Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-50634 | Apache CXF: JWS signature bypass exposes JAX-RS APIs | 6.5 | |
| CRITICAL | CVE-2026-48746 | vllm: auth bypass exposes OpenAI inference API | vllm | 9.1 |
| HIGH | CVE-2026-41523 | vLLM: assert bypass → RCE via poisoned HuggingFace model | vllm | 7.5 |
| MEDIUM | CVE-2026-47748 | stable-diffusion.cpp: OOB read crash via crafted .ckpt file | 5.5 | |
| HIGH | CVE-2026-47749 | stable-diffusion.cpp: heap overflow in .ckpt model parser | 7.8 | |
| CRITICAL | CVE-2026-49468 | LiteLLM: auth bypass via Host header spoofing | litellm | 8.1 |
| HIGH | CVE-2026-47750 | stable-diffusion.cpp: heap overflow via crafted .ckpt model | 7.8 | |
| HIGH | CVE-2026-47747 | stable-diffusion.cpp: .ckpt heap overflow enables RCE | 7.8 | |
| CRITICAL | CVE-2026-46858 | Oracle APM: unauthenticated write/DoS via JVM Diagnostics | APM - Application Performance Management | 9.1 |
| MEDIUM | CVE-2026-12491 | vLLM: image metadata mishandling corrupts multimodal inputs | rhaiis/vllm-cpu-rhel9 | 4.8 |
| MEDIUM | CVE-2026-54014 | open-webui: path traversal exposes sibling dirs | open-webui | 4.3 |
| HIGH | CVE-2026-54008 | open-webui: SSRF via OAuth picture redirect bypass | open-webui | 8.5 |
| MEDIUM | CVE-2026-54233 | vLLM: decompression bomb OOM via audio endpoint | vllm | 6.5 |
| MEDIUM | CVE-2026-54236 | vLLM: heap address leak enables ASLR bypass | vllm | 5.3 |
| UNKNOWN | CVE-2026-53923 | vLLM: integer truncation leaks GPU memory cross-tenant | vllm | - |
| MEDIUM | GHSA-8jr5-v98p-w75m | vllm: EXIF/tRNS preprocessing gap enables adversarial input | vllm | 4.8 |
| UNKNOWN | CVE-2026-54235 | vLLM: NaN/Inf bypass crashes GPU inference workers | vllm | - |
| CRITICAL | CVE-2026-35304 | Oracle Coherence: unauthenticated HTTPS takeover | coherence | 9.8 |
| CRITICAL | CVE-2026-35306 | Oracle Coherence: unauthenticated data access via HTTP | coherence | 9.3 |
| CRITICAL | CVE-2026-35307 | Oracle Coherence: unauthenticated RCE, CVSS 10.0 | coherence | 10.0 |