CVE-2025-6920

EPSS 0.05%
Published 01.07.2025 13:16:17
Last modified 18.08.2025 19:07:43
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/* endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows unauthorized users to access the same inference features available on protected endpoints, potentially exposing sensitive functionality or allowing unintended access to backend resources.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Ai Inference Server Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.162

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://access.redhat.com/security/cve/CVE-2025-6920

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2375522

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-6920

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-6920

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-6920

EUVD