AI Threat Alert
ATLAS Landscape
AML.T0040
AI Model Inference API Access
Adversaries may gain access to a model via legitimate access to the inference API. Inference API access can be a source of information to the adversary ([Discover AI Model Ontology](/techniques/AML.T0013), [Discover AI Model Family](/techniques/AML.T0014)), a means of staging the attack ([Verify Attack](/techniques/AML.T0042), [Craft Adversarial Data](/techniques/AML.T0043)), or for introducing data to the target system for Impact ([Evade AI Model](/techniques/AML.T0015), [Erode AI Model Integrity](/techniques/AML.T0031)). Many systems rely on the same models provided via an inference API, which means they share the same vulnerabilities. This is especially true of foundation models which are prohibitively resource intensive to train. Adversaries may use their access to model APIs to identify vulnerabilities such as jailbreaks or hallucinations and then target applications that use the same models.
137 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-53767 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | azure_openai | 10.0 |
| CRITICAL | CVE-2020-15196 | TensorFlow: heap OOB read in sparse/ragged count ops | tensorflow | 9.9 |
| CRITICAL | CVE-2025-54381 | BentoML: unauthenticated SSRF via file upload URLs | bentoml | 9.9 |
| CRITICAL | CVE-2024-52384 | Sage AI Plugin: unrestricted upload → web shell RCE | 9.9 | |
| CRITICAL | CVE-2023-3686 | QuickAI: unauthenticated SQLi exposes OpenAI API keys | quickai_openai | 9.8 |
| CRITICAL | CVE-2026-25960 | vllm: SSRF allows internal network access | vllm | 9.8 |
| CRITICAL | CVE-2024-9053 | vllm: RCE via unsafe pickle deserialization in RPC server | vllm | 9.8 |
| CRITICAL | CVE-2022-41900 | TensorFlow: heap OOB RCE in FractionalMaxPool op | tensorflow | 9.8 |
| CRITICAL | CVE-2023-25664 | TensorFlow: heap overflow in AvgPoolGrad, RCE risk | tensorflow | 9.8 |
| CRITICAL | CVE-2020-15208 | TFLite: OOB read/write via tensor dimension mismatch | tensorflow | 9.8 |
| CRITICAL | CVE-2026-42208 | LiteLLM: SQL injection exposes LLM API credentials | litellm | 9.8 |
| CRITICAL | CVE-2025-63389 | ollama: Missing Auth allows unauthenticated access | ollama | 9.8 |
| CRITICAL | CVE-2026-30824 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | flowise | 9.8 |
| CRITICAL | CVE-2026-22778 | vllm: security flaw enables exploitation | vllm | 9.8 |
| CRITICAL | CVE-2024-47871 | Gradio: cleartext MITM exposes ML demo data via share=True | gradio | 9.1 |
| CRITICAL | CVE-2022-35938 | TensorFlow: OOB read in GatherNd causes crash/data leak | tensorflow | 9.1 |
| CRITICAL | CVE-2026-35030 | LiteLLM: auth bypass via JWT cache key collision | litellm | 9.1 |
| CRITICAL | CVE-2026-21445 | langflow: Missing Auth allows unauthenticated access | langflow | 9.1 |
| HIGH | CVE-2022-23574 | TensorFlow: heap OOB read/write enables network RCE | tensorflow | 8.8 |
| HIGH | CVE-2022-21727 | TensorFlow: Dequantize integer overflow, RCE risk | tensorflow | 8.8 |
| HIGH | GHSA-mcmc-2m55-j8jj | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | CVE-2020-15195 | TensorFlow: heap overflow in sparse gradient op | tensorflow | 8.8 |
| HIGH | CVE-2025-62164 | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | CVE-2025-9141 | vLLM: RCE via eval() in Qwen3 Coder tool parser | vllm | 8.8 |
| HIGH | CVE-2024-37032 | Ollama: path traversal enables RCE via model blob API | ollama | 8.8 |
| HIGH | CVE-2024-32965 | Lobe Chat: pre-auth SSRF leaks OpenAI API keys | 8.6 | |
