AI Threat Alert
Auth Bypass
AI/ML platforms accumulate auth-bypass vulnerabilities at the same rate as other web software, but the blast radius is unusual: a bypass on an inference endpoint exposes expensive compute, paid model access, and potentially other tenants' conversations. Common patterns we see in NVD and GHSA include misconfigured JWT verification in self-hosted inference servers, missing authorization checks on admin routes in ML platforms, IDOR on prediction-history endpoints, and SSRF that escapes a sandboxed agent into the platform's internal network. Open-source AI platforms (MLflow, Gradio, LangServe, Ollama) have shipped multiple high-severity auth-bypass CVEs since 2023; CISA KEV has flagged at least one (the MLflow path-traversal/auth chain). Defenses: keep self-hosted AI platforms patched aggressively, require auth on all model endpoints, network-segment inference servers, and treat any exposed AI service as if compute-cost abuse will happen.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2024-3573 | MLflow: LFI via URI parsing allows arbitrary file read | mlflow | 9.3 |
| HIGH | CVE-2024-3848 | MLflow: URL fragment bypass leaks SSH and cloud keys | mlflow | 7.5 |
| MEDIUM | CVE-2024-4263 | MLflow: broken access control allows artifact deletion | mlflow | 5.4 |
| HIGH | CVE-2024-27134 | MLflow: local privilege escalation via spark_udf ToCToU | mlflow | 7.0 |
| HIGH | CVE-2025-1473 | MLflow: CSRF in signup allows rogue account creation | mlflow | 7.1 |
| MEDIUM | CVE-2025-1474 | MLflow: passwordless accounts enable persistent backdoor | mlflow | 5.5 |
| MEDIUM | CVE-2025-52967 | MLflow: unauthenticated SSRF in gateway proxy | mlflow | 5.8 |
| CRITICAL | CVE-2025-11200 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2025-11201 | mlflow: Path Traversal enables file access | mlflow | 9.8 |
| HIGH | CVE-2025-14279 | mlflow: security flaw enables exploitation | mlflow | 8.1 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| HIGH | CVE-2025-33233 | NVIDIA: Code Injection enables RCE | 7.8 | |
| LOW | CVE-2024-4839 | lollms-webui: CSRF allows unauthorized AI service install | lollms-webui | 3.3 |
| HIGH | CVE-2025-59425 | vLLM: timing attack enables API key bypass | vllm | 7.5 |
| HIGH | CVE-2025-6242 | vLLM: SSRF in media loader exposes internal network | vllm | 7.1 |
| HIGH | CVE-2026-24779 | vllm: SSRF allows internal network access | vllm | 7.1 |
| MEDIUM | CVE-2024-28224 | Ollama: DNS rebinding exposes LLM API to remote access | ollama | 6.6 |
| MEDIUM | CVE-2025-51471 | Ollama: auth token hijack via crafted WWW-Authenticate | ollama | 6.9 |
| CRITICAL | CVE-2025-63389 | ollama: Missing Auth allows unauthenticated access | ollama | 9.8 |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | - |