Active Scanning
An adversary may probe or scan the victim system to gather information for targeting. This is distinct from other reconnaissance techniques that do not involve direct interaction with the victim system. Adversaries may scan for open ports on a potential victim's network, which can indicate specific services or tools the victim is using. This could include a scan for tools related to AI DevOps or for AI services themselves, such as public AI chat agents (e.g., [Copilot Studio Hunter](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Enum)). They can also send emails to organization service addresses and inspect the replies for indicators that an AI agent is managing the inbox. Information gained from Active Scanning may yield targets that provide opportunities for other forms of reconnaissance such as [Search Open Technical Databases](/techniques/AML.T0000), [Search Open AI Vulnerability Analysis](/techniques/AML.T0001), or [Gather RAG-Indexed Targets](/techniques/AML.T0064).

| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2023-48022 | Ray: unauthenticated RCE via job submission API | ray | 9.8 |
| CRITICAL | CVE-2024-47167 | Gradio: unauthenticated SSRF in /queue/join, internal pivot | gradio | 9.8 |
| CRITICAL | CVE-2023-6019 | Ray: unauthenticated RCE via dashboard command injection | ray | 9.8 |
| CRITICAL | CVE-2024-41120 | streamlit-geospatial: blind SSRF via unvalidated URL input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2025-32444 | vLLM: RCE via pickle deserialization on ZeroMQ | vllm | 9.8 |
| CRITICAL | CVE-2024-9052 | vLLM: RCE via pickle deserialization in distributed API | vllm | 9.8 |
| CRITICAL | CVE-2026-41268 | Flowise: unauthenticated RCE via NODE_OPTIONS env injection | flowise | 9.8 |
| CRITICAL | CVE-2024-41118 | streamlit-geospatial: blind SSRF via WMS URL input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2025-47241 | browser-use: URL allowlist bypass enables SSRF in agents | browser-use | 9.3 |
| CRITICAL | CVE-2026-7482 | Ollama: heap OOB read leaks API keys and chat data | ollama | 9.1 |
| HIGH | CVE-2026-28416 | gradio: SSRF allows internal network access | gradio | 8.6 |
| HIGH | CVE-2024-32965 | Lobe Chat: pre-auth SSRF leaks OpenAI API keys | | 8.6 |
| HIGH | CVE-2024-4325 | Gradio: SSRF exposes internal network and cloud metadata | gradio | 8.6 |
| HIGH | CVE-2025-65958 | open-webui: SSRF allows internal network access | open-webui | 8.5 |
| HIGH | CVE-2026-41271 | Flowise: SSRF via prompt template injection in API Chain | flowise | 8.3 |
| HIGH | CVE-2024-35199 | TorchServe: default gRPC exposure allows unauth inference | torchserve | 8.2 |
| HIGH | GHSA-75hx-xj24-mqrw | n8n-mcp: unauthenticated HTTP endpoints enable DoS + recon | n8n-mcp | 8.2 |
| HIGH | CVE-2025-61784 | LLaMA-Factory: SSRF+LFI in multimodal chat API | llamafactory | 8.1 |
| HIGH | CVE-2024-3095 | LangChain: SSRF in Web Retriever exposes cloud metadata | langchain | 7.7 |
| HIGH | CVE-2024-36421 | Flowise: CORS wildcard enables file read and data theft | flowise | 7.5 |
| HIGH | CVE-2026-28414 | gradio: security flaw enables exploitation | gradio | 7.5 |
| HIGH | CVE-2026-33484 | langflow: Access Control bypass enables privilege escalation | langflow | 7.5 |
| HIGH | CVE-2026-0599 | text-generation: DoS causes service disruption | | 7.5 |
| HIGH | CVE-2025-66786 | OAI CN5G AMF: unauthenticated JSON DoS on 5G SBI interface | oai-cn5g-amf | 7.5 |
| HIGH | CVE-2025-65805 | OAI CN5G AMF: Unauthenticated buffer overflow, RCE/DoS | oai-cn5g-amf | 7.5 |
| HIGH | CVE-2025-59425 | vLLM: timing attack enables API key bypass | vllm | 7.5 |