| HIGH | CVE-2026-26286 | sillytavern: SSRF allows internal network access | 8.5 | |
| HIGH | CVE-2024-7039 | open-webui: Privilege bypass enables admin account deletion | open-webui | 8.3 |
| HIGH | CVE-2026-1117 | lollms: Access Control bypass enables privilege escalation | lollms | 8.2 |
| HIGH | CVE-2026-29872 | awesome-llm-apps MCP Agent: cross-session credential theft | 8.2 | |
| HIGH | CVE-2024-35199 | TorchServe: default gRPC exposure allows unauth inference | torchserve | 8.2 |
| HIGH | CVE-2024-4888 | litellm: arbitrary file deletion via audio endpoint | litellm | 8.1 |
| HIGH | CVE-2022-23592 | TensorFlow: heap OOB read in type inference engine | tensorflow | 8.1 |
| HIGH | CVE-2025-0628 | litellm: privilege escalation viewer→proxy admin via bad API key | litellm | 8.1 |
| HIGH | CVE-2024-47870 | Gradio: race condition enables backend URL hijacking | gradio | 8.1 |
| HIGH | CVE-2024-0453 | WordPress ChatBot: missing authz deletes OpenAI files | wpbot | 7.7 |
| HIGH | CVE-2024-7959 | Open-WebUI: SSRF via unchecked OpenAI URL leaks internal secrets | open-webui | 7.7 |
| HIGH | CVE-2024-0452 | WordPress AI ChatBot: auth bypass enables OpenAI file upload | wpbot | 7.7 |
| HIGH | CVE-2026-34936 | PraisonAI: SSRF via api_base steals cloud IAM credentials | praisonai | 7.7 |
| HIGH | CVE-2026-44555 | open-webui: access control bypass via model chaining | open-webui | 7.6 |
| HIGH | CVE-2024-7714 | AYS ChatGPT WP Plugin: auth bypass disables AI service | 7.5 | |
| HIGH | CVE-2024-6587 | LiteLLM: SSRF leaks OpenAI API key to attacker | litellm | 7.5 |
| HIGH | CVE-2024-8768 | vLLM: unauthenticated DoS via empty completion prompt | 7.5 | |
| HIGH | CVE-2026-40116 | PraisonAI: unauth WebSocket drains OpenAI API credits | praisonai | 7.5 |
| HIGH | CVE-2026-0599 | text-generation: DoS causes service disruption | 7.5 | |
| HIGH | CVE-2020-5215 | TensorFlow: type confusion DoS crashes eager mode inference | tensorflow | 7.5 |
| HIGH | CVE-2025-15514 | ollama: security flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2022-35934 | TensorFlow: tf.reshape DoS via integer overflow | tensorflow | 7.5 |
| HIGH | CVE-2025-59425 | vLLM: timing attack enables API key bypass | vllm | 7.5 |
| HIGH | CVE-2025-55558 | PyTorch: Inductor compiler buffer overflow causes DoS | pytorch | 7.5 |
| HIGH | CVE-2022-35935 | TensorFlow: DoS via SobolSample CHECK-failure | tensorflow | 7.5 |
| HIGH | CVE-2022-35971 | TensorFlow: DoS via invalid quantization tensor rank | tensorflow | 7.5 |
| HIGH | CVE-2022-35973 | TensorFlow: DoS via QuantizedMatMul input validation | tensorflow | 7.5 |
| HIGH | CVE-2022-35981 | TensorFlow: DoS via FractionalMaxPoolGrad assertion | tensorflow | 7.5 |
| HIGH | CVE-2022-35986 | TensorFlow: RaggedBincount DoS crashes inference server | tensorflow | 7.5 |
| HIGH | CVE-2022-36026 | TensorFlow: DoS via QuantizeAndDequantizeV3 CHECK fail | tensorflow | 7.5 |
| HIGH | CVE-2022-35993 | TensorFlow: DoS via malformed SetSize tensor shape | tensorflow | 7.5 |
| HIGH | CVE-2022-36003 | TensorFlow: DoS via RandomPoissonV2 large input | tensorflow | 7.5 |
| HIGH | CVE-2024-9606 | LiteLLM: API key leakage in logs exposes credentials | litellm | 7.5 |
| HIGH | CVE-2022-36016 | TensorFlow: CHECK-fail assertion crashes model serving | tensorflow | 7.5 |
| HIGH | CVE-2022-36017 | TensorFlow: DoS via malformed Requantize tensors | tensorflow | 7.5 |
| HIGH | CVE-2024-34527 | SolidUI: OpenAI API key exposed via log print statement | 7.5 | |
