Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-12799 | litellm: authorization bypass exposes user list | litellm | 4.3 |
| MEDIUM | CVE-2026-12796 | litellm: SSO session expiration allows auth persistence | litellm | 6.3 |
| MEDIUM | CVE-2026-12798 | litellm: SSRF in MCP OpenAPI spec loader endpoint | litellm | 6.3 |
| HIGH | CVE-2026-10845 | WebSphere AS: JAX-WS auth bypass, unauthorized access | 7.3 | |
| CRITICAL | CVE-2026-54352 | Budibase: zip symlink bypass exposes all server secrets | @budibase/server | 9.6 |
| HIGH | CVE-2026-54232 | vLLM: dependency confusion RCE backdoors container images | vllm | 8.8 |
| MEDIUM | CVE-2026-10645 | Zephyr RTOS: ext2 OOB read/DoS via malformed filesystem | 4.9 | |
| CRITICAL | CVE-2026-26210 | KTransformers: pickle RCE via unauthenticated ZMQ socket | ktransformers | 9.8 |
| UNKNOWN | CVE-2026-4930 | SiXG301 SYMCRYPTO: DPA bypass weakens hardware crypto keys | - | |
| MEDIUM | CVE-2026-11703 | wolfSSL: TLS session resumption skips SNI/ALPN check | - | |
| HIGH | CVE-2026-5757 | Ollama: unauthenticated heap memory disclosure | Ollama | 7.5 |
| CRITICAL | GHSA-98x5-vq43-vc5p | semantic-router: unpinned litellm dep pulls malware wheel | litellm | - |
| CRITICAL | CVE-2026-2651 | MLflow: auth bypass on artifact uploads enables RCE | mlflow/mlflow | 9.0 |
| HIGH | CVE-2026-10118 | Poppler: PDF integer overflow enables heap RCE | rhaiis/vllm-spyre-rhel9 | 7.8 |
| HIGH | CVE-2026-4775 | libtiff: integer overflow causes heap OOB write | rhaiis/vllm-spyre-rhel9 | 7.8 |
| MEDIUM | CVE-2026-4878 | libcap: TOCTOU race in cap_set_file() enables privesc | rhaiis/vllm-spyre-rhel9 | 6.7 |
| HIGH | CVE-2026-57947 | Pinpoint APM: SSRF via alarm webhook registration | pinpoint | 8.5 |
| MEDIUM | CVE-2026-57948 | Pinpoint: insecure JWT cookie enables session hijacking | pinpoint | 6.8 |
| HIGH | CVE-2026-23536 | Feast: unauth path traversal leaks any file | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | 7.5 |
| HIGH | CVE-2025-71363 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |