Attack Type
Auth Bypass
Authentication bypass vulnerabilities in AI platforms allow attackers to access protected APIs, model endpoints, or admin interfaces without valid credentials.
Total CVEs: 308
Pages: 16
Page 4 of 16
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2024-3573 | MLflow: LFI via URI parsing allows arbitrary file read | mlflow | 9.3 |
| HIGH | CVE-2024-3848 | MLflow: URL fragment bypass leaks SSH and cloud keys | mlflow | 7.5 |
| MEDIUM | CVE-2024-4263 | MLflow: broken access control allows artifact deletion | mlflow | 5.4 |
| HIGH | CVE-2024-27134 | MLflow: local privilege escalation via spark_udf ToCToU | mlflow | 7.0 |
| HIGH | CVE-2025-1473 | MLflow: CSRF in signup allows rogue account creation | mlflow | 7.1 |
| MEDIUM | CVE-2025-1474 | MLflow: passwordless accounts enable persistent backdoor | mlflow | 5.5 |
| MEDIUM | CVE-2025-52967 | MLflow: unauthenticated SSRF in gateway proxy | mlflow | 5.8 |
| CRITICAL | CVE-2025-11200 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2025-11201 | mlflow: Path Traversal enables file access | mlflow | 9.8 |
| HIGH | CVE-2025-14279 | mlflow: security flaw enables exploitation | mlflow | 8.1 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| HIGH | CVE-2025-33233 | NVIDIA: Code Injection enables RCE | | 7.8 |
| LOW | CVE-2024-4839 | lollms-webui: CSRF allows unauthorized AI service install | lollms-webui | 3.3 |
| HIGH | CVE-2025-59425 | vLLM: timing attack enables API key bypass | vllm | 7.5 |
| HIGH | CVE-2025-6242 | vLLM: SSRF in media loader exposes internal network | vllm | 7.1 |
| HIGH | CVE-2026-24779 | vllm: SSRF allows internal network access | vllm | 7.1 |
| MEDIUM | CVE-2024-28224 | Ollama: DNS rebinding exposes LLM API to remote access | ollama | 6.6 |
| MEDIUM | CVE-2025-51471 | Ollama: auth token hijack via crafted WWW-Authenticate | ollama | 6.9 |
| CRITICAL | CVE-2025-63389 | ollama: Missing Auth allows unauthenticated access | ollama | 9.8 |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | | - |