AI Threat Alert
Auth Bypass
AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that escapes a sandboxed agent into the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023; CISA KEV has flagged at least one (the MLflow path-traversal/auth chain). Defenses: keep self-hosted AI platforms patched aggressively, require auth on all model endpoints, network-segment inference servers, and treat any exposed AI service as if compute-cost abuse will happen.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2026-2492 | TensorFlow: security flaw enables exploitation | - | |
| CRITICAL | CVE-2026-28451 | OpenClaw: SSRF via Feishu extension exposes internal services | openclaw | 9.3 |
| CRITICAL | CVE-2026-2635 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| MEDIUM | CVE-2026-28415 | gradio: Info Disclosure leaks sensitive data | gradio | 4.7 |
| HIGH | CVE-2026-30820 | Flowise: header spoof auth bypass exposes admin API & creds | flowise | 8.8 |
| UNKNOWN | CVE-2026-30822 | Flowise: mass assignment allows unauthenticated DB injection | flowise | - |
| UNKNOWN | CVE-2026-30823 | Flowise: IDOR enables account takeover and SSO bypass | flowise | - |
| CRITICAL | CVE-2026-30824 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | flowise | 9.8 |
| HIGH | CVE-2026-31829 | Flowise: SSRF via HTTP Node exposes internal network | flowise-components | 8.8 |
| MEDIUM | CVE-2025-12343 | ffmpeg: security flaw enables exploitation | 5.5 | |
| CRITICAL | CVE-2024-35198 | TorchServe: URL bypass enables arbitrary model loading | torchserve | 9.8 |
| HIGH | CVE-2024-35199 | TorchServe: default gRPC exposure allows unauth inference | torchserve | 8.2 |
| MEDIUM | CVE-2025-46148 | PyTorch: PairwiseDistance silent miscalculation, integrity risk | pytorch | 5.3 |
| CRITICAL | CVE-2023-44467 | LangChain: RCE bypass via __import__ in PAL chain | langchain_experimental | 9.8 |
| HIGH | CVE-2023-46229 | LangChain: SSRF in URL loader exposes internal network | langchain | 8.8 |
| HIGH | CVE-2024-3095 | LangChain: SSRF in Web Retriever exposes cloud metadata | langchain | 7.7 |
| CRITICAL | CVE-2025-2828 | LangChain RequestsToolkit: SSRF exposes cloud metadata | langchain | 10.0 |
| CRITICAL | CVE-2025-45150 | ChatGLM-Webui: arbitrary file read, no auth required | langchain-chatglm-webui | 9.8 |
| HIGH | CVE-2025-8709 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| MEDIUM | CVE-2023-1651 | AI ChatBot WP: auth bypass exposes OpenAI config + XSS | wpbot | 5.4 |
Page 1 of 28