| HIGH | CVE-2025-46722 | vLLM: image hash collision enables multimodal cache leakage | vllm | 7.3 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| HIGH | CVE-2026-44567 | Open WebUI: auth bypass gives pending users full LLM access | open-webui | 7.3 |
| HIGH | CVE-2025-12973 | AI component: Arbitrary File Upload enables RCE | 7.2 | |
| HIGH | CVE-2021-29582 | TensorFlow: OOB heap read via Dequantize shape mismatch | tensorflow | 7.1 |
| HIGH | CVE-2026-24779 | vllm: SSRF allows internal network access | vllm | 7.1 |
| HIGH | CVE-2025-6242 | vLLM: SSRF in media loader exposes internal network | vllm | 7.1 |
| HIGH | CVE-2021-29560 | TensorFlow: heap OOB in RaggedTensorToTensor op | tensorflow | 7.1 |
| HIGH | CVE-2021-29532 | TensorFlow: heap OOB read via RaggedCross op | tensorflow | 7.1 |
| HIGH | CVE-2020-15193 | TensorFlow: uninitialized memory corruption via dlpack | tensorflow | 7.1 |
| HIGH | CVE-2026-44556 | open-webui: auth bypass allows unrestricted model access | open-webui | 7.1 |
| MEDIUM | CVE-2024-28224 | Ollama: DNS rebinding exposes LLM API to remote access | ollama | 6.6 |
| MEDIUM | CVE-2025-14980 | BetterDocs: Info Disclosure leaks sensitive data | 6.5 | |
| MEDIUM | CVE-2022-21731 | TensorFlow: ConcatV2 type confusion enables remote DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2025-62372 | vllm: security flaw enables exploitation | vllm | 6.5 |
| MEDIUM | CVE-2025-61620 | vllm: DoS via Jinja template injection in chat API | vllm | 6.5 |
| MEDIUM | CVE-2025-13922 | AI component: SQL Injection exposes database | 6.5 | |
| MEDIUM | CVE-2026-30886 | AI component: IDOR enables unauthorized data access | 6.5 | |
| MEDIUM | CVE-2022-23564 | TensorFlow: DoS via reachable assertion in protobuf decode | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21737 | TensorFlow: DoS via malformed Bincount arguments | tensorflow | 6.5 |
| MEDIUM | CVE-2026-44222 | vLLM: token injection DoS via multimodal placeholders | vllm | 6.5 |
| MEDIUM | CVE-2024-2206 | Gradio: SSRF exposes internal HuggingFace endpoints | gradio | 6.5 |
| MEDIUM | CVE-2025-68477 | langflow: SSRF allows internal network access | langflow | 6.5 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | open-webui | 6.5 |
| MEDIUM | CVE-2025-29770 | vLLM: DoS via unbounded grammar cache exhausts disk | vllm | 6.5 |
| MEDIUM | CVE-2026-44560 | open-webui: RAG auth bypass exposes private files | open-webui | 6.5 |
| MEDIUM | CVE-2025-62426 | vllm: Resource Exhaustion enables DoS | vllm | 6.5 |
| MEDIUM | GHSA-hf3c-wxg2-49q9 | vLLM: DoS via unbounded XGrammar schema cache | vllm | 6.5 |
| MEDIUM | CVE-2025-48942 | vLLM: DoS via malformed JSON schema guided param | vllm | 6.5 |
| MEDIUM | CVE-2025-48943 | vLLM: ReDoS crashes inference server via malformed regex | vllm | 6.5 |
| MEDIUM | CVE-2026-34756 | vLLM: DoS via unbounded n parameter causes OOM crash | vllm | 6.5 |
| MEDIUM | CVE-2024-13698 | Jobify WP: missing authz allows OpenAI key abuse, SSRF | 6.5 | |
| MEDIUM | CVE-2024-11896 | WP Text Prompter: Stored XSS in OpenAI shortcode plugin | 6.4 | |
| MEDIUM | CVE-2025-6716 | Contest Gallery WP Plugin: Stored XSS in OpenAI integration | 6.4 | |
| MEDIUM | CVE-2026-5530 | Ollama: SSRF in Model Pull API enables network pivot | 6.3 | |
| MEDIUM | CVE-2026-5803 | openai-realtime-ui: SSRF in API proxy endpoint | 6.3 | |
| MEDIUM | CVE-2024-8939 | ilab/vllm: best_of param causes inference API DoS | 6.2 | |
| MEDIUM | CVE-2026-7141 | vllm: uninitialized KV cache memory leaks inference data | vllm | 5.6 |
