Full Report
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the
Analysis Summary
# Research: We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is
## Metadata
- **Authors:** The Intruder Research Team
- **Institution:** Intruder (Cybersecurity Firm)
- **Publication:** The Hacker News
- **Date:** May 05, 2026
## Abstract
This technical analysis examines the security posture of self-hosted Large Language Model (LLM) infrastructure and AI services. Spurred by the "ClawdBot" vulnerability crisis, researchers scanned over one million exposed AI services to evaluate the prevalence of misconfigurations and lack of authentication. The findings reveal a systemic failure to implement basic security hygiene in AI deployments, with significant portions of the AI software ecosystem operating with "no authentication by default," leading to the exposure of sensitive chat histories, API keys, and internal business logic.
## Research Objective
The research aims to quantify and qualify the risks associated with the rapid, "speed-over-security" adoption of self-hosted AI infrastructure. Key questions include:
- How many AI services are currently exposed to the public internet?
- What are the common security configurations of these deployments?
- What types of sensitive data and system access are at risk due to these exposures?
## Methodology
### Approach
The researchers utilized an internet-wide scanning and reconnaissance methodology. They identified candidate targets by monitoring global Certificate Transparency (CT) logs for certificates issued to AI-related hostnames (subdomains naming products such as Ollama, Flowise or n8n). After confirming which hosts were live, they performed non-intrusive checks only: metadata analysis of unauthenticated responses and, where a chat endpoint answered without credentials, a single benign "hello" prompt to confirm that the service was genuinely usable by anyone.
### Dataset/Environment
- **Initial Scope:** 2 million hosts identified via CT logs.
- **Active Scanning:** 1 million exposed AI services.
- **Specific Targets:** Self-hosted chatbots (OpenUI), agent management platforms (n8n, Flowise), and LLM API servers (Ollama).
### Tools & Technologies
- Certificate Transparency (CT) log scrapers.
- Automated port and service scanners.
- Manual source code review of popular AI projects to identify default configurations.
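The two reconnaissance stages above, as an added example that is not Intruder's tooling and runs offline on constructed data: stage one filters Certificate Transparency entries (shaped like crt.sh JSON output) for AI-related hostnames; stage two classifies captured HTTP responses from those hosts as an open, unauthenticated AI API, one with an auth layer in front, or unknown. The keyword list, the sample hosts, and the probe paths and body markers used to recognise Ollama (`/`, `/api/tags`) and Flowise (`/api/v1/chatflows`) are this example's assumptions and should be checked against the versions you actually run.

```python
"""Added example: CT-log candidate selection plus response fingerprinting.
Not Intruder's code; product paths and markers are assumptions."""
import json

# Hostname substrings treated as "probably AI infrastructure" (assumption).
AI_KEYWORDS = ("ollama", "openwebui", "open-webui", "flowise", "n8n", "llm", "agent")

# Constructed CT entries in crt.sh's JSON shape: one record per certificate,
# subject alternative names newline-separated in "name_value".
SAMPLE_CT_ENTRIES = [
    {"name_value": "ollama.corp-example.com\nwww.corp-example.com"},
    {"name_value": "*.corp-example.com"},
    {"name_value": "flowise.dev.example.org\nn8n.dev.example.org"},
    {"name_value": "mail.example.org"},
    {"name_value": "LLM-GATEWAY.Example.net"},
]

# Constructed probe captures: {host: {path: (status_code, body)}}.
SAMPLE_PROBES = {
    "ollama.corp-example.com": {
        "/": (200, "Ollama is running"),
        "/api/tags": (200, json.dumps({"models": [{"name": "llama3:8b"}]})),
    },
    "flowise.dev.example.org": {
        "/": (200, "<html><title>Flowise - Build LLM Apps Easily</title></html>"),
        "/api/v1/chatflows": (401, "Unauthorized"),
    },
    "agent.example.net": {
        "/": (200, "<html><title>Flowise</title></html>"),
        "/api/v1/chatflows": (200, json.dumps([{"id": "c1", "name": "Invoice agent"}])),
    },
    "llm-gateway.example.net": {"/": (404, "not found")},
}


def ai_hostnames(entries, keywords=AI_KEYWORDS):
    """Stage 1: sorted, de-duplicated hostnames matching a keyword.
    Wildcard names are dropped: they identify no concrete host to probe."""
    found = set()
    for entry in entries:
        for name in entry["name_value"].split("\n"):
            host = name.strip().lower()
            if not host or host.startswith("*."):
                continue
            if any(k in host for k in keywords):
                found.add(host)
    return sorted(found)


def _api_verdict(product, status, body, list_key):
    """A data endpoint that answers 200 with parseable JSON to a request
    carrying no credentials is open; 401/403 means something gates it."""
    if status in (401, 403):
        return {"product": product, "exposure": "auth-required", "detail": "HTTP %d" % status}
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if data is not None:
            items = data.get(list_key, []) if list_key and isinstance(data, dict) else data
            if not isinstance(items, list):
                items = []
            names = [i.get("name") for i in items if isinstance(i, dict)]
            return {"product": product, "exposure": "open", "detail": names}
    return {"product": product, "exposure": "unknown", "detail": None}


def classify(probe):
    """Stage 2: fingerprint one host from its captured responses."""
    _, root_body = probe.get("/", (0, ""))
    body_l = root_body.lower()
    if "ollama is running" in body_l:          # Ollama's root banner (assumed)
        status, body = probe.get("/api/tags", (0, ""))
        return _api_verdict("ollama", status, body, "models")
    if "flowise" in body_l:                    # Flowise UI title (assumed)
        status, body = probe.get("/api/v1/chatflows", (0, ""))
        return _api_verdict("flowise", status, body, None)
    return {"product": "unknown", "exposure": "unknown", "detail": None}


def triage(probes):
    """Classify every probed host; callers filter on exposure == 'open'."""
    return {host: classify(p) for host, p in probes.items()}


if __name__ == "__main__":
    print(ai_hostnames(SAMPLE_CT_ENTRIES))
    for host, verdict in triage(SAMPLE_PROBES).items():
        print(host, verdict)
```

Only hosts whose data endpoint answered with real content to a credential-less request are reported as open; a 200 on the root page alone proves nothing, which is the distinction the scan methodology draws between "reachable" and "exposed".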
## Key Findings
### Primary Results
1. **Insecure by Default:** Many popular open-source AI projects lack built-in authentication or have it disabled in their "out-of-the-box" configurations.
2. **Massive API Exposure:** Thousands of Ollama API instances were found public-facing and unauthenticated, allowing anyone to run inference on the host’s hardware.
3. **Credential Leaks:** Instances of agent platforms (Flowise) and specialized chatbots were discovered leaking API keys and privileged credentials, either in plaintext or through workflow editors and configuration screens that were reachable without logging in.
### Supporting Evidence
- **ClawdBot Benchmark:** Referenced as averaging 2.6 CVEs per day, serving as a catalyst for the broader scan.
- **Agent Platforms:** Over 90 exposed instances were identified specifically within government, finance, and marketing sectors, many revealing internal business logic and file-write capabilities.
### Novel Contributions
- **Quantification of AI Attack Surface:** One of the first large-scale empirical studies specifically targeting the self-hosted AI infrastructure stack rather than just the models themselves.
- **Logic Exposure:** Highlighted that modern AI "agents" represent a higher risk than simple chatbots because they bridge the gap between LLMs and local system functions/file systems.
## Technical Details
The research highlights a specific architectural property of AI "agent" platforms. Unlike a plain chat front end, these platforms attach "tools" to the model: workflow nodes that make HTTP requests, read and write files, or execute code. When a platform such as Flowise or n8n is exposed without authentication, an attacker gets more than a chat interface: they can read and edit the **workflow graph** itself (the nodes, their parameters, and the credentials bound to them). By adding or modifying nodes, the attacker pivots from an LLM prompt to Server-Side Request Forgery (an HTTP node pointed at internal addresses, such as a cloud metadata endpoint) or Remote Code Execution (a command or code node that runs with the privileges of the platform's host process).
## Practical Implications
### For Security Practitioners
- **Inventory Management:** AI services often bypass traditional IT procurement. Security teams must actively scan for shadow AI deployments.
- **Identity First:** Authentication must be a "gate" requirement before any AI service is moved from a local developer machine to a networked environment.
### For Defenders
- **Hardening Ollama:** Ollama ships with no authentication of its own and listens on `127.0.0.1:11434` by default. Do not set `OLLAMA_HOST` to `0.0.0.0` (or another non-loopback address) unless the port is protected by a firewall or by a reverse proxy that enforces mTLS or robust AuthN.
- **Audit Agent Logic:** Review the permissions granted to AI agents. Avoid granting agents "File Write" or "Shell Execution" privileges on the host system.
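Two checks for the defender recommendations above and the SSRF/RCE pivot described under Technical Details, as an added example that is not code from Intruder, n8n or Ollama. `audit_workflow()` walks an n8n-style workflow export and flags nodes that would turn an unauthenticated editor into code execution, file writes, or SSRF (HTTP nodes aimed at loopback, private or link-local addresses, including the cloud metadata address `169.254.169.254`, or whose target is an expression chosen by upstream data). `classify_ollama_host()` parses the `OLLAMA_HOST` forms Ollama accepts and reports whether the bind is loopback-only. The node type identifiers and the sample workflow are this example's assumptions; confirm the identifiers against your n8n version.

```python
"""Added example: agent-workflow permission audit and OLLAMA_HOST check.
Not project code; node type strings below are assumptions."""
import ipaddress
from urllib.parse import urlsplit

# n8n node types assumed to execute code or commands on the worker host.
EXEC_NODE_TYPES = {
    "n8n-nodes-base.executeCommand": "shell command execution on the host",
    "n8n-nodes-base.code": "arbitrary JavaScript/Python in the worker",
    "n8n-nodes-base.ssh": "remote command execution with stored credentials",
}
# n8n node types assumed to write to the host filesystem.
FILE_WRITE_NODE_TYPES = {
    "n8n-nodes-base.writeBinaryFile": "file write on the host filesystem",
    "n8n-nodes-base.readWriteFile": "file read/write on the host filesystem",
}
HTTP_NODE_TYPE = "n8n-nodes-base.httpRequest"

# Constructed workflow export in n8n's shape (nodes list with type/parameters).
SAMPLE_WORKFLOW = {
    "name": "Invoice triage agent",
    "nodes": [
        {"name": "Webhook", "type": "n8n-nodes-base.webhook", "parameters": {"path": "invoice"}},
        {"name": "Summarise", "type": HTTP_NODE_TYPE,
         "parameters": {"url": "https://api.example-llm.com/v1/chat"}},
        {"name": "Fetch metadata", "type": HTTP_NODE_TYPE,
         "parameters": {"url": "http://169.254.169.254/latest/meta-data/"}},
        {"name": "Run script", "type": "n8n-nodes-base.executeCommand",
         "parameters": {"command": "python3 /opt/triage.py"}},
        {"name": "Save report", "type": "n8n-nodes-base.writeBinaryFile",
         "parameters": {"fileName": "/srv/reports/out.pdf"}},
        {"name": "Follow link", "type": HTTP_NODE_TYPE,
         "parameters": {"url": "={{ $json.url }}"}},
    ],
}


def _hostname(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:          # malformed IPv6 brackets etc.
        return ""


def is_internal_target(url):
    """True if the URL points inside the network the agent runs in."""
    host = _hostname(url)
    if not host:
        return False
    if host == "localhost" or host.endswith((".internal", ".local")):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # a public DNS name; not decidable offline
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def audit_workflow(workflow):
    """Return findings for nodes that grant an editor more than chat."""
    findings = []
    for node in workflow.get("nodes", []):
        ntype, name = node.get("type", ""), node.get("name", "?")
        params = node.get("parameters", {})
        if ntype in EXEC_NODE_TYPES:
            findings.append({"node": name, "risk": "rce", "why": EXEC_NODE_TYPES[ntype]})
        elif ntype in FILE_WRITE_NODE_TYPES:
            findings.append({"node": name, "risk": "file-write", "why": FILE_WRITE_NODE_TYPES[ntype]})
        elif ntype == HTTP_NODE_TYPE:
            url = str(params.get("url", ""))
            if url.startswith("="):     # n8n expression: upstream data picks the target
                findings.append({"node": name, "risk": "ssrf", "why": "request target is an expression"})
            elif is_internal_target(url):
                findings.append({"node": name, "risk": "ssrf",
                                 "why": "request targets internal address " + _hostname(url)})
    return findings


def classify_ollama_host(value):
    """Map an OLLAMA_HOST value to 'loopback', 'all-interfaces' or 'specific'.
    Accepts host, host:port, scheme://host:port and bracketed IPv6; an unset
    value is treated as Ollama's 127.0.0.1:11434 default."""
    raw = (value or "").strip()
    if not raw:
        return "loopback"
    if "://" not in raw:
        raw = "http://" + raw
    host = _hostname(raw)
    if host in ("", "localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "specific"
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f)
    print(classify_ollama_host("0.0.0.0:11434"))
```

Run the audit over every exported workflow before it leaves a developer machine: any `rce` or `file-write` finding means an unauthenticated editor is equivalent to a shell on the worker, and the `ssrf` findings are the nodes an attacker would repoint at internal services. For Ollama, anything other than `loopback` needs the firewall or authenticating proxy described above.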
### For Researchers
- **Exploitation Vectors:** Further research is needed into how exposed LLM APIs can be used for distributed "prompt injection" attacks or as botnets for generating malicious content.
## Limitations
- The scan primarily identified *exposed* services; it does not account for services behind VPNs that may still be vulnerable to lateral movement.
- The report focuses on the infrastructure layer rather than model-specific vulnerabilities (like prompt injection).
## Comparison to Prior Work
While previous research focused heavily on **Adversarial Machine Learning** (tricking the model), this research shifts the focus to **Application Security (AppSec)**. It argues that AI security is currently failing at the most basic level (authentication and configuration), so that advanced model-defense techniques offer little protection while the service itself is open to anyone on the internet.
## Real-world Applications
- **Policy Enforcement:** Use these findings to justify strict internal policies against deploying "one-click" AI templates without security review.
- **Automated Scanning:** Inclusion of AI-specific fingerprints in existing vulnerability management tools.
## Future Work
- Analysis of the supply chain of AI "wrappers" and templates.
- Investigating the impact of "Poisoning by Proxy," where attackers modify exposed LLM workflows to change the output for legitimate end-users.
## References
- Intruder: "ClawdBot: When Easy AI Becomes a Security Nightmare." (intruder.io)
- Lasso Security: blog post on Amazon chatbot vulnerabilities.
- Online tracker: `days-since-openclaw-cve.com`