Auth Bypass
AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that lets a sandboxed agent reach the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023, and CISA KEV has flagged at least one (the MLflow path-traversal/auth chain). Defenses: patch self-hosted AI platforms aggressively, require authentication on every model endpoint, network-segment inference servers, and assume that any exposed AI service will see compute-cost abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-g2hm-779g-vm32 | openclaw: auth bypass preserves owner-level agent execution | openclaw | - |
| MEDIUM | GHSA-c4qm-58hj-j6pj | openclaw: SSRF bypass exposes internal pages in browser tool | openclaw | - |
| HIGH | GHSA-8372-7vhw-cm6q | openclaw: config redaction bypass exposes provider API keys | openclaw | - |
| MEDIUM | GHSA-jwrq-8g5x-5fhm | openclaw: auth context reuse enables privilege escalation | openclaw | - |
| HIGH | GHSA-5fw2-mwhh-9947 | Flowise: unauth TTS endpoint exposes stored AI API keys | flowise | - |
| HIGH | GHSA-w47f-j8rh-wx87 | Flowise: credential exposure via public chatflow API | flowise | - |
| HIGH | GHSA-3prp-9gf7-4rxx | Flowise: Mass assignment enables cross-tenant store takeover | flowise | - |
| MEDIUM | GHSA-92jp-89mq-4374 | openclaw: auth bypass exposes sandbox browser session | openclaw | - |
| HIGH | CVE-2026-6596 | Langflow: unauthenticated file upload allows RCE | langflow-base | 7.3 |
| MEDIUM | CVE-2026-6599 | Langflow: MCP config injection via X-Forwarded-For header | langflow | 6.3 |
| HIGH | CVE-2026-39861 | Claude Code: sandbox escape via symlink allows arbitrary write | @anthropic-ai/claude-code | - |
| HIGH | GHSA-2r2p-4cgf-hv7h | engramx: CSRF injects persistent prompts into AI agents | - | - |
| MEDIUM | CVE-2026-41495 | n8n-mcp: bearer tokens exposed in HTTP transport logs | n8n-mcp | 5.3 |
| HIGH | CVE-2026-41279 | Flowise: unauth API key abuse via TTS endpoint IDOR | flowise | 7.5 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | flowise | 7.5 |
| CRITICAL | CVE-2026-41267 | Flowise: mass assignment auth bypass in registration | flowise | 9.8 |
| CRITICAL | CVE-2026-41268 | Flowise: unauthenticated RCE via NODE_OPTIONS env injection | flowise | 9.8 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | flowise | 7.1 |