INFRASTRUCTURE
(33)33 hack(s).
One request, one crash: a reachable assertion downs vLLM servers
A prompt-embeds request aimed at a multimodal model in vLLM trips an internal assertion and fatally crashes the whole inference server — an authenticated denial of service fixed in July 2026.
An incomplete patch: memory-address leaks return in vLLM's newer API routes
The fix for vLLM's critical image-parsing flaw sanitized the OpenAI router — but routes added weeks later re-echo raw exception text, leaking heap addresses and reopening an ASLR-bypass primitive.
Langflow bulk-delete path traversal wipes arbitrary server directories
A path traversal in Langflow's Knowledge Bases delete API lets an authenticated user erase directories anywhere the process can write. Fixed in 1.9.0; versions 1.8.4 and earlier are exposed.
SSRF in Azure OpenAI: when a managed AI service becomes a privilege-escalation proxy
Microsoft disclosed a critical server-side request forgery flaw in Azure OpenAI on July 2, 2026. An authenticated user could coerce the managed service into reaching internal endpoints and escalate privileges over the network.
Crawl4AI's Docker API: when a browser-config field becomes unauthenticated RCE
A July 2026 flaw let a request field in a popular LLM web crawler smuggle Chromium launch switches and run commands on the host — no authentication, a single HTTP request, CVSS 10.0.
ServiceNow AI Platform: a sandbox escape allows unauthenticated code execution
On July 13, 2026, ServiceNow patched a critical sandbox escape in its AI Platform that lets an unauthenticated attacker run code on affected instances. It's a reminder that the sandbox around an AI feature is a security boundary — treat it like one.
Vector-store metadata filters are an injection sink in Spring AI
Spring AI passed user-controlled filter strings and document IDs straight into each backend's native query language, turning RAG metadata filtering into classic SQL and query injection across five vector stores.
Pickle over gRPC: unauthenticated RCE in a robot policy server
Hugging Face's LeRobot ran its robot-to-policy inference channel on pickle over unauthenticated gRPC — any host that reached the port got remote code execution. The June 2026 fix drops pickle entirely.
When the image loader becomes an SSRF: cloud metadata theft on vision-LLM nodes
A server-side request forgery in a popular open-source LLM serving toolkit let attackers turn a vision model's image loader into a scanner for cloud metadata and internal services — exploited within hours of disclosure.
vLLM structured outputs: one regex can freeze an inference worker
A July 2026 advisory shows vLLM's structured-outputs regex parameter compiled user patterns with no timeout, letting a single crafted request hang a worker and deny service. Fixed in 0.24.0.
LiteLLM's MCP test endpoints: command injection now under active exploitation
A command-injection flaw in LiteLLM's MCP test endpoints lets any proxy API key run host commands. Patched May 8, 2026, it entered the CISA KEV catalog on June 8 after confirmed in-the-wild exploitation.
Unauthenticated RCE in llama.cpp's distributed-inference RPC backend
A missing bounds check in llama.cpp's RPC backend lets any client with TCP access to the server port read and write process memory and reach remote code execution. Fixed in b8492.
Identifier-position SQL injection in Amazon's MCP gateway registry
A July 2026 advisory patched an authenticated SQL injection in Amazon's open-source MCP gateway registry, where an unsanitized table name in identifier position let a caller read stored agent API keys.
vLLM speech-to-text routes buffer the whole audio upload before the size check
A July 2026 advisory shows vLLM's transcription and translation endpoints read an entire uploaded audio file into memory before enforcing the size cap, letting a reachable caller trigger memory exhaustion.
Langflow's cross-tenant flow hijack: the 9.9 bug attackers ignored
Sysdig caught the first in-the-wild use of a Langflow flaw that lets one authenticated user run another tenant's flow — and its credentials. Scored higher than the RCE beside it, it was barely touched.
RAGFlow CVE-2026-45312: a prompt template that runs OS commands
A Jinja2 template injection in RAGFlow's prompt generator turns a user-controlled prompt field into server-side RCE. CVSS 9.9, disclosed May 9, 2026.
vLLM SSRF: when the allowlist patch carried the same parser bug
Two vLLM advisories show the same flaw twice: a host allowlist validated with one URL parser and fetched with another. The fix swapped the parser pair and reopened the bypass.
LangChain Core path traversal: legacy load_prompt reads arbitrary files
CVE-2026-34070 lets crafted prompt configs walk LangChain's filesystem via load_prompt, exposing .txt/.json/.yaml secrets. Disclosed March 27, 2026, fixed in langchain-core 1.2.22.
