AI Threat Alert
Auth Bypass
AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that escapes a sandboxed agent into the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023; CISA KEV has flagged at least one (the MLflow path-traversal/auth chain). Defenses: keep self-hosted AI platforms patched aggressively, require auth on all model endpoints, network-segment inference servers, and treat any exposed AI service as if compute-cost abuse will happen.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2024-7990 | open-webui: Stored XSS enables admin session hijack | open-webui | 8.4 |
| HIGH | CVE-2024-8053 | Open-WebUI: unauthenticated PDF endpoint enables DoS | open-webui | 7.5 |
| HIGH | CVE-2024-7983 | open-webui: unauthenticated DoS via markdown parser | open-webui | 7.5 |
| HIGH | CVE-2024-7806 | Open-WebUI: CSRF enables RCE via pipeline code injection | open-webui | 8.0 |
| MEDIUM | GHSA-564p-rx2q-4c8v | BentoML: open redirect exposes ML teams to phishing | bentoml | 6.1 |
| HIGH | CVE-2024-7053 | open-webui: XSS enables admin session hijack via chat | open-webui | 7.6 |
| MEDIUM | CVE-2024-7046 | Open WebUI: missing authz leaks admin credentials | open-webui | 4.3 |
| HIGH | CVE-2024-7039 | open-webui: Privilege bypass enables admin account deletion | open-webui | 8.3 |
| HIGH | CVE-2024-12537 | Open-WebUI: unauthenticated DoS via code formatter | open-webui | 7.5 |
| MEDIUM | CVE-2024-7045 | open-webui: missing authz exposes admin prompts | open-webui | 4.3 |
| MEDIUM | CVE-2024-7044 | Open WebUI: Stored XSS via file upload, session hijack | open-webui | 6.8 |
| HIGH | CVE-2024-7043 | Open WebUI: auth bypass exposes all user files | open-webui | 8.1 |
| HIGH | CVE-2024-9606 | LiteLLM: API key leakage in logs exposes credentials | litellm | 7.5 |
| HIGH | CVE-2025-0628 | litellm: privilege escalation viewer→proxy admin via bad API key | litellm | 8.1 |
| HIGH | CVE-2025-0330 | LiteLLM: Langfuse API key leak via error handling | litellm | 7.5 |
| HIGH | CVE-2024-6825 | LiteLLM: RCE via post_call_rules callback injection | litellm | 8.8 |
| CRITICAL | CVE-2023-25574 | JupyterHub LTI13: JWT forgery enables full auth bypass | jupyterhub-ltiauthenticator | 10.0 |
| HIGH | CVE-2025-25297 | Label Studio: SSRF via S3 endpoint exposes internal services | label-studio | 8.6 |
| HIGH | CVE-2025-23205 | nbgrader: Clickjacking exposes formgrader via IFrame | - | |
| CRITICAL | CVE-2023-6021 | Ray: LFI allows unauthenticated file read | ray | 9.3 |