Detecting Critical AI Infrastructure Vulnerabilities with AI-Infra-Guard
As open‑source large language model tools such as Ollama, OpenWebUI and ComfyUI gain popularity, security flaws such as unauthenticated APIs, exploitable CVEs, model theft and remote code execution have emerged, prompting the development of AI‑Infra‑Guard, a lightweight, cross‑platform scanner that identifies more than 30 component vulnerabilities and offers both web UI and CLI modes for rapid risk assessment.
Background
The rapid rise of open‑source LLMs (e.g., DeepSeek R1) has led many developers and enterprises to deploy models locally using tools such as Ollama, OpenWebUI and ComfyUI. While these solutions provide convenience and data privacy, they often expose serious security risks when misconfigured.
Typical AI Infrastructure Risks
Unauthenticated REST APIs that allow attackers to delete or download models.
Exposed ports (e.g., Ollama’s default 11434) reachable from the public internet.
Vulnerabilities that enable model theft, compute hijacking, or remote code execution (e.g., CVE‑2024‑37032 in Ollama).
Plugin‑related flaws in ComfyUI and OpenWebUI that lead to arbitrary file reads, writes, or command execution.
Vulnerabilities in Popular Components
Ollama
Ollama runs a RESTful API on port 11434 and, in its official Docker image, exposes this port publicly without authentication. Reported issues include:
Model deletion via the delete endpoint.
Model theft by pulling private models from a custom mirror.
Compute theft by invoking the chat endpoint to consume GPU cycles.
Model poisoning through malicious model uploads followed by replacement of legitimate models.
Remote code execution (CVE‑2024‑37032) affecting Ollama versions prior to 0.1.34.
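The two Ollama findings above (an API answering without credentials, and a version older than 0.1.34) can be checked from the defender's side with a few HTTP requests. The script below is an added example, not code from AI‑Infra‑Guard or the original post; it assumes Ollama's documented GET /api/version and GET /api/tags endpoints and defaults to 127.0.0.1:11434.

```python
"""Report whether a reachable Ollama API is unauthenticated and whether its
version predates the CVE-2024-37032 fix. Added example, not AI-Infra-Guard code."""
import json
import urllib.request

# First version the text above names as no longer affected by CVE-2024-37032.
FIXED_VERSION = (0, 1, 34)


def parse_version(text):
    """'0.1.33' -> (0, 1, 33); tolerates a leading 'v' and a '-rc1' style suffix."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version_text, model_names):
    """Turn the raw answers into findings; version_text is None if /api/version did not answer."""
    findings = []
    if version_text is not None:
        findings.append("unauthenticated API: /api/version answered without credentials")
        if parse_version(version_text) < FIXED_VERSION:
            findings.append(f"version {version_text} is older than 0.1.34: CVE-2024-37032 applies")
    if model_names:
        findings.append(f"{len(model_names)} model(s) listed via /api/tags without authentication")
    return findings


def fetch_json(url, timeout=3.0):
    """GET url and decode JSON; None on connection failure, timeout or non-JSON reply."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None


def scan(host="127.0.0.1", port=11434):
    base = f"http://{host}:{port}"
    ver = fetch_json(f"{base}/api/version")
    tags = fetch_json(f"{base}/api/tags")
    version_text = ver.get("version") if isinstance(ver, dict) else None
    models = [m.get("name", "") for m in tags.get("models", [])] if isinstance(tags, dict) else []
    return assess(version_text, models)


if __name__ == "__main__":
    for line in scan() or ["no unauthenticated Ollama API found at 127.0.0.1:11434"]:
        print(line)
```

Run it against a host you administer; an empty result means the API either was not reachable or did not answer anonymously, so it does not distinguish a closed port from an authenticating reverse proxy.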
OpenWebUI
OpenWebUI provides a web UI for LLM chat, image upload and RAG features. It suffered a critical vulnerability (CVE‑2024‑6707) where crafted filenames could be written to arbitrary locations, leading to code execution.
ComfyUI
ComfyUI is a node‑based diffusion‑model editor widely used for AI‑generated art. Numerous high‑severity issues have been discovered, including unauthenticated code execution in the front‑end, remote code execution in several plugins (e.g., Comfy_mtb, Prompt‑Preview), arbitrary file reads, and SSRF attacks. Many of these flaws remain unpatched or are in the process of being fixed.
AI‑Infra‑Guard: A One‑Click Security Assessment Tool
AI‑Infra‑Guard is a lightweight, zero‑dependency binary that automatically scans AI infrastructure for the vulnerabilities described above. It supports detection of more than 30 component‑specific CVEs and provides both a web UI and command‑line interface for integration into CI/CD pipelines.
Key Features
Supports 30+ AI components, including Ollama, OpenWebUI, ComfyUI, LangChain, Ray, Triton, and many databases.
Detects unauthenticated services, exposed ports, known CVEs, and insecure plugin configurations.
Cross‑platform (Windows, macOS, Linux) with memory usage under 50 MB.
Web UI mode for interactive risk visualization.
CLI mode with flags for local scans, single‑target checks, subnet enumeration, and file‑based target lists.
Supported Components (excerpt)
anythingllm (8 vulnerabilities)
langchain (33)
clickhouse (22)
comfy_mtb (1)
open‑webui (8)
ollama (8)
triton‑inference‑server (7)
Usage Instructions
Start the web UI:
ai-infra-guard -ws
CLI examples:
# Local scan
ai-infra-guard -localscan
# Scan a single target
ai-infra-guard -target 192.168.1.10:11434
# Scan multiple targets
ai-infra-guard -target 192.168.1.10:11434 -target 10.0.0.5:8080
# Scan an entire subnet
ai-infra-guard -target 192.168.1.0/24
# Scan targets from a file
ai-infra-guard -file targets.txt
Conclusion
AI‑Infra‑Guard, open‑sourced by Tencent’s Mixed‑Reality Security Team (Zhuque Lab), gives developers and ops teams a practical way to quickly assess and remediate AI infrastructure risks: there is no “absolute security”, only a realistic, continuously monitored posture.
Tencent Technical Engineering
Official account of Tencent Technology. A platform for publishing and analyzing Tencent's technological innovations and cutting-edge developments.