Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-35308 | Oracle Coherence: unauthenticated RCE via third-party jars | coherence | 10.0 |
| CRITICAL | CVE-2026-35309 | Oracle Coherence: unauthenticated RCE via HTTP (CVSS 9.8) | coherence | 9.8 |
| CRITICAL | CVE-2026-35310 | Oracle Coherence: unauthenticated HTTP full takeover | coherence | 9.8 |
| MEDIUM | CVE-2026-54021 | open-webui: auth bypass reaches restricted Ollama backends | open-webui | 6.3 |
| CRITICAL | CVE-2026-44727 | jupyter-server: stored XSS yields kernel RCE | notebook | 9.0 |
| MEDIUM | CVE-2026-12706 | FFmpeg RASC: UAF in decoder crashes AI inference containers | rhoai/odh-vllm-gaudi-rhel9 | 6.5 |
| MEDIUM | CVE-2026-55832 | tract-onnx: path traversal exposes arbitrary local files | tract-onnx | 6.1 |
| HIGH | CVE-2026-53489 | containerd: symlink follow leaks host files via kubectl logs | github.com/containerd/containerd/v2 | - |
| HIGH | CVE-2026-53488 | containerd: label injection enables host RCE via CRI plugin | github.com/containerd/containerd/v2 | - |
| MEDIUM | CVE-2026-50195 | containerd: checkpoint import poisons node image cache | github.com/containerd/containerd/v2 | - |
| MEDIUM | CVE-2026-49345 | Mercator: SSRF enables internal network RCE via gopher:// | - | |
| HIGH | CVE-2026-56340 | vLLM: sparse tensor DoS/memory corruption via embeddings | vllm | 7.5 |
| HIGH | CVE-2025-71379 | vLLM: ReDoS via crafted API input causes DoS | vllm | 7.5 |
| HIGH | CVE-2026-12770 | litellm: auth bypass in Admin Key Handler endpoint | litellm | 8.8 |
| HIGH | CVE-2026-12771 | litellm: JWT auth bypass in M2M proxy handler | litellm | 7.5 |
| MEDIUM | CVE-2026-12772 | litellm: session expiration bypass in proxy auth | litellm | 6.3 |
| MEDIUM | CVE-2026-12774 | litellm: SSRF in MCP server exposes cloud metadata | litellm | 6.3 |
| HIGH | CVE-2026-12773 | litellm: auth bypass in MCP proxy, no credentials required | litellm | 7.3 |
| HIGH | CVE-2026-12795 | litellm: auth bypass in SSO debug exposes LLM proxy | litellm | 7.3 |
| MEDIUM | CVE-2026-12797 | litellm: auth bypass in banned keywords enterprise hook | litellm | 6.3 |