AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-4993: A vulnerability has been found in wandb OpenUI up to 0.0.0.0/1.0. This impacts an unknown function of the file backend/o

lowvulnerability

security

Source: NVD/CVE DatabaseMarch 28, 2026CVE-2026-4993

Summary

A vulnerability (CVE-2026-4993) was found in wandb OpenUI up to version 1.0 where manipulating the LITELLM_MASTER_KEY argument in the backend/openui/config.py file can expose hard-coded credentials (passwords stored directly in the code). This vulnerability requires local access to exploit and has already been publicly disclosed, though the vendor did not respond to early notification.

Vulnerability Details

CVSS Score

3.3(low)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

local

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

March 28, 2026

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-259 CWE-798

Affected Vendors

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

First tracked: March 28, 2026 at 08:07 AM

Classified by LLM (prompt v3) · confidence: 75%