The serving layer is the attack surface: concurrency bugs in vLLM and SGLang
A May 2026 fuzzer, GRIEF, treats concurrent request traces as inputs and finds 15 serving-layer bugs (2 CVEs) in vLLM and SGLang: cross-request output contamination, noisy-neighbor DoS, and delayed crashes — no malformed input required.
LiteLLM CVE-2026-49468: a Host-header auth bypass in the gateway's own routing
Disclosed June 17, 2026, CVE-2026-49468 lets a crafted Host header desync LiteLLM's auth route from the route FastAPI runs — an app-layer repeat of BadHost, fixed in LiteLLM 1.84.0.
LiteLLM CVE-2026-47101→40217: low-privilege user to admin and RCE
Obsidian Security disclosed a three-bug LiteLLM chain (June 2026) that walks a default low-privilege user up to proxy_admin and remote code execution — a CVSS 9.9 takeover of the AI gateway.
Langflow CVE-2026-5027: unauthenticated file write to RCE under active attack
A path traversal in Langflow's /api/v2/files endpoint lets an unauthenticated request write files anywhere on disk. VulnCheck confirmed in-the-wild exploitation on June 9, 2026; ~7,000 instances are exposed.
ChromaToast: a pre-auth RCE in the ChromaDB vector database
HiddenLayer's May 18, 2026 disclosure (CVE-2026-45829, CVSS 10.0) shows ChromaDB's Python server loads an attacker's HuggingFace model and runs its code before it ever checks authentication.
Exposed MCP Servers Become Cloud Takeover Pivots
Command injection in cloud MCP servers (CVE-2026-5058/5059) lets attackers reach the instance metadata service, steal the IAM role, and pivot into the whole cloud account.
Multimodal input as attack surface: vLLM's video-decoder RCE (CVE-2026-22778)
CVE-2026-22778 turns a malicious video URL into remote code execution on vLLM servers, chaining a PIL info leak with an FFmpeg JPEG2000 heap overflow. Patched in 0.14.1.
LiteLLM CVE-2026-42271: MCP test endpoints chain to unauthenticated RCE
Disclosed in April as an authenticated command injection, LiteLLM's MCP preview endpoints became unauthenticated RCE once chained with Starlette's BadHost bypass — CISA added it to KEV on June 8, 2026.
Langflow's public build endpoint: unauthenticated RCE weaponised in 20 hours
CVE-2026-33017 turns Langflow's public flow-build endpoint into unauthenticated remote code execution. Disclosed March 17, 2026, it was exploited in the wild within 20 hours — before any public PoC existed.
SGLang's ZMQ broker: unauthenticated RCE via pickle deserialization
Three CVEs disclosed March 12, 2026 turn SGLang's pickle.loads() calls into unauthenticated remote code execution. The fix landed in v0.5.10 — but the real lesson is that pickle on a network socket is RCE by design.
LightLLM CVE-2026-26220: pickle on a WebSocket the server forces onto the network
CVE-2026-26220 (disclosed Feb 15, 2026) puts pickle.loads() on two unauthenticated WebSocket endpoints in LightLLM's prefill-decode mode — and the server refuses to bind to localhost, so the surface is always remote.
MCPwn (CVE-2026-33032): nginx-ui MCP endpoint hands over the web server
An unauthenticated MCP endpoint in nginx-ui ≤ 2.3.3 lets any network attacker rewrite nginx configs and restart the service. CVSS 9.8, publicly disclosed on April 15, 2026, exploited in the wild within hours of the patch.
BadHost (CVE-2026-48710): one Host-header character bypasses auth in Starlette, vLLM and FastMCP
X41 D-Sec disclosed on May 22, 2026 a critical auth bypass in Starlette < 1.0.1. A single / ? or # in the HTTP Host header desynchronises the routed path from the path the middleware sees, breaking path-based authorization in vLLM, LiteLLM, FastMCP and thousands of FastAPI-based AI agents.
LiteLLM CVE-2026-42208: a pre-auth SQL injection in the AI gateway
Disclosed April 20, 2026 and exploited 36 hours after the global advisory dropped, CVE-2026-42208 turns LiteLLM's Authorization header into a direct read on every provider key the proxy fronts.
LMDeploy SSRF: when an image loader turns into an AI-infrastructure hijack
CVE-2026-33626 turned LMDeploy's load_image() into a generic SSRF primitive. Honeypots saw the first weaponised exploit 12 hours and 31 minutes after the advisory went live.