Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-68f8-9mhj-h2mp | OpenClaw: HTTP scope bypass enables model enumeration | openclaw | - |
| CRITICAL | CVE-2026-0596 | MLflow: command injection via model_uri in mlserver mode | mlflow | 9.6 |
| HIGH | CVE-2026-34445 | ONNX: property overwrite via crafted model file | onnx | 8.6 |
| HIGH | CVE-2026-34760 | vLLM: audio downmix mismatch enables adversarial input | 7.1 | |
| MEDIUM | GHSA-9q7v-8mr7-g23p | OpenClaw: SSRF in marketplace fetch hits internal AI infra | openclaw | - |
| MEDIUM | CVE-2026-34756 | vLLM: DoS via unbounded n parameter causes OOM crash | vllm | 6.5 |
| CRITICAL | CVE-2026-35030 | LiteLLM: auth bypass via JWT cache key collision | litellm | 9.1 |
| HIGH | CVE-2026-35029 | LiteLLM: auth bypass allows RCE and full takeover | litellm | 8.8 |
| MEDIUM | CVE-2026-34755 | vLLM: OOM DoS via unbounded video frame decoding | vllm | 6.5 |
| MEDIUM | CVE-2026-34753 | vLLM: SSRF in batch API exposes cloud metadata endpoints | vllm | 5.4 |
| MEDIUM | CVE-2026-5530 | Ollama: SSRF in Model Pull API enables network pivot | 6.3 | |
| HIGH | CVE-2026-34940 | KubeAI: RCE via shell injection in Ollama startup probe | 8.8 | |
| HIGH | CVE-2026-35485 | text-generation-webui: unauthenticated path traversal file read | gradio | 7.5 |
| HIGH | GHSA-69x8-hrgq-fjj8 | LiteLLM: auth bypass chain enables full privilege escalation | litellm | - |
| MEDIUM | CVE-2026-39411 | LobeChat: auth bypass via forged XOR obfuscated header | @lobehub/lobehub | 5.0 |
| HIGH | CVE-2026-40217 | LiteLLM: RCE via bytecode rewriting in guardrails API | litellm | 8.8 |
| MEDIUM | CVE-2026-40086 | rembg: path traversal exposes arbitrary files via HTTP API | rembg | 5.3 |
| CRITICAL | GHSA-r75f-5x8p-qvmc | litellm: SQLi exposes all managed LLM API credentials | litellm | - |
| HIGH | GHSA-xqmj-j6mv-4862 | LiteLLM: RCE via unsandboxed prompt template rendering | litellm | - |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: RCE via MCP test endpoints privilege bypass | litellm | - |