AML.T0012

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Credentials may take the form of usernames and passwords of individual user accounts or API keys that provide access to various AI resources and services. Compromised credentials may provide access to additional AI artifacts and allow the adversary to perform [Discover AI Artifacts](/techniques/AML.T0007). Compromised credentials may also grant an adversary increased privileges such as write access to AI artifacts used during development or production.

184 CVEs mapped View on MITRE ATLAS →

Severity	CVE	Headline	Package	CVSS
CRITICAL	CVE-2023-25574	JupyterHub LTI13: JWT forgery enables full auth bypass		10.0
CRITICAL	CVE-2026-33663	n8n: member role steals plaintext HTTP credentials	n8n	10.0
CRITICAL	CVE-2026-1470	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-27577	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2025-68668	n8n: Protection Bypass circumvents security controls	n8n	9.9
CRITICAL	CVE-2026-27495	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-25049	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2026-40933	Flowise: RCE via MCP stdio command injection	flowise-components	9.9
CRITICAL	CVE-2026-25052	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2026-25053	n8n: Command Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-0863	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-33309	langflow: Path Traversal enables file access	langflow	9.9
CRITICAL	CVE-2026-21877	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-2635	mlflow: security flaw enables exploitation	mlflow	9.8
CRITICAL	CVE-2025-58434	Flowise: auth bypass in reset flow allows full ATO	flowise	9.8
CRITICAL	CVE-2023-6014	MLflow: auth bypass allows arbitrary account creation	mlflow	9.8
CRITICAL	CVE-2026-41267	Flowise: mass assignment auth bypass in registration	flowise	9.8
CRITICAL	CVE-2026-41276	Flowise: auth bypass enables full account takeover via reset	flowise	9.8
CRITICAL	CVE-2023-25823	Gradio: hardcoded SSH key leaks via share=True demos	gradio	9.8
CRITICAL	CVE-2026-1115	lollms: Stored XSS enables wormable account takeover	lollms	9.6
CRITICAL	CVE-2026-42048	Langflow: path traversal allows arbitrary directory deletion	langflow	9.6
CRITICAL	CVE-2026-44551	open-webui: LDAP auth bypass — full account takeover	open-webui	9.1
CRITICAL	CVE-2026-35030	LiteLLM: auth bypass via JWT cache key collision	litellm	9.1
CRITICAL	CVE-2026-33749	n8n: stored XSS enables credential theft via workflow	n8n	9.0
HIGH	CVE-2026-30820	Flowise: header spoof auth bypass exposes admin API & creds	flowise	8.8
HIGH	CVE-2026-24780	agpt: Code Injection enables RCE		8.8
HIGH	CVE-2026-25056	n8n: Arbitrary File Upload enables RCE	n8n	8.8
HIGH	CVE-2026-33175	oauthenticator: auth bypass enables JupyterHub account takeover		8.8
HIGH	CVE-2025-68613	n8n: security flaw enables exploitation	n8n	8.8
HIGH	CVE-2025-34291	langflow: security flaw enables exploitation	langflow	8.8
HIGH	CVE-2026-42271	LiteLLM: RCE via MCP test endpoint command injection	litellm	8.8
HIGH	CVE-2026-42266	JupyterLab: Extension allow-list bypass enables privesc	jupyterlab	8.8
HIGH	CVE-2026-33696	n8n: Prototype pollution enables RCE via workflow nodes	n8n	8.8
