Auth Bypass

AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that escapes a sandboxed agent into the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023; CISA KEV has flagged at least one (the MLflow path-traversal/auth chain).

Defenses: keep self-hosted AI platforms patched aggressively, require auth on all model endpoints, network-segment inference servers, and treat any exposed AI service as if compute-cost abuse will happen.

| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-44557 | open-webui: auth bypass exposes all knowledge base metadata | open-webui | 4.3 |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | open-webui | 8.1 |
| MEDIUM | CVE-2026-44558 | open-webui: permission bypass exposes channels publicly | open-webui | 5.4 |
| HIGH | CVE-2026-44556 | open-webui: auth bypass allows unrestricted model access | open-webui | 7.1 |
| HIGH | CVE-2026-44555 | open-webui: access control bypass via model chaining | open-webui | 7.6 |
| HIGH | CVE-2026-44553 | open-webui: stale Socket.IO role allows cross-user note R/W | open-webui | 8.1 |
| MEDIUM | CVE-2026-44550 | open-webui: mass assignment enables cross-user folder injection | open-webui | 5.0 |
| CRITICAL | CVE-2026-44551 | open-webui: LDAP auth bypass — full account takeover | open-webui | 9.1 |
| HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | open-webui | 7.3 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| UNKNOWN | CVE-2026-44694 | n8n-MCP: SSRF allows internal network access via webhook tools | n8n-mcp | - |
| MEDIUM | CVE-2026-44708 | mistune: math plugin XSS bypasses escape=True control | mistune | 6.1 |
| HIGH | CVE-2026-44567 | Open WebUI: auth bypass gives pending users full LLM access | open-webui | 7.3 |
| HIGH | CVE-2026-44549 | open-webui: XSS via XLSX preview enables session hijack | open-webui | 7.3 |
| MEDIUM | CVE-2026-44560 | open-webui: RAG auth bypass exposes private files | open-webui | 6.5 |
| MEDIUM | CVE-2026-44561 | open-webui: auth bypass exposes private group channels | open-webui | 5.4 |
| MEDIUM | CVE-2026-44564 | open-webui: auth bypass in collaborative doc editing | open-webui | 5.4 |
| CRITICAL | CVE-2026-44211 | cline: WebSocket auth bypass enables terminal RCE | cline | 9.6 |
| HIGH | CVE-2026-44570 | open-webui: IDOR exposes cross-user AI memory data | open-webui | 8.3 |
| MEDIUM | CVE-2026-44571 | open-webui: auth bypass allows message tampering | open-webui | 6.5 |