Auth Bypass
AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that escapes a sandboxed agent into the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023; CISA KEV has flagged at least one (the MLflow path-traversal/auth chain). Defenses: keep self-hosted AI platforms patched aggressively, require auth on all model endpoints, network-segment inference servers, and treat any exposed AI service as if compute-cost abuse will happen.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-2275 | CrewAI: RCE via Docker fallback in CodeInterpreter | - | 9.6 |
| CRITICAL | CVE-2026-2286 | CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services | - | 9.8 |
| CRITICAL | CVE-2026-2287 | CrewAI: Docker sandbox fallback enables RCE | - | 9.8 |
| MEDIUM | GHSA-68f8-9mhj-h2mp | OpenClaw: HTTP scope bypass enables model enumeration | openclaw | - |
| HIGH | GHSA-hr5v-j9h9-xjhg | OpenClaw: sandbox escape via mediaUrl path traversal | openclaw | 7.7 |
| HIGH | CVE-2026-29872 | awesome-llm-apps MCP Agent: cross-session credential theft | - | 8.2 |
| MEDIUM | CVE-2026-34452 | Anthropic SDK: TOCTOU symlink escape in async memory tool | anthropic | - |
| HIGH | CVE-2026-34955 | PraisonAI: sandbox escape via shell=True blocklist bypass | praisonai | 8.8 |
| HIGH | CVE-2026-34936 | PraisonAI: SSRF via api_base steals cloud IAM credentials | praisonai | 7.7 |
| HIGH | CVE-2026-34937 | PraisonAI: OS command injection via run_python() shell escape | praisonaiagents | 7.8 |
| HIGH | CVE-2026-34222 | Open WebUI: access control bypass leaks Tool Valve API keys | open-webui | 7.7 |
| MEDIUM | GHSA-9q7v-8mr7-g23p | OpenClaw: SSRF in marketplace fetch hits internal AI infra | openclaw | - |
| HIGH | CVE-2026-35175 | Ajenti: missing authz lets any user install packages | - | - |
| CRITICAL | CVE-2026-0545 | MLflow: auth bypass in job API enables unauthenticated RCE | mlflow | 9.1 |
| CRITICAL | CVE-2026-35030 | LiteLLM: auth bypass via JWT cache key collision | litellm | 9.1 |
| UNKNOWN | CVE-2026-35029 | LiteLLM: auth bypass allows RCE and full takeover | litellm | - |
| MEDIUM | CVE-2026-34753 | vLLM: SSRF in batch API exposes cloud metadata endpoints | vllm | 5.4 |
| MEDIUM | CVE-2026-33709 | JupyterHub: open redirect enables post-login phishing | jupyterhub | - |
| HIGH | CVE-2026-33175 | oauthenticator: auth bypass enables JupyterHub account takeover | - | 8.8 |
| MEDIUM | GHSA-mvv8-v4jj-g47j | Directus: cleartext storage exposes AI API keys | - | 6.5 |