INFRASTRUCTURE
18 hacks.
vLLM SSRF: when the allowlist patch carried the same parser bug
Two vLLM advisories show the same flaw twice: a host allowlist validated with one URL parser and fetched with another. The fix swapped the parser pair and reopened the bypass.
RAGFlow CVE-2026-45312: a prompt template that runs OS commands
A Jinja2 template injection in RAGFlow's prompt generator turns a user-controlled prompt field into server-side RCE. CVSS 9.9, disclosed May 9, 2026.
LangChain Core path traversal: legacy load_prompt reads arbitrary files
CVE-2026-34070 lets crafted prompt configs walk LangChain's filesystem via load_prompt, exposing .txt/.json/.yaml secrets. Disclosed March 27, 2026, fixed in langchain-core 1.2.22.
The serving layer is the attack surface: concurrency bugs in vLLM and SGLang
A May 2026 fuzzer, GRIEF, treats concurrent request traces as inputs and finds 15 serving-layer bugs (2 CVEs) in vLLM and SGLang: cross-request output contamination, noisy-neighbor DoS, and delayed crashes — no malformed input required.
LiteLLM CVE-2026-49468: a Host-header auth bypass in the gateway's own routing
Disclosed June 17, 2026, CVE-2026-49468 lets a crafted Host header desync LiteLLM's auth route from the route FastAPI runs — an app-layer repeat of BadHost, fixed in LiteLLM 1.84.0.
LiteLLM CVE-2026-47101→40217: low-privilege user to admin and RCE
Obsidian Security disclosed a three-bug LiteLLM chain (June 2026) that walks a default low-privilege user up to proxy_admin and remote code execution — a CVSS 9.9 takeover of the AI gateway.
Langflow CVE-2026-5027: unauthenticated file write to RCE under active attack
A path traversal in Langflow's /api/v2/files endpoint lets an unauthenticated request write files anywhere on disk. VulnCheck confirmed in-the-wild exploitation on June 9, 2026; ~7,000 instances are exposed.
Exposed MCP Servers Become Cloud Takeover Pivots
Command injection in cloud MCP servers (CVE-2026-5058/5059) lets attackers reach the instance metadata service, steal the IAM role, and pivot into the whole cloud account.
Multimodal input as attack surface: vLLM's video-decoder RCE (CVE-2026-22778)
CVE-2026-22778 turns a malicious video URL into remote code execution on vLLM servers, chaining a PIL info leak with an FFmpeg JPEG2000 heap overflow. Patched in 0.14.1.
ChromaToast: a pre-auth RCE in the ChromaDB vector database
HiddenLayer's May 18, 2026 disclosure (CVE-2026-45829, CVSS 10.0) shows ChromaDB's Python server loads an attacker's HuggingFace model and runs its code before it ever checks authentication.
LiteLLM CVE-2026-42271: MCP test endpoints chain to unauthenticated RCE
Disclosed in April as an authenticated command injection, LiteLLM's MCP preview endpoints became unauthenticated RCE once chained with Starlette's BadHost bypass — CISA added it to KEV on June 8, 2026.
Langflow's public build endpoint: unauthenticated RCE weaponised in 20 hours
CVE-2026-33017 turns Langflow's public flow-build endpoint into unauthenticated remote code execution. Disclosed March 17, 2026, it was exploited in the wild within 20 hours — before any public PoC existed.
SGLang's ZMQ broker: unauthenticated RCE via pickle deserialization
Three CVEs disclosed March 12, 2026 turn SGLang's pickle.loads() calls into unauthenticated remote code execution. The fix landed in v0.5.10 — but the real lesson is that pickle on a network socket is RCE by design.
LightLLM CVE-2026-26220: pickle on a WebSocket the server forces onto the network
CVE-2026-26220 (disclosed Feb 15, 2026) puts pickle.loads() on two unauthenticated WebSocket endpoints in LightLLM's prefill-decode mode — and the server refuses to bind to localhost, so the surface is always remote.
MCPwn (CVE-2026-33032): nginx-ui MCP endpoint hands over the web server
An unauthenticated MCP endpoint in nginx-ui ≤ 2.3.3 lets any network attacker rewrite nginx configs and restart the service. CVSS 9.8, publicly disclosed on April 15, 2026, exploited in the wild within hours of the patch.
BadHost (CVE-2026-48710): one Host-header character bypasses auth in Starlette, vLLM and FastMCP
X41 D-Sec disclosed on May 22, 2026 a critical auth bypass in Starlette < 1.0.1. A single /, ? or # character in the HTTP Host header desynchronises the routed path from the path the middleware sees, breaking path-based authorization in vLLM, LiteLLM, FastMCP and thousands of FastAPI-based AI agents.
LiteLLM CVE-2026-42208: a pre-auth SQL injection in the AI gateway
Disclosed April 20, 2026 and exploited 36 hours after the global advisory dropped, CVE-2026-42208 turns LiteLLM's Authorization header into a direct read on every provider key the proxy fronts.
LMDeploy SSRF: when an image loader turns into an AI-infrastructure hijack
CVE-2026-33626 turned LMDeploy's load_image() into a generic SSRF primitive. Honeypots saw the first weaponised exploit 12 hours and 31 minutes after the advisory went live.