CVE-2025-6920

Name of the Vulnerable Software and Affected Versions: ai-inference-server (affected versions not specified)

Description: A flaw was found in the authentication enforcement mechanism of a model inference API. The issue affects the "/v1/*" endpoints, where API key validation is expected but not properly enforced, particularly in the "POST /invocations" endpoint. This results in an authentication bypass, allowing unauthorized users to access protected endpoints and potentially exposing sensitive functionality or allowing unintended access to backend resources.

Recommendations: As a temporary workaround, consider disabling the "POST /invocations" endpoint until a patch is available. Restrict access to the "/v1/*" endpoints to minimize the risk of exploitation. Avoid using the ai-inference-server until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.