Auth Bypass
AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that escapes a sandboxed agent into the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023; CISA KEV has flagged at least one (the MLflow path-traversal/auth chain). Defenses: keep self-hosted AI platforms patched aggressively, require auth on all model endpoints, network-segment inference servers, and treat any exposed AI service as if compute-cost abuse will happen.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-41273 | Flowise: auth bypass exposes OAuth 2.0 tokens | flowise | 8.2 |
| HIGH | CVE-2026-41275 | Flowise: HTTP password reset link allows MITM takeover | flowise | 7.5 |
| CRITICAL | CVE-2026-41276 | Flowise: auth bypass enables full account takeover via reset | flowise | 9.8 |
| HIGH | CVE-2026-41277 | Flowise: mass assignment enables cross-workspace IDOR | flowise | 8.8 |
| HIGH | CVE-2026-41278 | Flowise: credential exposure in public chatflow API | flowise | 7.5 |
| MEDIUM | CVE-2026-6393 | BetterDocs: Auth bypass drains OpenAI API quota | - | 4.3 |
| CRITICAL | GHSA-r75f-5x8p-qvmc | litellm: SQLi exposes all managed LLM API credentials | litellm | - |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | - |
| MEDIUM | CVE-2026-41481 | LangChain: SSRF redirect bypass exposes internal endpoints | langchain | 6.5 |
| LOW | CVE-2026-41488 | langchain-openai: SSRF via DNS rebinding in image token counter | langchain | 3.1 |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: RCE via MCP test endpoints privilege bypass | litellm | - |
| MEDIUM | GHSA-7jm2-g593-4qrc | openclaw: config guard bypass, persistent settings mutation | openclaw | - |
| MEDIUM | GHSA-qrp5-gfw2-gxv4 | openclaw: tool policy bypass via bundled MCP/LSP tools | openclaw | - |
| MEDIUM | GHSA-h2vw-ph2c-jvwf | OpenClaw: env injection exposes MiniMax API key | openclaw | - |
| LOW | GHSA-j4c5-89f5-f3pm | openclaw: SSRF policy bypass in CDP browser profile creation | openclaw | - |
| LOW | GHSA-xrq9-jm7v-g9h7 | OpenClaw: auth bypass enables cross-device session hijack | openclaw | - |
| LOW | GHSA-57r2-h2wj-g887 | openclaw: trust-label bypass amplifies prompt injection | openclaw | - |
| MEDIUM | GHSA-72q8-jcmc-97wx | openclaw: DM policy bypass via Feishu card-action callbacks | openclaw | - |
| LOW | GHSA-v8qf-fr4g-28p2 | OpenClaw: auth scope bypass exposes assistant-media files | openclaw | - |
| MEDIUM | GHSA-2xcp-x87w-q377 | openclaw: session key auth bypass in webhook routing | openclaw | - |