AI Threat Alert
Cloud Service Discovery
Adversaries may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), or AI-as-a-service (AIaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, AI Inference, Generative AI, Agentic AI, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity. They may use tools to check credentials and enumerate the AI models available in various AIaaS providers' environments including AI21 Labs, Anthropic, AWS Bedrock, Azure, ElevenLabs, MakerSuite, Mistral, OpenAI, OpenRouter, and GCP Vertex AI [\[1\]][1]. [1]: https://www.sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-2828 | LangChain RequestsToolkit: SSRF exposes cloud metadata | langchain | 10.0 |
| CRITICAL | CVE-2025-53767 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | azure_openai | 10.0 |
| CRITICAL | CVE-2025-54381 | BentoML: unauthenticated SSRF via file upload URLs | bentoml | 9.9 |
| HIGH | CVE-2026-34955 | PraisonAI: sandbox escape via shell=True blocklist bypass | praisonai | 8.8 |
| HIGH | CVE-2026-28416 | gradio: SSRF allows internal network access | gradio | 8.6 |
| HIGH | CVE-2026-39974 | n8n-MCP: SSRF exposes cloud metadata via MCP headers | 8.5 | |
| HIGH | CVE-2026-26286 | sillytavern: SSRF allows internal network access | 8.5 | |
| HIGH | CVE-2026-42449 | n8n-mcp: SSRF bypass via IPv6 leaks API keys | n8n-mcp | 8.5 |
| HIGH | CVE-2025-65958 | open-webui: SSRF allows internal network access | open-webui | 8.5 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| HIGH | CVE-2026-27826 | mcp-atlassian: SSRF allows internal network access | mcp-atlassian | 8.2 |
| HIGH | CVE-2026-40150 | PraisonAIAgents: SSRF exposes cloud metadata via web_crawl | praisonaiagents | 7.7 |
| HIGH | CVE-2024-3095 | LangChain: SSRF in Web Retriever exposes cloud metadata | langchain | 7.7 |
| HIGH | CVE-2026-22219 | chainlit: SSRF allows internal network access | chainlit | 7.7 |
| HIGH | CVE-2026-34936 | PraisonAI: SSRF via api_base steals cloud IAM credentials | praisonai | 7.7 |
| HIGH | CVE-2024-7959 | Open-WebUI: SSRF via unchecked OpenAI URL leaks internal secrets | open-webui | 7.7 |
| HIGH | CVE-2026-40114 | PraisonAI: unauthenticated SSRF via unvalidated webhook_url | PraisonAI | 7.2 |
| HIGH | CVE-2025-6242 | vLLM: SSRF in media loader exposes internal network | vllm | 7.1 |
| HIGH | CVE-2026-24779 | vllm: SSRF allows internal network access | vllm | 7.1 |
| HIGH | GHSA-xhmj-rg95-44hv | Flowise: SSRF bypass exposes cloud IAM credentials | flowise-components | 7.1 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | flowise | 7.1 |
| MEDIUM | CVE-2026-3340 | IBM Langflow: SSRF enables internal network enumeration | langflow | 6.5 |
| MEDIUM | CVE-2025-68477 | langflow: SSRF allows internal network access | langflow | 6.5 |
| MEDIUM | CVE-2025-67743 | local-deep-research: SSRF allows internal network access | 6.3 | |
| MEDIUM | CVE-2025-52967 | MLflow: unauthenticated SSRF in gateway proxy | mlflow | 5.8 |
| MEDIUM | CVE-2026-34753 | vLLM: SSRF in batch API exposes cloud metadata endpoints | vllm | 5.4 |
| MEDIUM | CVE-2026-26019 | langchain_community: SSRF allows internal network access | langchain_community | 4.1 |
| UNKNOWN | CVE-2026-33401 | Wallos: SSRF allows internal network access | — | |
| MEDIUM | GHSA-9hrv-gvrv-6gf2 | Flowise: SSRF bypass enables cloud metadata access | flowise-components | — |
| UNKNOWN | CVE-2024-1183 | Gradio: SSRF enables internal network port scanning | gradio | — |
| UNKNOWN | CVE-2026-2286 | CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services | — | |
| UNKNOWN | CVE-2024-12775 | Dify: SSRF via custom tool URL enables credential theft | — |