Exploring and Exploiting Security Vulnerabilities in Self-Hosted LLM Services

Zhihuang Liu1, Ling Hu1, Yonghao Tang1, Tongqing Zhou1, Fang Liu2, Zhiping Cai1
1National University of Defense Technology, 2Hunan University
LENS Framework

LENS: The first framework for systematic exploration and automated exploitation of security vulnerabilities in self-hosted LLM services.

Abstract

The deployment of self-hosted large language models (LLMs) has experienced unprecedented growth, driven by the promise of enhanced data privacy and control. Yet such deployment relies on diverse web services whose vulnerabilities, although mentioned in a few studies, remain largely underexplored, in conflict with that security tenet. From a systematic perspective, we propose LENS, a framework that explores and exploits vulnerabilities in self-hosted LLM services for comprehensive security evaluation. LENS integrates profiling and filtering, endpoint knowledge construction, and attack graph modeling for the automatic discovery, probing, and exploitation of public-facing LLM deployment targets, respectively. We conducted an extensive empirical evaluation on real-world self-hosted LLM services across 16 mainstream platforms, 71,249 discovered deployment targets, and 307 API endpoints. Both quantitative and qualitative evidence reveal the prevalence of security vulnerabilities across different self-hosted LLM services. Notably, 75% of responsive targets allow web API interactions without authentication, enabling exploitation such as injection attacks (97% for Ollama), unauthenticated access (20.2% for AnythingLLM), and default credential abuse (60.6% for Dify). We have responsibly reported the findings to the relevant communities and obtained 7 CVE IDs, including 4 critical vulnerabilities (CVSS > 9.0) and 2 high-severity ones.

Discovered Vulnerabilities (CVEs)

Our research uncovered significant security flaws in widely used self-hosted LLM platforms. Below is a list of the CVEs assigned to our findings, along with their CVSS severity ratings.

| CVE ID | CVSS Score | Severity | Description |
| --- | --- | --- | --- |
| CVE-2025-56157 | 9.8 | Critical | Default Credentials in Dify. Dify versions up to and including 1.5.1 contain a critical security vulnerability where the PostgreSQL database is configured with hardcoded default credentials. |
| CVE-2025-63389 | 9.8 | Critical | Authentication Bypass in Ollama API. A critical authentication bypass vulnerability exists in the Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations. |
| CVE-2025-63388 | 9.1 | Critical | CORS Misconfiguration in Dify System Features Endpoint. A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. |
| CVE-2025-63386 | 9.1 | Critical | CORS Misconfiguration in Dify. A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. |
| CVE-2025-63387 | 7.5 | High | Unauthenticated Access to System Features in Dify. Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. |
| CVE-2025-63391 | 7.5 | High | Authentication Bypass in Open-WebUI Config Endpoint. An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers. |
| CVE-2025-63390 | 5.3 | Medium | Authentication Bypass in AnythingLLM Workspaces. An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps. |
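The two CORS entries above share one pattern: the server echoes whatever Origin it receives and also sends Access-Control-Allow-Credentials: true. The following added example (illustration only, not Dify's code or part of the LENS framework) shows a defender-side check that flags that pattern in a captured response, next to a hardened header builder that only echoes an explicit allowlist. The response headers and the allowlisted origin are constructed sample values.

```python
from typing import Dict, Optional

# Constructed sample: what an overly permissive endpoint returns when the
# request carried an untrusted Origin (the pattern the CVE text describes).
WEAK_RESPONSE = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}


def cors_weakness(request_origin: str, headers: Dict[str, str]) -> Optional[str]:
    """Return a finding if the response reflects the request Origin (or uses
    '*') together with Allow-Credentials: true; otherwise return None."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return None  # no CORS grant at all: the browser blocks the cross-origin read
    if creds and acao == request_origin:
        return "reflected Origin with credentials"
    if creds and acao == "*":
        # Browsers refuse credentialed requests under '*', but it is still a misconfig.
        return "wildcard origin with credentials"
    return None


# Hardened variant: echo only allowlisted origins and always send Vary: Origin
# so a shared cache never serves one origin's grant to another.
ALLOWED_ORIGINS = frozenset({"https://console.example.internal"})  # assumed value


def cors_headers(request_origin: str, allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    if request_origin in allowed:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}  # unknown origin: no grant, so the browser blocks the read


if __name__ == "__main__":
    print(cors_weakness("https://untrusted.example", WEAK_RESPONSE))
    print(cors_weakness("https://untrusted.example", cors_headers("https://untrusted.example")))
```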

Ethical Disclosure: Note that we reported first to institutional authorities and affected vendors, then to CVE after awaiting remediation without adequate response.

Ethical Usage: The findings and tools provided in this research are intended for educational and defensive purposes only. Important: Only use the full framework on systems you own or have explicit permission to test. Unauthorized testing is illegal and unethical. See GitHub README for full disclaimer.

BibTeX

@inproceedings{liu2026lens,
  author    = {Liu, Zhihuang and Hu, Ling and Tang, Yonghao and Zhou, Tongqing and Liu, Fang and Cai, Zhiping},
  title     = {Exploring and Exploiting Security Vulnerabilities in Self-Hosted LLM Services},
  booktitle = {Proceedings of The Web Conference 2026 (WWW '26)},
  year      = {2026},
}