-webui | 8.0 |
| HIGH | GHSA-6wj5-5pgr-jwq8 | open-webui: DoS via malformed multipart boundary | open-webui | 7.5 |
| HIGH | GHSA-w466-2wfc-8g58 | open-webui: DoS via starlette memory exhaustion | open-webui | 7.5 |
| HIGH | CVE-2024-7053 | open-webui: XSS enables admin session hijack via chat | open-webui | 7.6 |
| MEDIUM | CVE-2024-7046 | Open WebUI: missing authz leaks admin credentials | open-webui | 4.3 |
| HIGH | CVE-2024-12534 | open-webui: unauthenticated DoS via login payload flood | open-webui | 7.5 |
| MEDIUM | CVE-2024-7034 | open-webui: path traversal allows arbitrary file write/RCE | open-webui | 6.5 |
| HIGH | CVE-2024-7039 | open-webui: Privilege bypass enables admin account deletion | open-webui | 8.3 |