| MEDIUM | CVE-2023-1651 | AI ChatBot WP: auth bypass exposes OpenAI config + XSS | wpbot | 5.4 |
| MEDIUM | CVE-2025-45809 | LiteLLM: SQL injection in key management API | litellm | 5.4 |
| MEDIUM | CVE-2026-34753 | vLLM: SSRF in batch API exposes cloud metadata endpoints | vllm | 5.4 |
| MEDIUM | CVE-2026-44563 | open-webui: auth bypass exposes restricted LLM models | open-webui | 5.4 |
| MEDIUM | CVE-2025-46153 | PyTorch: Dropout inconsistency enables membership inference | pytorch | 5.3 |
| MEDIUM | GHSA-26jh-r8g2-6fpr | Gradio: Dropdown validation bypass enables arbitrary input | gradio | 5.3 |
| MEDIUM | CVE-2023-34094 | ChuanhuChatGPT: config exposure leaks API keys | chuanhuchatgpt | 5.3 |
| MEDIUM | CVE-2026-2589 | Greenshift: Info Disclosure leaks sensitive data | 5.3 | |
| MEDIUM | CVE-2024-6845 | ChatGPT WP Plugin: OpenAI API key leak via unauth REST | 5.3 | |
| MEDIUM | CVE-2026-39411 | LobeChat: auth bypass via forged XOR obfuscated header | @lobehub/lobehub | 5.0 |
| MEDIUM | CVE-2024-0451 | wpbot: missing auth exposes OpenAI account files | wpbot | 5.0 |
| MEDIUM | CVE-2025-12732 | AI component: Info Disclosure leaks sensitive data | 4.3 | |
| MEDIUM | CVE-2025-12360 | Better: security flaw enables exploitation | 4.3 | |
| MEDIUM | CVE-2025-60511 | Moodle: IDOR enables unauthorized data access | 4.3 | |
| MEDIUM | CVE-2025-31843 | OpenAI WP Plugin: broken access control on AI settings | 4.3 | |
| MEDIUM | CVE-2024-7045 | open-webui: missing authz exposes admin prompts | open-webui | 4.3 |
| MEDIUM | CVE-2026-6393 | BetterDocs: Auth bypass drains OpenAI API quota | 4.3 | |
| MEDIUM | CVE-2025-68492 | chainlit: IDOR enables unauthorized data access | chainlit | 4.2 |
| LOW | CVE-2025-5320 | Gradio: CORS origin bypass in ML UI handler | gradio | 3.7 |
| LOW | CVE-2024-47869 | Gradio: timing attack exposes analytics dashboard auth | gradio | 3.7 |
| LOW | CVE-2026-4993 | OpenUI: hard-coded LiteLLM master key credential leak | 3.3 | |
| LOW | CVE-2025-25183 | vLLM: hash collision enables prefix cache poisoning | vllm | 2.6 |
| LOW | CVE-2025-1953 | vLLM AIBrix: weak hash in prefix cache leaks inference patterns | 2.6 | |
| LOW | CVE-2025-46570 | vLLM: timing side-channel leaks prompt cache data | vllm | 2.6 |
| UNKNOWN | CVE-2026-33401 | Wallos: SSRF allows internal network access | — | |
| UNKNOWN | CVE-2025-11203 | LiteLLM: Info Disclosure leaks sensitive data | — | |
| UNKNOWN | CVE-2024-11037 | gpt_academic: path traversal exposes LLM API keys | gpt_academic | — |
| MEDIUM | GHSA-68f8-9mhj-h2mp | OpenClaw: HTTP scope bypass enables model enumeration | openclaw | — |
| UNKNOWN | CVE-2024-56516 | free-one-api: MD5 hashing allows credential cracking | — | |
| HIGH | GHSA-xqmj-j6mv-4862 | LiteLLM: RCE via unsandboxed prompt template rendering | litellm | — |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | — | |
| UNKNOWN | CVE-2026-25083 | GROWI: Missing Auth allows unauthorized operations | — | |
| UNKNOWN | CVE-2024-1729 | Gradio: timing attack enables auth bypass on ML UIs | gradio | — |
| CRITICAL | GHSA-r75f-5x8p-qvmc | litellm: SQLi exposes all managed LLM API credentials | litellm | — |
| UNKNOWN | CVE-2026-4399 | 1millionbot Millie: Boolean prompt injection bypasses restrictions | — | |
| HIGH | GHSA-69x8-hrgq-fjj8 | LiteLLM: auth bypass chain enables full privilege escalation | litellm | — |
| LOW | CVE-2025-63681 | open-webui: Access Control bypass enables privilege escalation | open-webui | — |