Full-chain exploitation of AI API gateways and proxy infrastructure across 10 platforms: LiteLLM · Ollama · Flowise · Open WebUI · Portkey · Kong AI Gateway · Traefik · Cloudflare AI Gateway · TrueFoundry · LMDeploy. These gateways are the chokepoint for every LLM call — compromise one and you own the entire conversation pipeline. SPECTER NEXUS fingerprints, exploits CVEs, harvests provider API keys, hijacks routing tables, installs callback exfil on every LLM call, and persists across config reloads.
Every CVE implemented as a working PoC payload builder. INJECT gate required for live fire. UNLEASHED required for route injection and persistence.
| CVE / TTP | Platform | CVSS | Technique |
|---|---|---|---|
| CVE-2026-42208 | LiteLLM | 9.0 | SQLite injection via model alias parameter — UNION SELECT litellm_verificationtoken (API keys, spend, users) |
| CVE-2026-33626 | LMDeploy | 9.1 | SSRF via model_path in /models/create endpoint — reaches 169.254.169.254 cloud metadata |
| CVE-2026-41264 | Flowise | 9.8 | Pre-auth RCE via /api/v1/credentials endpoint + path traversal /api/v1/attachments/../../../etc/passwd |
| litellm_admin_bypass | LiteLLM | 8.5 | Admin panel bypass via X-LiteLLM-Internal / X-Forwarded-For: 127.0.0.1 headers |
| ollama_open_bind | Ollama | 7.5 | Unauthenticated API on 0.0.0.0:11434 — model pull/run/delete without auth |
| kong_admin_api_exposed | Kong | 6.8 | Kong Admin API (8001) exposed — service/route/upstream manipulation without auth |
| teamcpcp_supply_chain | LiteLLM | 8.8 | Dependency confusion via typosquatted litellm-utils package with postinstall beacon |
Gating: SCAN runs under the OPEN gate. HARVEST, PIVOT and EXFIL require the INJECT gate, as does the INJECT module itself (its MITM mode additionally requires UNLEASHED). ROUTE and PERSIST require UNLEASHED.
Identifies 10 gateway platforms via header/body signatures and port probing. CIDR range scan with asyncio concurrency. Subdomain enumeration across 23 gateway subdomain patterns. CVE applicability scoring per detected version. GatewayInstance confidence score 0.0–1.0.
CVE-2026-42208 SQLite injection — 10 UNION SELECT payloads against litellm_verificationtoken. CVE-2026-33626 SSRF — probes 12 cloud metadata targets. CVE-2026-41264 RCE — 4 Flowise attack vectors. Config endpoint extraction — 20+ secret patterns (sk-proj-/sk-ant-/AIza/AKIA/hf_/gsk_/r8_/pplx-/pa-). Env disclosure. Error message leakage. JWT extraction.
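The secret-pattern sweep above is the same check a gateway operator should run against their own `/config`, env and debug output before any of it is reachable. The following is an added example (not SPECTER NEXUS code, not LiteLLM code): a triage scanner for the provider key shapes the page names, with redacted output so the finding can be logged without re-leaking the key. The regex bodies and the config dump are assumptions constructed for the example; the only literal that is real is AWS's documented placeholder access key ID.

```python
import re
from dataclasses import dataclass

# Key shapes are an assumption: they follow the prefixes listed on the page with a
# loose body length, so this is a triage filter, not an oracle. The generic "pa-"
# prefix is left out because it matches too much ordinary text.
KEY_PATTERNS = {
    "openai_project": re.compile(r"\bsk-proj-[A-Za-z0-9_-]{20,}"),
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "google_ai": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "huggingface": re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
    "groq": re.compile(r"\bgsk_[A-Za-z0-9]{20,}\b"),
    "replicate": re.compile(r"\br8_[A-Za-z0-9]{20,}\b"),
    "perplexity": re.compile(r"\bpplx-[A-Za-z0-9]{20,}\b"),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    line_no: int
    redacted: str


def redact(secret: str) -> str:
    """Keep enough of the prefix/suffix to identify the key, never the whole value."""
    return secret[:8] + "..." + secret[-4:]


def scan_for_leaked_keys(text: str) -> list[Finding]:
    """Line-oriented scan so a finding can be tied back to a config line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(provider, line_no, redact(match.group(0))))
    return findings


def check_config_dump(text: str) -> dict:
    """Summarise a config/env dump: which providers leak, and where."""
    findings = scan_for_leaked_keys(text)
    return {
        "leaked": bool(findings),
        "providers": sorted({f.provider for f in findings}),
        "findings": findings,
    }


# Constructed sample of a LiteLLM-style config dump. Two entries use the safe
# os.environ/ reference form; three embed literal credentials (all fake or
# documented placeholders, e.g. AWS's own example access key ID).
SAMPLE_CONFIG_DUMP = """\
model_list:
  - model_name: gpt-4o
    litellm_params:
      api_key: sk-proj-EXAMPLEEXAMPLEEXAMPLEEXAMPLE0001
  - model_name: claude
    litellm_params:
      api_key: os.environ/ANTHROPIC_API_KEY
environment:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  HF_TOKEN: hf_EXAMPLEEXAMPLEEXAMPLEEXAMPLE01
general_settings:
  master_key: os.environ/LITELLM_MASTER_KEY
"""

if __name__ == "__main__":
    report = check_config_dump(SAMPLE_CONFIG_DUMP)
    for f in report["findings"]:
        print(f"line {f.line_no}: {f.provider} {f.redacted}")
```

The `os.environ/VAR` entries are deliberately not matched: that is the form a hardened config should use, so a clean scan of the rendered config is one concrete acceptance check.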
System prompt adversarial injection. Response tamper via metadata/system fields. Rate limit bypass via X-Forwarded-For/X-Real-IP/CF-Connecting-IP header set. Model parameter override (temperature/max_tokens out of bounds). Passive callback logging. Full MITM config with litellm success_callback exfil hook (UNLEASHED).
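The admin bypass in the TTP table (`X-LiteLLM-Internal` / `X-Forwarded-For: 127.0.0.1`) and the rate-limit bypass above are one bug class: a gateway deriving trust or identity from headers the client controls. The following is an added example, not LiteLLM's code and not SPECTER NEXUS code: an illustrative weak check of the kind the page describes next to a hardened version in which "internal" is a property of the TCP peer only, and forwarded headers are consulted solely for rate-limit keying and only when the peer is a configured trusted proxy. The header names come from the page's table; the proxy ranges and addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, Mapping

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def is_internal_vulnerable(headers: Mapping[str, str]) -> bool:
    """Weak pattern (illustrative, not LiteLLM's implementation): a request is
    'internal' because it says so in a header. Any client can set either header."""
    if headers.get("X-LiteLLM-Internal", "").lower() == "true":
        return True
    first_hop = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first_hop in ("127.0.0.1", "::1")


def is_internal_hardened(peer_ip: str) -> bool:
    """Hardened: privilege decisions look only at the socket peer address."""
    return ipaddress.ip_address(peer_ip) in LOOPBACK


def effective_client_ip(peer_ip: str, headers: Mapping[str, str],
                        trusted_proxies: Iterable[str]):
    """Resolve the client address for rate limiting and audit logs.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    the rightmost hop that is not itself a trusted proxy is taken. Because a
    well-behaved proxy appends the real client, anything the client prepends
    (e.g. '127.0.0.1') is pushed left and ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def from_proxy(addr) -> bool:
        return any(addr in net for net in trusted)

    if not from_proxy(peer):
        return peer  # direct client: the header is untrusted input, drop it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed chain: fall back to the peer rather than guess
        if not from_proxy(addr):
            return addr
    return peer  # header absent, or every hop was one of our proxies


def rate_limit_bucket(peer_ip: str, headers: Mapping[str, str],
                      trusted_proxies: Iterable[str]) -> str:
    """Key rate limits on the resolved client, not on a header value."""
    return str(effective_client_ip(peer_ip, headers, trusted_proxies))


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable says internal:", is_internal_vulnerable(spoof))
    print("hardened says internal:", is_internal_hardened("203.0.113.7"))
    print("bucket:", rate_limit_bucket("203.0.113.7", spoof, ["10.0.0.0/8"]))
```

The same rule applies to `X-Real-IP` and `CF-Connecting-IP`: honour them only when the peer is in the address ranges of the proxy that is supposed to set them, and never let any of them decide who is an administrator.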
LiteLLM model alias injection — injects rogue litellm_params with attacker api_base and api_key. Kong Admin API service+route creation. Fallback chain poison — all gpt-4o failures route to attacker URL. Callback exfil — hooks all success_callback/failure_callback/async_success_callback. Cloudflare Worker replacement. to_litellm_config_yaml() output. UNLEASHED-gated.
Validates harvested keys against 10 provider APIs: OpenAI/Anthropic/Google AI/HuggingFace/Groq/Replicate/Together AI/Perplexity/Mistral/Azure. AWS STS GetCallerIdentity (manual SigV4). Rate limit tier inference from response headers (tier1–tier5). build_provider_inventory(). detect_cross_use(). estimate_burn_rate() from spend logs. Concurrency via asyncio semaphore.
8 UNLEASHED-gated strategies: rogue virtual key (wildcard * model access, persists in SQLite); route_db_injection (INSERT INTO litellm_routingtable); webhook_callback (all LLM calls to attacker URL); startup_beacon (env var + async_success_callback); log_suppression (DELETE/UPDATE spend counters); config_backdoor (sets master_key, routes * to attacker URL); self_healing_route (cron every 5 min reinstall); supply_chain_hook (typosquatted litellm-utils).
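Most of the ROUTE techniques (rogue `litellm_params` with an attacker `api_base`, poisoned fallbacks, hooked `success_callback`) and several of the PERSIST strategies (`config_backdoor`, `webhook_callback`) leave visible residue in the rendered LiteLLM config. The following is an added example, not SPECTER NEXUS code and not part of LiteLLM: an auditor that walks an already-parsed config (the dict PyYAML would produce from `config.yaml`) and flags backends outside an allow-list, literal credentials, callbacks that are not known integrations, fallbacks to undefined models, and a literal master key. The allow-lists and the sample config are assumptions constructed for the example; the config keys (`model_list`, `litellm_params`, `litellm_settings.success_callback`, `router_settings.fallbacks`, `general_settings.master_key`, `os.environ/` references) are LiteLLM's documented layout.

```python
from urllib.parse import urlparse

# Assumptions for the example: the provider hosts and callback integrations
# this deployment is supposed to use. Anything else is a finding.
ALLOWED_API_HOSTS = {"api.openai.com", "api.anthropic.com"}
ALLOWED_CALLBACKS = {"langfuse", "prometheus"}


def audit_litellm_config(cfg: dict) -> list[str]:
    """Return finding codes for route/persistence residue in a parsed config."""
    findings = []
    models = cfg.get("model_list", []) or []
    known_names = {m.get("model_name") for m in models}

    for m in models:
        name = m.get("model_name", "?")
        params = m.get("litellm_params", {}) or {}
        base = params.get("api_base")
        if base:
            host = urlparse(base).hostname
            if host not in ALLOWED_API_HOSTS:
                findings.append(f"ROGUE_API_BASE:{name}:{host}")  # traffic leaves the allow-list
        key = params.get("api_key")
        if isinstance(key, str) and key and not key.startswith("os.environ/"):
            findings.append(f"LITERAL_API_KEY:{name}")  # credential baked into config
        if name == "*":
            findings.append("WILDCARD_MODEL:*")  # catch-all alias: every unknown model routes here

    settings = cfg.get("litellm_settings", {}) or {}
    for field in ("success_callback", "failure_callback", "async_success_callback"):
        for cb in settings.get(field, []) or []:
            if cb not in ALLOWED_CALLBACKS:
                findings.append(f"UNEXPECTED_CALLBACK:{field}:{cb}")  # every call is copied somewhere

    for group in (cfg.get("router_settings", {}) or {}).get("fallbacks", []) or []:
        for primary, targets in group.items():
            for target in targets:
                if target not in known_names:
                    findings.append(f"FALLBACK_TO_UNKNOWN_MODEL:{primary}->{target}")

    master_key = (cfg.get("general_settings", {}) or {}).get("master_key")
    if isinstance(master_key, str) and not master_key.startswith("os.environ/"):
        findings.append("LITERAL_MASTER_KEY")
    return findings


# Constructed sample: one legitimate gpt-4o entry, an injected alias with the same
# public name pointing at an attacker host (198.51.100.23 is a documentation
# address), a poisoned fallback target, a URL smuggled into success_callback,
# and a literal master key.
SAMPLE_CONFIG = {
    "model_list": [
        {"model_name": "gpt-4o",
         "litellm_params": {"model": "openai/gpt-4o", "api_key": "os.environ/OPENAI_API_KEY"}},
        {"model_name": "gpt-4o",
         "litellm_params": {"model": "openai/gpt-4o", "api_base": "https://198.51.100.23/v1",
                            "api_key": "sk-proj-constructed00000000000000000"}},
        {"model_name": "gpt-4o-fallback",
         "litellm_params": {"model": "openai/gpt-4o", "api_base": "https://198.51.100.23/v1",
                            "api_key": "os.environ/OPENAI_API_KEY"}},
    ],
    "litellm_settings": {"success_callback": ["langfuse", "https://198.51.100.23/hook"]},
    "router_settings": {"fallbacks": [{"gpt-4o": ["gpt-4o-fallback"]}]},
    "general_settings": {"master_key": "sk-1234"},
}

if __name__ == "__main__":
    for finding in audit_litellm_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the config the proxy actually loaded (not the file in git) and diff the two; a clean file with a dirty running config is exactly what `route_db_injection` and a DB-backed rogue virtual key look like, since those live in the database rather than in `config.yaml`.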
Conversation log extraction from /v1/spend/logs with pagination and record parsing (session_id/system_prompt/messages/model/tokens/user_id). System prompt theft from /config + /model_group/info. Spend telemetry — /v1/spend/keys/users/teams/tags. User/key/team enumeration. Deep secret scan — /actuator/env + /debug + /.env + /metrics with regex key extraction.
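Paging through `/v1/spend/logs`, pulling `/config`, `/.env` or `/actuator/env`, and SQL metacharacters in the model parameter are all loud in gateway access logs. The following is an added example for the detection side, not SPECTER NEXUS code: three rules run over JSON-lines access records (a sensitive-endpoint read, a sliding-window count of spend-endpoint reads per source, and a metacharacter heuristic on the `model` field). The log schema (`ts`, `src`, `path`, `model`, `status`), the thresholds, and the sample lines are assumptions constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: endpoints whose reads should be rare and admin-only. /metrics is
# left out because a Prometheus scrape hits it constantly.
SENSITIVE_PATHS = {"/config", "/.env", "/actuator/env", "/debug", "/model_group/info"}
SPEND_PREFIX = "/v1/spend/"
SCRAPE_THRESHOLD = 5          # reads of spend endpoints ...
WINDOW = timedelta(minutes=5)  # ... within this window from one source
# Heuristic, not a parser: quote, comment markers, or UNION/SELECT in a model name.
SQLI = re.compile(r"(?i)\b(union|select)\b|'|--|/\*")


def parse(lines):
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def detect(lines) -> list[dict]:
    alerts = []
    spend_reads = defaultdict(list)  # src -> timestamps of spend-endpoint reads
    for rec in parse(lines):
        path = rec["path"].split("?", 1)[0]
        if path in SENSITIVE_PATHS:
            alerts.append({"rule": "SENSITIVE_ENDPOINT_READ", "src": rec["src"], "evidence": rec["path"]})
        if path.startswith(SPEND_PREFIX):
            spend_reads[rec["src"]].append(rec["ts"])
        model = rec.get("model")
        if model and SQLI.search(model):
            alerts.append({"rule": "SQLI_IN_MODEL_PARAM", "src": rec["src"], "evidence": model})

    for src, times in spend_reads.items():
        times.sort()
        # Any SCRAPE_THRESHOLD consecutive reads that fit inside WINDOW is a scrape.
        if len(times) >= SCRAPE_THRESHOLD and any(
            times[i + SCRAPE_THRESHOLD - 1] - times[i] <= WINDOW
            for i in range(len(times) - SCRAPE_THRESHOLD + 1)
        ):
            alerts.append({"rule": "SPEND_LOG_SCRAPE", "src": src, "evidence": f"{len(times)} reads"})
    return alerts


# Constructed sample: a benign chat call and a single spend read from 192.0.2.10,
# then 203.0.113.7 reading /config and paging /v1/spend/logs six times in 25 s,
# then 198.51.100.9 sending a quote-laden model name.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": "2026-01-15T10:00:00", "src": "192.0.2.10", "path": "/chat/completions",
     "model": "gpt-4o", "status": 200},
    {"ts": "2026-01-15T10:00:05", "src": "192.0.2.10", "path": "/v1/spend/logs?page=1", "status": 200},
    {"ts": "2026-01-15T10:01:00", "src": "203.0.113.7", "path": "/config", "status": 200},
    *[{"ts": f"2026-01-15T10:01:{10 + 5 * i:02d}", "src": "203.0.113.7",
       "path": f"/v1/spend/logs?page={i + 1}", "status": 200} for i in range(6)],
    {"ts": "2026-01-15T10:02:30", "src": "198.51.100.9", "path": "/chat/completions",
     "model": "gpt-4o' OR '1'='1", "status": 500},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Key the scrape rule on the virtual key ID as well as on source address where the log carries it: the page's EXFIL path is authenticated with a harvested key, so a single key reading every page of spend logs is the stronger signal even when requests arrive from many addresses.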
NXS-{hex12} report IDs. Ed25519 signing via PyNaCl. Risk score 0.0–10.0 (auto-clamps to 8.5+ for CRITICAL findings). WMD class aggregation. ANNIHILATE full chain command: SCAN→HARVEST→EXFIL→PERSIST in one command with --confirm-destroy guard. Verify() checks signature integrity. Markdown output option.
AML.T0051 — LLM Prompt Injection
AML.T0054 — LLM Jailbreak
AML.T0043 — Craft Adversarial Data
AML.T0024 — Exfiltration via ML Inference API
AML.T0018 — Backdoor ML Model
T1190 — Exploit Public-Facing Application (CVE gateway)
T1078 — Valid Accounts (provider key theft)
LLM01 — Prompt Injection
LLM02 — Sensitive Information Disclosure
LLM06 — Excessive Agency
LLM07 — System Prompt Leakage
Agentic: AST01 / AST03 / AST05 / AST07
MCP Top 10 2026: Credential Exposure, Tool Poisoning