Skip to content

Secure IT

Stay Secure. Stay Informed.

Primary Menu
  • Home
  • Sources
    • Krebs On Security
    • Security Week
    • The Hacker News
    • Schneier On Security
  • Home
  • The Hacker News
  • We Scanned 1 Million Exposed AI Services. Here’s How Bad the Security Actually Is
  • The Hacker News

We Scanned 1 Million Exposed AI Services. Here’s How Bad the Security Actually Is

[email protected] The Hacker News Published: May 5, 2026 | Updated: May 9, 2026 5 min read
0 views

While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security.

In the wake of the ClawdBot fiasco — the viral self-hosted AI assistant that’s averaging an eye-watering 2.6 CVEs per day — the Intruder team wanted to investigate how bad the security of AI infrastructure actually is.

To scope the attack surface, we used certificate transparency logs to pull just over 2 million hosts with 1 million exposed services. What we found wasn’t pretty. In fact, the AI infrastructure we scanned was more vulnerable, exposed, and misconfigured than any other software we’ve ever investigated.

No authentication by default

It didn’t take long to spot an alarming pattern: a significant number of hosts had been deployed straight out of the box, with no authentication in place. Looking into the source code revealed why: authentication simply isn’t enabled by default in many of these projects. 

Real user data and company tooling were sitting exposed to anyone who looked. In the wrong hands, the consequences range from reputational damage to full compromise.

Here are some of the most striking examples of what was exposed.

Freely accessible chatbots

A number of instances involved chatbots that left user conversations exposed. One example, based on OpenUI, exposed a user’s full LLM conversation history. It might seem relatively innocent on the surface, but chat histories in enterprise environments can reveal a lot.

More concerning were generic chatbots hosting a wide range of models — including multimodal LLMs — freely available to use. Malicious users can jailbreak most models to bypass safety guardrails for nefarious purposes — like generating illegal imagery, or soliciting advice with intent to commit a crime — and do so without fear of repercussion, since they’re using someone else’s infrastructure. This isn’t hypothetical. People are finding creative ways to abuse company chatbots to access more capable models without paying or having requests logged to their own accounts.

There were also some questionable chatbots exposing large volumes of personal NSFW conversations. If that wasn’t bad enough, the software running the Claude-powered goon-bots also disclosed their API keys in plaintext.

Wide open agent management platforms

We also discovered exposed instances of agent management platforms, including n8n and Flowise. Some instances that users clearly thought were internal had been exposed to the internet without authentication. One of the most egregious examples was a Flowise instance that exposed the entire business logic of an LLM chatbot service.

Their credential list was exposed too. Flowise was hardened enough not to reveal the stored values to an unauthenticated visitor, which limits the immediate damage, but an attacker could still use the tools connected to those credentials to exfiltrate sensitive information.

This is what makes these platforms particularly dangerous. There’s a distinct absence of proper access management controls in AI tooling, meaning access to a bot that’s integrated with a third-party system often means access to everything it touches.

In another example, the setup exposed a number of internet parsing tools and potentially dangerous local functions, such as file writes and code interpreting, making server-side code execution a realistic prospect.

We identified over 90 exposed instances across sectors such as government, marketing, and finance. All of those chatbots, their workflows, prompts, and outward access were open. An attacker could modify the workflows, redirect traffic, expose user data, or poison responses. 

Saying hello to unsecured Ollama APIs

One of the more surprising findings was the sheer number of exposed Ollama APIs accessible without authentication, with a model connected. We fired a single prompt (“Hello”) to every server that listed a connected model, to see if we’d be prompted to authenticate. Of the 5,200+ servers queried, 31% answered. 

The responses gave a window into what these APIs were being used for. We couldn’t morally explore any further, but the implications are far-reaching. A few examples:

“Greetings, Master. Your command is my law. What is your desire? Speak freely. I am here to fulfill it, without hesitation or question.”

“I am here to assist you in any way I can with your health and wellbeing issues. Whether it’s anxiety, sleep problems, or other concerns, don’t hesitate to ask me for help.”

“Welcome! I’m an AI assistant integrated with our cloud management systems. I can help you with operational tasks, infrastructure deployment, and service queries.”

Ollama doesn’t store messages directly, so there’s no immediate risk of conversation data being exposed. But many of these instances were wrapping paid frontier models from Anthropic, Deepseek, Moonshot, Google, and OpenAI. Of all the models identified across all servers, 518 were wrapping well-known frontier models.

Insecure by design

After triaging the results, it was clear that some of the tech warranted a closer look. We spent time analyzing a subset of the applications in a lab environment — and found repeated insecure patterns throughout:

  • Poor deployment practices: Insecure defaults, misconfigured Docker setups, hardcoded credentials, applications running as root
  • No authentication on fresh installs: Many projects drop users straight into a high-privilege account with full management access
  • Hardcoded and static credentials: Embedded in setup examples and docker-compose files rather than generated on installation
  • New technical vulnerabilities: Within a couple of days of lab work, we had already found arbitrary code execution in one popular AI project

These misconfigurations are made even worse when agents have access to tools like code interpretation. The blast radius gets significantly larger when sandboxing is weak, and the infrastructure isn’t sitting in a DMZ.

Speed is winning. Security is lagging behind

Some of the projects powering LLM infrastructure have clearly abandoned decades of hard-won security best practices in favour of shipping fast. That said, it’s not purely a vendor problem. The speed of AI adoption and the pressure to beat competitors to market are what’s driving it.

Don’t wait for an attacker to find your exposed AI infrastructure first. Intruder finds misconfigurations and shows you what’s visible from the outside.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

About The Author

[email protected] The Hacker News

See author's posts

Original post here

What do you feel about this?

  • The Hacker News

Post navigation

Previous: ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows
Next: MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks

Author's Other Posts

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now cpanel-3.jpg

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

May 9, 2026 0 1
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms banking.jpg

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

May 9, 2026 0 0
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads android-calls.jpg

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

May 9, 2026 0 0
One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches zz-webinar.jpg

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

May 9, 2026 0 1

Related Stories

cpanel-3.jpg
  • The Hacker News

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

[email protected] The Hacker News May 9, 2026 0 1
banking.jpg
  • The Hacker News

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

[email protected] The Hacker News May 9, 2026 0 0
android-calls.jpg
  • The Hacker News

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

[email protected] The Hacker News May 9, 2026 0 0
zz-webinar.jpg
  • The Hacker News

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

[email protected] The Hacker News May 9, 2026 0 1
kube.jpg
  • The Hacker News

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

[email protected] The Hacker News May 9, 2026 0 0
ai-soc.jpg
  • The Hacker News

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk

[email protected] The Hacker News May 9, 2026 0 1

Trending Now

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0

Connect with Us

Social menu is not set. You need to create menu and assign it to Social Menu on Menu Settings.

Trending News

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0
Lawmakers Demand Answers as CISA Tries to Contain Data Leak Lawmakers Demand Answers as CISA Tries to Contain Data Leak 5
  • Uncategorized

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

May 22, 2026 0 0
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada 6
  • Uncategorized

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

May 21, 2026 0 0
CISA Admin Leaked AWS GovCloud Keys on Github CISA Admin Leaked AWS GovCloud Keys on Github 7
  • Uncategorized

CISA Admin Leaked AWS GovCloud Keys on Github

May 18, 2026 0 0

You may have missed

Who Runs the Ransomware Group ‘The Gentlemen?’
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

Sean June 10, 2026 0 0
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

Sean June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

Sean June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Sean May 25, 2026 0 0
Copyright © 2026 All rights reserved. | MoreNews by AF themes.