The rapid adoption of artificial intelligence (AI) infrastructure by businesses is inadvertently creating significant security vulnerabilities and undoing decades of progress in software security. Companies are rushing to deploy self-hosted Large Language Models (LLMs) to gain a competitive edge and boost productivity, but the acceleration comes at the cost of basic security practice, leaving sensitive data and systems exposed. A recent investigation into AI infrastructure found it to be more exposed and misconfigured than any other software domain the researchers had previously examined.
In the aftermath of the “ClawdBot” incident, in which a viral self-hosted AI assistant averaged 2.6 Common Vulnerabilities and Exposures (CVEs) per day, the security research firm Intruder launched an investigation to gauge the security posture of AI infrastructure. By analyzing over 2 million hosts and 1 million exposed services discovered through certificate transparency logs, Intruder’s team uncovered a landscape rife with security oversights.
Widespread Security Lapses in AI Infrastructure
A primary concern was the lack of authentication by default in many AI deployments. Many projects ship with authentication disabled out of the box, leaving internal company tools and user data accessible to anyone on the internet unless the operator explicitly turns it on. This oversight exposes organizations to risks ranging from reputational damage to complete system compromise, and the consequences are most severe where sensitive information is involved.
Exposed Chatbots and Sensitive Conversations
Instances of freely accessible chatbots were particularly prevalent. One example, based on OpenUI, exposed a user’s entire conversation history with an LLM. While seemingly innocuous, enterprise chat logs can reveal critical business intelligence. More alarming were generic chatbots fronting a variety of LLM models that were accessible without authentication. This allows malicious actors to use these systems for nefarious purposes, such as generating illegal content or soliciting harmful advice, without fear of their actions being traced back to them, since the deployment has no account to tie the request to.
There were also cases of questionable chatbots that exposed large volumes of personal NSFW conversations. Compounding the issue, the software running these “goon-bots” also disclosed their API keys in plain text, offering attackers direct pathways to exploit the underlying services. The ease with which these systems could be abused highlighted a significant gap in security awareness.
Unsecured Agent Management Platforms and APIs
The investigation also found exposed instances of agent management platforms like n8n and Flowise, with some deployments intended for internal use being mistakenly exposed to the internet without authentication. A particularly egregious example involved a Flowise instance that laid bare the entire business logic of an LLM chatbot service. While Flowise itself protected stored credentials from unauthenticated visitors, an attacker could still leverage the connected tools to exfiltrate sensitive information.
This highlights a critical weakness in many AI tooling platforms: a lack of proper access management controls. Access to a bot integrated with a third-party system frequently translates to unrestricted access to all connected services, because the platform holds those services’ credentials and exercises them on behalf of whoever can reach the bot. Further findings included exposed tools for fetching and parsing internet content and dangerous local functions, such as file writing and code interpretation, raising the prospect of server-side code execution. Over 90 such exposed instances were identified across sectors including government, marketing, and finance. These open access points could allow attackers to modify workflows, redirect traffic, steal user data, or poison the AI’s responses.
Another surprising discovery was the sheer number of Ollama APIs accessible without any authentication. Ollama ships with no authentication mechanism of its own (it listens on port 11434 by default), so any instance whose port is reachable from the internet is open to everyone. Out of over 5,200 queried servers, 31% responded, offering a glimpse into their intended use. While Ollama itself does not store message data, many of these instances were found to be wrapping paid, frontier models from leading providers like Anthropic, Deepseek, Moonshot, Google, and OpenAI. Such unsecured APIs present a significant risk, allowing unauthorized parties to consume powerful, and paid-for, AI capabilities on the owner’s account.
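The check below is an added example, not Intruder’s tooling and not code from the Ollama project. It classifies an endpoint by asking for `GET /api/tags`, the model-listing call every Ollama daemon answers; a 200 with a `models` array means the daemon is reachable with no credentials, a 401/403 means something in front of it is enforcing auth, and anything else is unreachable. The probe never sends a prompt. So that it runs offline, the block also embeds a constructed stand-in for an Ollama daemon (`_FakeOllama`), one open and one behind a hypothetical bearer-token gateway; both are assumptions for the demonstration, not real hosts.

```python
"""Added example (not Intruder's tooling, not part of Ollama): probe an
Ollama-style endpoint for unauthenticated access via GET /api/tags."""
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_ollama(base_url: str, timeout: float = 3.0) -> dict:
    """Classify one endpoint. Only lists models; never submits a prompt."""
    result = {"reachable": False, "unauthenticated": False, "status": None, "models": []}
    req = urllib.request.Request(base_url.rstrip("/") + "/api/tags",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["reachable"] = True
            result["status"] = resp.status
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        # 401/403 here usually means a reverse proxy or gateway is enforcing auth
        result["reachable"] = True
        result["status"] = exc.code
        return result
    except (urllib.error.URLError, OSError, ValueError):
        return result  # closed port, timeout, or a non-JSON answer
    if isinstance(body, dict) and isinstance(body.get("models"), list):
        result["unauthenticated"] = True
        result["models"] = [m.get("name", "?") for m in body["models"] if isinstance(m, dict)]
    return result


class _FakeOllama(BaseHTTPRequestHandler):
    """Constructed stand-in for an Ollama daemon so the example runs offline.
    A non-empty `token` simulates a gateway that demands a bearer token."""
    token = None

    def do_GET(self):
        if self.token and self.headers.get("Authorization") != f"Bearer {self.token}":
            self.send_response(401)
            self.end_headers()
            return
        if self.path != "/api/tags":
            self.send_response(404)
            self.end_headers()
            return
        payload = json.dumps({"models": [{"name": "llama3:8b"}, {"name": "deepseek-r1:7b"}]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_ollama(token=None):
    """Start a stand-in daemon on a random loopback port; returns (server, base_url)."""
    handler = type("Handler", (_FakeOllama,), {"token": token})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> dict:
    """Probe an open daemon, a token-gated one, and a closed port."""
    open_srv, open_url = start_fake_ollama()
    gated_srv, gated_url = start_fake_ollama(token="s3cret")  # hypothetical token
    try:
        out = {"open": probe_ollama(open_url), "gated": probe_ollama(gated_url)}
    finally:
        for srv in (open_srv, gated_srv):
            srv.shutdown()
            srv.server_close()
    # a port we bind and immediately release stands in for a host with nothing listening
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    closed_port = sock.getsockname()[1]
    sock.close()
    out["closed"] = probe_ollama(f"http://127.0.0.1:{closed_port}", timeout=1.0)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against real infrastructure, point `probe_ollama` at each `host:port` from an asset inventory rather than at the stand-in; anything classified `unauthenticated` should be firewalled or placed behind an authenticating reverse proxy before it is used for anything else.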
Inherent Insecurity in AI Tooling
A deeper analysis of a subset of these applications in a controlled lab environment revealed recurring insecure patterns: insecure defaults, misconfigured Docker setups, hardcoded credentials, and applications running as root. Many projects had no authentication on a fresh install, granting any visitor full management access by default. Hardcoded, static credentials were often embedded directly in setup examples or Docker Compose files rather than generated during installation, so every deployment that followed the quick-start shared the same secrets. Furthermore, new technical vulnerabilities were being discovered in popular AI projects at a rapid pace, underscoring how quickly the threat landscape is evolving.
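The audit below is an added example, not from the report or from any vendor. It runs the static checks a reviewer would make for the patterns just listed over a Docker Compose file: services published on every interface, `privileged` containers, no `user:` (so the process runs as root unless the image drops privileges), secrets pasted in as environment literals, and an auth switch set to false. Its input is the dict that PyYAML’s `yaml.safe_load()` returns for a compose file; the two samples are constructed and embedded already parsed so the block needs only the standard library. The image name and the `AUTH_ENABLED` variable are hypothetical.

```python
"""Added example (not from the report or any project): static audit of a parsed
Docker Compose file for the deployment patterns the text describes."""
from typing import List, Optional

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "APIKEY")
FALSEY = {"false", "0", "off", "no", "disabled"}

# Constructed sample: the "works out of the box" quick-start, as yaml.safe_load() returns it.
WEAK_COMPOSE = {
    "services": {
        "ollama": {
            "image": "ollama/ollama",
            "ports": ["11434:11434"],                # no host IP -> bound on 0.0.0.0
        },
        "webui": {
            "image": "example/llm-webui:latest",     # hypothetical image
            "ports": ["0.0.0.0:8080:8080"],
            "privileged": True,
            "environment": {
                "AUTH_ENABLED": "false",             # hypothetical variable name
                "ADMIN_PASSWORD": "admin",
                "OPENAI_API_KEY": "sk-hardcoded-example",
            },
        },
    }
}

# Constructed sample: the same stack with the findings addressed.
HARDENED_COMPOSE = {
    "services": {
        "ollama": {
            "image": "ollama/ollama",
            "user": "1000:1000",                      # assumes the image runs unprivileged; verify
            # no `ports`: only the webui on the compose network can reach it
        },
        "webui": {
            "image": "example/llm-webui:latest",
            "ports": ["127.0.0.1:8080:8080"],        # an authenticating reverse proxy sits in front
            "user": "1000:1000",
            "read_only": True,
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "environment": {
                "AUTH_ENABLED": "true",
                "ADMIN_PASSWORD": "${ADMIN_PASSWORD}",   # supplied from .env / host, never committed
                "OPENAI_API_KEY": "${OPENAI_API_KEY}",
            },
        },
    }
}


def host_ip(port_entry) -> Optional[str]:
    """Host interface a `ports:` entry binds to; None means every interface."""
    if isinstance(port_entry, dict):                  # long syntax
        return port_entry.get("host_ip")
    spec = str(port_entry).split("/")[0]              # drop '/tcp' or '/udp'
    if spec.startswith("["):                          # "[::1]:8080:8080"
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None      # only "IP:HOST:CONTAINER" names an interface


def audit_compose(compose: dict) -> List[str]:
    """Return one finding string per insecure pattern; empty list means clean."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports", []):
            if host_ip(entry) in (None, "0.0.0.0", "::"):
                findings.append(f"{name}: port {entry} published on all interfaces")
        if svc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        if svc.get("network_mode") == "host":
            findings.append(f"{name}: host networking bypasses port isolation")
        if "user" not in svc:
            findings.append(f"{name}: no user set, runs as root unless the image drops privileges")
        env = svc.get("environment", {})
        if isinstance(env, list):                     # ["KEY=value", "PASSTHROUGH_FROM_HOST"]
            env = dict(item.split("=", 1) if "=" in item else (item, None) for item in env)
        for key, value in env.items():
            if value is None or str(value).startswith("${"):
                continue                              # taken from the host environment, not the file
            upper = key.upper()
            if any(hint in upper for hint in SECRET_HINTS):
                findings.append(f"{name}: literal secret in {key}")
            if "AUTH" in upper and str(value).lower() in FALSEY:
                findings.append(f"{name}: authentication disabled via {key}={value}")
    return findings


if __name__ == "__main__":
    for label, compose in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(label, audit_compose(compose) or "clean")
```

The `user` line in the hardened sample is the one check that needs confirming against each image; some images expect to start as root and drop privileges themselves, in which case the finding is a prompt to verify rather than a defect.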
These misconfigurations are amplified when AI agents possess access to powerful tools like file writing and code interpretation, because the path or code the tool acts on comes from model output, which an attacker can steer. The potential damage, or blast radius, expands significantly when sandboxing is inadequate and the infrastructure is not isolated in a demilitarized zone (DMZ).
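As an added example (not code from the report or from any agent framework), the block below shows the file-write tool pattern the text warns about next to a confined version. The confined tool treats the model-supplied path as attacker-controlled: it refuses absolute paths, resolves `..` and symlinks before comparing against the workspace root, opens with `O_NOFOLLOW` so a symlink planted at the final component between the check and the open is not followed, and caps the payload size. The workspace, payloads and attempted escapes are constructed inside `demo()`.

```python
"""Added example (not from the report or any agent framework): an unconfined
file-write tool beside one confined to a single workspace directory."""
import os
import tempfile


def write_file_unconfined(path: str, data: bytes) -> str:
    """The pattern found exposed in the wild: whatever path the model emits is written."""
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def resolve_in_workspace(workspace: str, requested: str) -> str:
    """Map a model-supplied relative path onto `workspace`; refuse anything whose
    real location (after '..' and symlink resolution) lies outside it."""
    if os.path.isabs(requested) or os.path.splitdrive(requested)[0]:
        raise PermissionError(f"absolute path refused: {requested!r}")
    root = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes workspace: {requested!r}")
    return target


def write_file_confined(workspace: str, requested: str, data: bytes,
                        max_bytes: int = 1 << 20) -> str:
    """Write `data` at `requested` inside `workspace`, or raise without touching disk."""
    if len(data) > max_bytes:
        raise ValueError("payload exceeds tool limit")
    target = resolve_in_workspace(workspace, requested)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # O_NOFOLLOW closes the window between realpath() and open() in which a
    # symlink could be planted at the final component; mode 0o600 keeps it owner-only.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o600), "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise both tools in throwaway directories; returns what each attempt did."""
    out = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as ws:
        written = write_file_confined(ws, "notes/plan.md", b"# plan")
        out["inside_ok"] = written.startswith(os.path.realpath(ws)) and os.path.exists(written)
        # the unconfined tool happily writes wherever the model points it
        out["unconfined_escaped"] = os.path.exists(
            write_file_unconfined(os.path.join(outside, "pwned.txt"), b"x"))
        os.symlink(outside, os.path.join(ws, "link"))   # symlink inside the workspace pointing out
        attempts = {
            "dotdot": "../escape.txt",
            "absolute": os.path.join(outside, "escape.txt"),
            "symlink": "link/escape.txt",
        }
        for label, path in attempts.items():
            try:
                write_file_confined(ws, path, b"x")
                out[label] = "written"
            except PermissionError:
                out[label] = "refused"
        try:
            write_file_confined(ws, "big.bin", b"x" * 2048, max_bytes=1024)
            out["oversize"] = "written"
        except ValueError:
            out["oversize"] = "refused"
        out["outside_untouched"] = not os.path.exists(os.path.join(outside, "escape.txt"))
    return out


if __name__ == "__main__":
    print(demo())
```

Confining paths is the minimum; an agent that also runs a code interpreter still needs the process itself contained (separate user, no network egress by default, a filesystem it cannot rewrite), since the interpreter can call `open()` directly and bypass any tool-level check.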
The Race for AI Adoption Outpaces Security
The findings suggest that some projects powering LLM infrastructure have deliberately sidestepped decades of hard-won security best practices in favor of rapid deployment. This trend is not solely attributable to vendors but is also driven by the intense pressure on businesses to adopt AI quickly and outmaneuver competitors. The immediate focus on deployment speed has created an environment where security often lags behind innovation.
Organizations are urged to proactively address these vulnerabilities. The risk of attackers discovering exposed AI infrastructure before internal security teams do is significant. Tools that can identify misconfigurations and assess external visibility are crucial in mitigating these emerging threats. As AI continues to evolve, the cybersecurity community will be watching closely to see if the industry can effectively balance the drive for innovation with the imperative of robust security.