HIGH	CVE-2025-57760	Langflow: privilege escalation to full superuser via CLI	langflow	8.8
HIGH	CVE-2026-33713	n8n: SQLi in Data Table node, full DB compromise	n8n	8.8
HIGH	CVE-2023-27563	n8n: privilege escalation exposes full workflow admin	n8n	8.8
HIGH	CVE-2026-41277	Flowise: mass assignment enables cross-workspace IDOR	flowise	8.8
HIGH	CVE-2026-33053	langflow: IDOR enables unauthorized data access	langflow	8.8
HIGH	CVE-2024-7297	Langflow: mass assignment grants super admin access	langflow	8.8
HIGH	CVE-2026-27497	n8n: SQL Injection exposes database	n8n	8.8
HIGH	CVE-2026-27498	n8n: Code Injection enables RCE	n8n	8.8
HIGH	CVE-2025-65958	open-webui: SSRF allows internal network access	open-webui	8.5
HIGH	GHSA-4ggg-h7ph-26qr	n8n-mcp: authenticated SSRF leaks cloud metadata	n8n-mcp	8.5
HIGH	CVE-2024-7990	open-webui: Stored XSS enables admin session hijack	open-webui	8.4
HIGH	CVE-2026-41270	Flowise: SSRF bypass exposes cloud metadata services	flowise	8.3
HIGH	CVE-2024-47084	Gradio: CORS bypass exposes local instances to credential theft	gradio	8.3
HIGH	CVE-2024-7039	open-webui: Privilege bypass enables admin account deletion	open-webui	8.3
HIGH	CVE-2026-33665	n8n: LDAP email match enables permanent account takeover	n8n	8.2
HIGH	CVE-2026-25750	langsmith: security flaw enables exploitation	langsmith	8.1
HIGH	CVE-2026-44553	open-webui: stale Socket.IO role allows cross-user note R/W	open-webui	8.1
HIGH	CVE-2026-32730			8.1
HIGH	CVE-2025-15381	MLflow: broken access control exposes experiment traces	mlflow	8.1
HIGH	CVE-2024-8060	OpenWebUI: path traversal RCE via audio upload API	open-webui	8.1
HIGH	CVE-2025-0628	litellm: privilege escalation viewer→proxy admin via bad API key	litellm	8.1
HIGH	GHSA-48m6-ch88-55mj	Flowise: Mass Assignment allows cross-tenant org takeover	flowise	8.1
HIGH	CVE-2026-44554	open-webui: RAG poisoning via unauthorized KB overwrite	open-webui	8.1
HIGH	CVE-2021-37652	TensorFlow: double-free in BoostedTrees, code exec	tensorflow	7.8
HIGH	CVE-2026-34222	Open WebUI: access control bypass leaks Tool Valve API keys	open-webui	7.7
HIGH	CVE-2024-0452	WordPress AI ChatBot: auth bypass enables OpenAI file upload	wpbot	7.7
HIGH	CVE-2024-0453	WordPress ChatBot: missing authz deletes OpenAI files	wpbot	7.7
HIGH	CVE-2024-7053	open-webui: XSS enables admin session hijack via chat	open-webui	7.6
HIGH	CVE-2026-41275	Flowise: HTTP password reset link allows MITM takeover	flowise	7.5
HIGH	CVE-2025-0330	LiteLLM: Langfuse API key leak via error handling	litellm	7.5
HIGH	CVE-2025-6386	lollms: timing attack enables credential enumeration	lollms	7.5
HIGH	CVE-2025-65098	typebot: XSS enables session hijacking		7.4
HIGH	CVE-2025-12973	AI component: Arbitrary File Upload enables RCE		7.2
HIGH	CVE-2026-21893	n8n: Input Validation flaw enables exploitation	n8n	7.2
HIGH	CVE-2026-1777	sagemaker: security flaw enables exploitation	sagemaker	7.2
HIGH	CVE-2025-5018	Hive Support WP: OpenAI key theft + prompt hijack		7.1
HIGH	CVE-2026-44556	open-webui: auth bypass allows unrestricted model access	open-webui	7.1
HIGH	CVE-2026-28788	Open WebUI: BOLA enables RAG poisoning via file overwrite	open-webui	7.1
HIGH	CVE-2025-1473	MLflow: CSRF in signup allows rogue account creation	mlflow	7.1
