Your Model Isn't the Hack Target. the Plumbing Around it Is.
Summary
The article discusses how AI infrastructure, not the models themselves, is the primary target for attacks, highlighting "composition failures" at the seams between different components in the AI application stack. It details specific vulnerabilities like pre-auth SQL injection and supply-chain compromises in LiteLLM, a popular open-source LLM gateway, and remote code execution flaws in the Model Context Protocol (MCP) SDKs. The author, from Offgrid Security, emphasizes that modern AI applications involve complex orchestration layers (gateways, orchestrators, vector databases, etc.) that handle sensitive operations like identity translation and secret handling. These "AI tooling" components are effectively control planes, holding critical credentials and policies, making them high-value targets. Several CVEs and real-world exploits are cited, including a LiteLLM supply-chain attack in March 2026 and a SQL injection (CVE-2026-42208, CVSS 9.3) exploited within 36 hours of disclosure. The core shift is from protecting data to protecting execution, as attackers can influence system decisions by compromising these orchestration layers.
Key takeaway
For AI Security Engineers or Architects designing AI systems, recognize that your orchestration layers (gateways, agent runtimes, MCP servers) are critical control planes, not just "tooling." You must treat them with the same rigor as identity providers or cloud IAM. Prioritize reviewing authorization boundaries between components, not just within them, and map how identities and secrets flow across your stack. Patching these internet-facing components on an urgent timeline is crucial, as exploitation windows are collapsing.
Key insights
AI security threats primarily target the complex orchestration layers and "plumbing" around models, not the models themselves.
Principles
- Failures emerge at the "seams" between composed systems.
- AI orchestration layers are privileged infrastructure.
- Protecting execution is now paramount, beyond just data.
Method
The article describes Kira's method: tracing data flow across an entire codebase to prove exploitability of findings, rather than scanning files in isolation.
In practice
- Review authorization boundaries between components.
- Map identity, permission, and secret flow across the stack.
- Treat AI gateways like identity providers or cloud IAM.
Topics
- AI Security
- Orchestration Layers
- Supply Chain Attacks
- Composition Failures
- LiteLLM Vulnerabilities
- Model Context Protocol
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, AI Architect, AI Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by HackerNoon.