| HIGH | CVE-2025-6386 | lollms: timing attack enables credential enumeration | lollms | 7.5 |
| HIGH | CVE-2025-30202 | vLLM: ZeroMQ socket exposure enables DoS in multi-node | vllm | 7.5 |
| HIGH | CVE-2024-8020 | pytorch-lightning: unauthenticated DoS crashes LightningApp | pytorch-lightning | 7.5 |
| HIGH | CVE-2024-39722 | Ollama: path traversal exposes server filesystem | ollama | 7.5 |
| HIGH | CVE-2024-39719 | Ollama: file existence oracle via api/create errors | ollama | 7.5 |
| HIGH | CVE-2024-36420 | Flowise: unauthenticated arbitrary file read via API | flowise | 7.5 |
| HIGH | CVE-2022-41899 | TensorFlow: SdcaOptimizer DoS via malformed tensor rank | tensorflow | 7.5 |
| HIGH | CVE-2025-59527 | Flowise: unauthenticated SSRF exposes internal network | flowise | 7.5 |
| HIGH | CVE-2026-40114 | PraisonAI: unauthenticated SSRF via unvalidated webhook_url | PraisonAI | 7.2 |
| HIGH | CVE-2026-24779 | vllm: SSRF allows internal network access | vllm | 7.1 |
| MEDIUM | GHSA-pgx6-7jcq-2qff | | | 6.8 |
| MEDIUM | CVE-2026-3340 | IBM Langflow: SSRF enables internal network enumeration | langflow | 6.5 |
| MEDIUM | CVE-2024-2206 | Gradio: SSRF exposes internal HuggingFace endpoints | gradio | 6.5 |
| MEDIUM | CVE-2026-7844 | Langchain-Chatchat: auth bypass on file service endpoints | | 6.3 |
| MEDIUM | CVE-2026-5530 | Ollama: SSRF in Model Pull API enables network pivot | | 6.3 |
| MEDIUM | CVE-2025-67743 | local-deep-research: SSRF allows internal network access | | 6.3 |
| MEDIUM | CVE-2026-27482 | ray: Missing Auth allows unauthenticated access | ray | 5.9 |
| MEDIUM | CVE-2026-40151 | PraisonAI: unauthenticated agent config and system prompt disclosure | PraisonAI | 5.3 |
| MEDIUM | CVE-2025-63390 | anythingllm: Missing Auth allows unauthenticated access | | 5.3 |
| MEDIUM | CVE-2026-40086 | rembg: path traversal exposes arbitrary files via HTTP API | rembg | 5.3 |
| MEDIUM | CVE-2026-28786 | Open WebUI: path traversal leaks server filesystem path | open-webui | 4.3 |
| MEDIUM | CVE-2026-44559 | open-webui: private channel member list exposed to any user | open-webui | 4.3 |
| MEDIUM | CVE-2024-47168 | Gradio: monitoring endpoint bypass leaks app analytics | gradio | 4.3 |
| MEDIUM | CVE-2026-26019 | langchain_community: SSRF allows internal network access | langchain_community | 4.1 |
| LOW | CVE-2024-47869 | Gradio: timing attack exposes analytics dashboard auth | gradio | 3.7 |
| LOW | CVE-2026-26013 | langchain-core: SSRF allows internal network access | langchain_core | 3.7 |
| LOW | GHSA-r7w7-9xr2-qq2r | langchain-openai: SSRF DNS rebinding, blind network probe | langchain-openai | 3.1 |
| LOW | CVE-2024-7038 | open-webui: filesystem enumeration via admin error messages | open-webui | 2.7 |
| LOW | CVE-2026-7847 | Langchain-Chatchat: predictable file IDs leak uploaded files | langchain-chatchat | 2.6 |
| LOW | CVE-2025-25183 | vLLM: hash collision enables prefix cache poisoning | vllm | 2.6 |
| LOW | GHSA-j4c5-89f5-f3pm | openclaw: SSRF policy bypass in CDP browser profile creation | openclaw | — |
| CRITICAL | CVE-2025-32428 | jupyter-remote-desktop-proxy: VNC network exposure | jupyter-remote-desktop-proxy | — |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | — |
| MEDIUM | GHSA-jj6q-rrrf-h66h | openclaw: timing side-channel leaks shared-secret length | openclaw | — |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | | — |
| UNKNOWN | CVE-2024-1729 | Gradio: timing attack enables auth bypass on ML UIs | gradio | — |
| UNKNOWN | CVE-2024-1183 | Gradio: SSRF enables internal network port scanning | gradio | — |