MEDIUM	CVE-2025-51471	Ollama: auth token hijack via crafted WWW-Authenticate	ollama	6.9
MEDIUM	CVE-2026-40934	jupyter-server: auth cookie survives password reset	jupyter-server	6.8
MEDIUM	CVE-2026-28277	langgraph: Deserialization enables RCE	langgraph	6.8
MEDIUM	CVE-2026-26972	OpenClaw: path traversal allows arbitrary file write	openclaw	6.7
MEDIUM	CVE-2025-7780	WordPress AI Engine: SSRF leaks files via OpenAI API		6.5
MEDIUM	CVE-2025-13922	AI component: SQL Injection exposes database		6.5
MEDIUM	CVE-2026-25631	n8n: Input Validation flaw enables exploitation	n8n	6.5
MEDIUM	GHSA-mvv8-v4jj-g47j	Directus: cleartext storage exposes AI API keys		6.5
MEDIUM	CVE-2026-21894	n8n: security flaw enables exploitation	n8n	6.5
MEDIUM	CVE-2024-7041	open-webui: IDOR enables cross-user memory tampering	open-webui	6.5
MEDIUM	CVE-2026-44560	open-webui: RAG auth bypass exposes private files	open-webui	6.5
MEDIUM	CVE-2026-44562	open-webui: missing authz enables model hijacking	open-webui	6.5
MEDIUM	GHSA-q8ff-7ffm-m3r9	openclaw: stale webhook secret survives credential rotation	openclaw	6.0
MEDIUM	CVE-2026-27167	gradio: Weak Credentials allow account compromise	gradio	5.9
MEDIUM	GHSA-2qqc-p94c-hxwh	Flowise: hardcoded session secret enables auth bypass	flowise	5.6
MEDIUM	GHSA-cc4f-hjpj-g9p8	Flowise: hardcoded JWT defaults enable full auth bypass	flowise	5.6
MEDIUM	GHSA-m7mq-85xj-9x33	Flowise: hardcoded default key enables JWT token forgery	flowise	5.6
MEDIUM	CVE-2026-44479	vercel: auth token leak in AI agent non-interactive mode		5.5
MEDIUM	GHSA-cqmh-pcgr-q42f	@axonflow/openclaw: credential exposure via insecure file permissions	@axonflow/openclaw	5.5
MEDIUM	CVE-2025-1474	MLflow: passwordless accounts enable persistent backdoor	mlflow	5.5
MEDIUM	CVE-2026-44558	open-webui: permission bypass exposes channels publicly	open-webui	5.4
MEDIUM	CVE-2025-46343	n8n: stored XSS enables account takeover	n8n	5.4
MEDIUM	CVE-2024-47872	Gradio: stored XSS via malicious file upload	gradio	5.4
MEDIUM	CVE-2025-49592	n8n: open redirect enables phishing via login flow	n8n	5.4
MEDIUM	CVE-2024-4263	MLflow: broken access control allows artifact deletion	mlflow	5.4
MEDIUM	CVE-2023-1651	AI ChatBot WP: auth bypass exposes OpenAI config + XSS	wpbot	5.4
MEDIUM	CVE-2025-45809	LiteLLM: SQL injection in key management API	litellm	5.4
MEDIUM	GHSA-364x-8g5j-x2pr	n8n: stored XSS via malicious OAuth2 Authorization URL	n8n	5.4
MEDIUM	GHSA-3c7f-5hgj-h279	n8n: Stored XSS in Chat Trigger via CSS injection	n8n	5.4
MEDIUM	CVE-2025-52478	n8n: Stored XSS enables full account takeover	n8n	5.4
MEDIUM	CVE-2026-44563	open-webui: auth bypass exposes restricted LLM models	open-webui	5.4
MEDIUM	CVE-2026-44564	open-webui: auth bypass in collaborative doc editing	open-webui	5.4
MEDIUM	CVE-2026-25054	n8n: XSS enables session hijacking	n8n	5.4
MEDIUM	CVE-2026-44561	open-webui: auth bypass exposes private group channels	open-webui	5.4
MEDIUM	CVE-2026-25051	n8n: XSS enables session hijacking	n8n	5.4
MEDIUM	CVE-2026-27578	n8n: XSS enables session hijacking	n8n	5.4
MEDIUM	CVE-2026-41495	n8n-mcp: bearer tokens exposed in HTTP transport logs	n8n-mcp	5.3
MEDIUM	CVE-2026-33722	n8n: secrets vault bypass exposes credentials to low-priv users	n8n	5.3
