Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-6xcp-7mpr-m7wm | open-webui: CORS misconfiguration enables 1-click RCE | open-webui | 8.3 |
| UNKNOWN | CVE-2026-31251 | CosyVoice: RCE via unsafe torch.load() deserialization | - | |
| CRITICAL | CVE-2026-31238 | Ludwig: RCE via unsafe pickle deserialization in model serve | ludwig | 9.8 |
| HIGH | CVE-2026-31232 | CosyVoice: RCE via unsafe torch.load() model deserialization | 8.8 | |
| HIGH | CVE-2026-8597 | SageMaker: RCE via poisoned Triton model artifacts in S3 | sagemaker | 7.2 |
| HIGH | CVE-2026-45672 | open-webui: code exec gate bypass via API endpoint | open-webui | 8.8 |
| MEDIUM | CVE-2026-45667 | open-webui: unauth endpoint drains embedding budget/DoS | open-webui | 6.5 |
| HIGH | CVE-2026-45400 | open-webui: SSRF bypass via URL parser mismatch | open-webui | 8.5 |
| HIGH | CVE-2026-45399 | Open WebUI: task auth bypass enables cross-user DoS | open-webui | 7.1 |
| MEDIUM | CVE-2026-45365 | open-webui: auth bypass exposes admin-restricted models | open-webui | 5.4 |
| MEDIUM | CVE-2026-45347 | Open WebUI: blind SSRF via PDF export HTML injection | open-webui | 4.3 |
| MEDIUM | CVE-2026-45317 | Open-WebUI: CSRF image URL leaks session cookies | open-webui | 4.6 |
| HIGH | CVE-2026-46517 | LMDeploy: hardcoded trust_remote_code enables RCE | lmdeploy | 7.8 |
| HIGH | CVE-2026-8596 | SageMaker SDK: cleartext HMAC key enables model artifact RCE | sagemaker | 7.2 |
| HIGH | CVE-2026-46432 | lmdeploy: hardcoded trust_remote_code enables RCE | lmdeploy | 7.8 |
| HIGH | CVE-2026-47101 | LiteLLM: RBAC bypass enables proxy admin escalation | litellm | 8.8 |
| HIGH | CVE-2026-47102 | LiteLLM: privilege escalation to proxy_admin via /user/update | litellm | 8.8 |
| MEDIUM | CVE-2026-9540 | vllm: unauthenticated DoS in OpenAI-compatible serving path | vllm | 5.3 |
| MEDIUM | CVE-2026-48545 | Gradio: cookie injection hijacks cross-Space sessions | gradio | 6.8 |
| MEDIUM | CVE-2026-3676 | IBM Db2 APM: DoS via query special element injection | 6.5 |