Auth Bypass
AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that escapes a sandboxed agent into the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023; CISA KEV has flagged at least one (the MLflow path-traversal/auth chain). Defenses: keep self-hosted AI platforms patched aggressively, require auth on all model endpoints, network-segment inference servers, and treat any exposed AI service as if compute-cost abuse will happen.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-45387 | open-webui: system prompt leakage via model read API | open-webui | 4.3 |
| MEDIUM | CVE-2026-45386 | open-webui: auth bypass lets read-only users pin messages | open-webui | 4.3 |
| MEDIUM | CVE-2026-45385 | Open WebUI: IDOR lets members tamper with admin messages | open-webui | 4.3 |
| MEDIUM | CVE-2026-45365 | open-webui: auth bypass exposes admin-restricted models | open-webui | 5.4 |
| MEDIUM | CVE-2026-45351 | Open WebUI: admin system prompts exposed to all users | open-webui | 6.5 |
| HIGH | CVE-2026-45350 | open-webui: missing authz allows admin tool hijacking | open-webui | 7.1 |
| HIGH | CVE-2026-45349 | open-webui: auth bypass exposes all user chat histories | open-webui | 7.1 |
| MEDIUM | CVE-2026-45345 | open-webui: IDOR allows unauthorized model modification | open-webui | 6.5 |
| MEDIUM | CVE-2026-45339 | Open WebUI: API key restriction bypass via header swap | open-webui | 6.5 |
| HIGH | CVE-2026-45338 | open-webui: SSRF via OAuth picture claim leaks internal data | open-webui | 7.7 |
| HIGH | CVE-2026-45331 | open-webui: SSRF bypass exposes cloud IAM credentials | open-webui | 8.5 |
| MEDIUM | CVE-2026-45317 | Open-WebUI: CSRF image URL leaks session cookies | open-webui | 4.6 |
| MEDIUM | CVE-2026-45318 | open-webui: Stored XSS via Office file preview bypass | open-webui | 5.4 |
| LOW | CVE-2026-45316 | Open WebUI: read users can modify note pin state | open-webui | 3.5 |
| HIGH | CVE-2026-45314 | Open WebUI: Stored XSS via webhook SVG profile image | open-webui | - |
| HIGH | CVE-2026-45315 | open-webui: stored XSS → JWT theft and admin takeover | open-webui | 8.7 |
| HIGH | CVE-2026-45301 | open-webui: BOLA exposes all users' uploaded files | open-webui | 8.1 |
| MEDIUM | CVE-2026-45299 | open-webui: Stored SVG XSS enables admin JWT theft | open-webui | 5.4 |
| HIGH | CVE-2026-45310 | deepseek-tui: SSRF bypass leaks cloud IAM credentials | deepseek-tui | 7.4 |
| HIGH | CVE-2026-45665 | open-webui: Stored XSS enables Super Admin session hijack | open-webui | 8.1 |