AI & LLM Vulnerabilities

MCP Atlassian has a server-side request forgery (SSRF, where a server is tricked into making requests to unintended URLs) vulnerability that allows an unauthenticated attacker to force the server to make outbound HTTP requests to any URL by supplying two custom headers without proper validation. This could enable credential theft in cloud environments or allow attackers to probe internal networks and inject malicious content into AI tool results.

PinchTab is an HTTP server that lets AI agents control a Chrome browser. Before version 0.7.7, it had a Server-Side Request Forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making requests to places it shouldn't, like internal networks or local files) in its /download endpoint that let any user with API access make the server request arbitrary URLs and steal the responses.

WeKnora has a broken access control vulnerability (a security flaw where the application fails to properly check permissions) that lets any logged-in user from one tenant (a separate customer or organization) read sensitive data from other tenants' databases, including API keys (credentials for accessing external services), model configurations, and private messages. The problem happens because three database tables (messages, embeddings, models) are allowed to be queried but don't have automatic tenant filtering applied to them.

Flowise incorrectly whitelisted the NVIDIA NIM router (`/api/v1/nvidia-nim/*`) in its authentication middleware, allowing anyone to access sensitive endpoints without logging in. This lets attackers steal NVIDIA API tokens, manipulate Docker containers, and cause denial of service attacks without needing valid credentials.

Flowise has a critical IDOR (insecure direct object reference, a flaw where an app trusts user input to identify which data to access without checking permissions) vulnerability in its login configuration endpoint. An attacker with a free account can modify any organization's single sign-on settings by simply specifying a different organization ID, enabling account takeover by redirecting logins to attacker-controlled credentials and bypassing enterprise license restrictions.

A mass assignment vulnerability (a type of attack where an attacker controls internal fields by sending them in a request) exists in Flowise's `/api/v1/leads` endpoint, allowing unauthenticated users to override auto-generated fields like `id`, `createdDate`, and `chatId` by including them in the request body. The vulnerability occurs because the code uses `Object.assign()` to copy all properties from user input directly into the database entity without filtering, bypassing the intended auto-generation of these fields.

Flowise has a file upload vulnerability where the server only checks the `Content-Type` header (MIME type spoofing, pretending a file is one type when it's actually another) that users provide, instead of verifying what the file actually contains. Because the upload endpoint is whitelisted (allowed without authentication), an attacker can upload malicious files by claiming they're safe types like PDFs, leading to stored attacks or remote code execution (RCE, where attackers run commands on the server).

Flowise has a critical authorization bypass flaw in its `/api/v1` routes where the middleware trusts any request with the header `x-request-from: internal`, even though this header can be spoofed by any user. This allows a low-privilege authenticated tenant (someone with a valid browser cookie) to call internal administration endpoints, like API key creation and credential management, without proper permission checks, effectively escalating their privileges.

GitHub Copilot CLI had a vulnerability where attackers could execute arbitrary code by hiding dangerous commands inside bash parameter expansion patterns (special syntax for manipulating variables). The safety system that checks whether commands are safe would incorrectly classify these hidden commands as harmless, allowing them to run without user approval.

OpenChatBI is a chat-based business intelligence tool that uses large language models to help users analyze data through conversation. Before version 0.2.2, it had a critical path traversal vulnerability (CWE-22, a flaw that lets attackers access files outside their intended directory) in its save_report tool because it didn't properly check the file_format input parameter. This vulnerability had a CVSS score (severity rating) of 8.7, indicating it was high-risk.

OpenSift, an AI study tool that uses semantic search (finding information based on meaning rather than exact word matches) and generative AI to analyze large datasets, had a security vulnerability in versions before 1.6.3-alpha. The vulnerability was an SSRF (server-side request forgery, where an attacker tricks the server into making requests to unintended locations) that allowed attackers to bypass security checks by using private URLs, non-standard ports, or redirects that the URL intake system didn't properly restrict.

OpenSift is an AI study tool that uses semantic search (finding information based on meaning rather than exact keywords) and generative AI to analyze large datasets. Before version 1.6.3-alpha, the software had a path-injection vulnerability (a flaw where attackers could manipulate file paths to access files outside intended directories) in its file storage system, allowing potential unauthorized file read, write, or delete operations.