MEDIUM	CVE-2026-39411	LobeChat: auth bypass via forged XOR obfuscated header	@lobehub/lobehub	5.0
MEDIUM	CVE-2024-0451	wpbot: missing auth exposes OpenAI account files	wpbot	5.0
MEDIUM	CVE-2026-44550	open-webui: mass assignment enables cross-user folder injection	open-webui	5.0
MEDIUM	CVE-2025-49595	n8n: DoS via empty filesystem URI in binary-data API	n8n	4.9
MEDIUM	CVE-2026-33751	n8n: LDAP injection enables auth bypass in workflows	n8n	4.8
MEDIUM	CVE-2026-28415	gradio: Info Disclosure leaks sensitive data	gradio	4.7
MEDIUM	CVE-2026-44557	open-webui: auth bypass exposes all knowledge base metadata	open-webui	4.3
MEDIUM	CVE-2026-28786	Open WebUI: path traversal leaks server filesystem path	open-webui	4.3
MEDIUM	CVE-2024-7045	open-webui: missing authz exposes admin prompts	open-webui	4.3
MEDIUM	CVE-2025-14371	AI component: Missing Auth allows unauthorized operations		4.3
MEDIUM	CVE-2025-12360	Better: security flaw enables exploitation		4.3
MEDIUM	CVE-2025-52554	n8n: broken authz enables cross-user workflow termination	n8n	4.3
MEDIUM	CVE-2024-7046	Open WebUI: missing authz leaks admin credentials	open-webui	4.3
MEDIUM	CVE-2026-6393	BetterDocs: Auth bypass drains OpenAI API quota		4.3
MEDIUM	CVE-2025-13354	taxopress: Missing Auth allows unauthorized operations		4.3
MEDIUM	CVE-2026-44559	open-webui: private channel member list exposed to any user	open-webui	4.3
MEDIUM	CVE-2025-68492	chainlit: IDOR enables unauthorized data access	chainlit	4.2
MEDIUM	CVE-2026-33720	n8n: OAuth state forgery hijacks user credentials	n8n	4.2
MEDIUM	CVE-2026-1163	lollms: sessions persist after password reset	lollms	4.1
LOW	CVE-2026-29071	Open WebUI: IDOR exposes AI memories and private files	open-webui	3.1
LOW	CVE-2026-6597	langflow: Plaintext credential storage via Flow API	langflow	2.7
HIGH	GHSA-xmxx-7p24-h892	OpenClaw: stale bearer token survives SecretRef rotation	openclaw	—
UNKNOWN	CVE-2026-25083	GROWI: Missing Auth allows unauthorized operations		—
LOW	CVE-2026-33624			—
HIGH	CVE-2026-23982			—
UNKNOWN	CVE-2026-0772	langflow: Deserialization enables RCE	langflow	—
LOW	CVE-2025-63681	open-webui: Access Control bypass enables privilege escalation	open-webui	—
HIGH	CVE-2026-22033	label-studio: XSS enables session hijacking	label-studio	—
HIGH	CVE-2025-25295	Label Studio SDK: path traversal leaks server filesystem	label-studio-sdk	—
HIGH	CVE-2025-23205	nbgrader: Clickjacking exposes formgrader via IFrame		—
UNKNOWN	CVE-2024-56516	free-one-api: MD5 hashing allows credential cracking		—
UNKNOWN	CVE-2024-1729	Gradio: timing attack enables auth bypass on ML UIs	gradio	—
UNKNOWN	CVE-2026-34046	Langflow: IDOR exposes flows and plaintext API keys	langflow	—
CRITICAL	GHSA-955r-262c-33jc	telnyx: PyPI supply chain attack steals cloud creds		—
MEDIUM	GHSA-68f8-9mhj-h2mp	OpenClaw: HTTP scope bypass enables model enumeration	openclaw	—
UNKNOWN	CVE-2026-35029	LiteLLM: auth bypass allows RCE and full takeover	litellm	—
MEDIUM	CVE-2026-33709	JupyterHub: open redirect enables post-login phishing		—
HIGH	CVE-2026-35175	Ajenti: missing authz lets any user install packages		—
UNKNOWN	CVE-2026-34940	KubeAI: RCE via shell injection in Ollama startup probe		—
UNKNOWN	CVE-2026-30823	Flowise: IDOR enables account takeover and SSO bypass	flowise	—
MEDIUM	CVE-2026-33865	MLflow: stored XSS via MLmodel YAML artifact upload	mlflow	—
HIGH	CVE-2026-34511	OpenClaw: PKCE verifier leak enables OAuth token theft	openclaw	—
MEDIUM	GHSA-83f3-hh45-vfw9	OpenClaw: cleartext WebSocket exposes gateway credentials	openclaw	—
MEDIUM	GHSA-5hff-46vh-rxmw	OpenClaw: read-only scope bypass kills agent sessions	openclaw	—
MEDIUM	GHSA-3q42-xmxv-9vfr	openclaw: privilege escalation to admin voice config persistence	openclaw	—
MEDIUM	GHSA-h2v7-xc88-xx8c	openclaw: operator scope bypass in phone arm/disarm cmds	openclaw	—
HIGH	GHSA-69x8-hrgq-fjj8	LiteLLM: auth bypass chain enables full privilege escalation	litellm	—
HIGH	GHSA-jf56-mccx-5f3f	OpenClaw: wake hook trust violation elevates to System prompt	openclaw	—
LOW	GHSA-4f8g-77mw-3rxc	OpenClaw: gateway auth expands read to write privilege	openclaw	—
MEDIUM	GHSA-67mf-f936-ppxf	OpenClaw: scope misconfiguration enables unauthorized node pairing	openclaw	—
MEDIUM	GHSA-5h3f-885m-v22w	openclaw: WS sessions persist after gateway token rotation	openclaw	—
LOW	GHSA-25wv-8phj-8p7r	OpenClaw: auth rate-limit bypass via async race condition	openclaw	—
HIGH	GHSA-5wj5-87vq-39xm	openclaw: auth bypass enables exec escalation on reconnect	openclaw	—
MEDIUM	GHSA-vc32-h5mq-453v	OpenClaw: cross-channel allowlist write bypass	openclaw	—
MEDIUM	GHSA-68x5-xx89-w9mm	OpenClaw: stale auth closure bypasses gateway access control	openclaw	—
MEDIUM	GHSA-whf9-3hcx-gq54	OpenClaw: token rotation bypasses role approval	openclaw	—
MEDIUM	CVE-2026-35646	openclaw: webhook rate-limit bypass enables token brute-force	openclaw	—
HIGH	GHSA-f6hc-c5jr-878p	Flowise: auth bypass enables account takeover via null token	flowise	—
HIGH	GHSA-x5w6-38gp-mrqh	Flowise: HTTP reset link exposes tokens to MITM takeover	flowise	—
CRITICAL	GHSA-9wc7-mj3f-74xv	Flowise CSVAgent: RCE via Python code injection	flowise-components	—
MEDIUM	GHSA-w6v6-49gh-mc9w	Flowise: path traversal allows arbitrary file write via vector store	flowise-components	—
UNKNOWN	CVE-2026-42203	LiteLLM: SSTI in prompt template endpoint enables RCE	litellm	—
HIGH	CVE-2026-44504	Aegra: cross-tenant IDOR hijacks user thread data	aegra-api	—
MEDIUM	CVE-2025-61669	jupyter-server: Open redirect enables credential phishing	jupyter-server	—
UNKNOWN	CVE-2026-42232	n8n: XML Node prototype pollution → RCE	n8n	—
UNKNOWN	CVE-2026-42226	n8n: IDOR exposes cross-user API key exfiltration	n8n	—
UNKNOWN	CVE-2026-42234	n8n: Python sandbox escape enables container RCE	n8n	—
UNKNOWN	CVE-2026-42227	n8n: IDOR leaks cross-project variables via API key	n8n	—
MEDIUM	GHSA-h2vw-ph2c-jvwf	OpenClaw: env injection exposes MiniMax API key	openclaw	—
LOW	GHSA-v8qf-fr4g-28p2	OpenClaw: auth scope bypass exposes assistant-media files	openclaw	—
LOW	GHSA-xrq9-jm7v-g9h7	OpenClaw: auth bypass enables cross-device session hijack	openclaw	—
HIGH	GHSA-v4p8-mg3p-g94g	litellm: RCE via MCP test endpoints privilege bypass	litellm	—
HIGH	GHSA-xqmj-j6mv-4862	LiteLLM: RCE via unsandboxed prompt template rendering	litellm	—
HIGH	GHSA-2gvc-4f3c-2855	OpenClaw: auth bypass lets DM senders run room commands	openclaw	—