Skip to main content
CVE Vulnerability Database

CVE-2025-6920: Red Hat AI Inference Server Auth Bypass

CVE-2025-6920 is an authentication bypass flaw in Red Hat AI Inference Server that allows unauthorized access to model inference features. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-6920 Overview

CVE-2025-6920 is an authentication bypass vulnerability in Red Hat AI Inference Server. The model inference API expects all /v1/* endpoints to enforce API key validation. The POST /invocations endpoint fails to enforce this check, allowing unauthenticated network callers to reach inference functionality reserved for authorized clients.

The flaw is tracked as CWE-306: Missing Authentication for Critical Function. Successful abuse exposes model inference capabilities and may permit unintended access to backend resources supporting the server.

Critical Impact

Unauthenticated attackers can invoke model inference through the POST /invocations endpoint, bypassing the API key controls enforced on other /v1/* routes.

Affected Products

  • Red Hat AI Inference Server (redhat:ai_inference_server)
  • Deployments exposing the POST /invocations endpoint over the network
  • Container images and product builds shipped prior to the Red Hat security fix

Discovery Timeline

  • 2025-07-01 - CVE-2025-6920 published to the National Vulnerability Database
  • 2026-06-17 - Record last modified in NVD

Technical Details for CVE-2025-6920

Vulnerability Analysis

The AI Inference Server exposes a REST API under the /v1/* path prefix for model serving. The server's authentication middleware validates an API key on requests to these routes before dispatching them to the inference backend. The POST /invocations route, which mirrors the inference behavior of the protected /v1/* endpoints, is registered outside the scope of that middleware. Requests to /invocations therefore execute without API key verification.

An attacker with network reachability to the server can submit inference requests, consume GPU and compute resources, and interact with loaded models. Depending on the deployment, this may reveal proprietary model behavior, expose data returned by the model, or provide a foothold for further probing of backend services connected to the inference pipeline. Red Hat classifies the confidentiality impact as low and reports no direct integrity or availability impact from the flaw itself.

Root Cause

The root cause is inconsistent enforcement of authentication across the API surface. The framework wiring applies API key validation only to routes under the /v1/ prefix. The /invocations route was registered as an alias for compatibility with common model-serving conventions but was not placed behind the same authentication dependency, producing a gap between the documented security model and the actual routing table.

Attack Vector

Exploitation requires only network access to the inference server and no user interaction or prior credentials. An attacker sends an HTTP POST request to /invocations with an inference payload matching the served model's expected input schema. The server processes the request and returns the model output. No API key, bearer token, or other credential is required in the request headers. Because the exposed functionality is equivalent to authenticated /v1/* inference, attackers gain the same query surface as legitimate clients.

See the Red Hat CVE-2025-6920 advisory and Red Hat Bugzilla #2375522 for vendor technical details.

Detection Methods for CVE-2025-6920

Indicators of Compromise

  • HTTP POST requests to /invocations on the AI Inference Server originating from clients that do not present an API key header
  • Access log entries showing successful 200 responses to /invocations from source addresses outside the expected client population
  • Spikes in inference workload or GPU utilization not correlated with authenticated /v1/* traffic

Detection Strategies

  • Compare request volumes between /v1/* and /invocations routes; sustained traffic to /invocations warrants investigation
  • Alert on requests to /invocations that lack the configured API key header or bearer token
  • Correlate reverse proxy logs with backend inference logs to identify requests that reached the model without traversing the authentication layer

Monitoring Recommendations

  • Enable structured access logging on the AI Inference Server and forward events to a centralized log platform for retention and analysis
  • Instrument the reverse proxy or ingress controller to record the presence or absence of authentication headers on every inference request
  • Track anomalies in per-client request rates and payload sizes against a known baseline of authorized inference consumers

How to Mitigate CVE-2025-6920

Immediate Actions Required

  • Apply the Red Hat security update for AI Inference Server as soon as it is available for your channel; consult the Red Hat advisory for fixed versions
  • Restrict network exposure of the inference server so that only trusted client networks can reach the API port
  • Audit access logs for prior unauthenticated requests to /invocations and rotate any secrets that may have been observable through model responses

Patch Information

Red Hat has published the vulnerability tracking record at access.redhat.com/security/cve/CVE-2025-6920 with fix status and affected component information. Follow the errata linked from that page for the specific package or container image versions that enforce authentication on the /invocations route.

Workarounds

  • Place the AI Inference Server behind a reverse proxy or API gateway that enforces API key or bearer token validation on all routes, including /invocations
  • Block the /invocations path at the ingress layer if the endpoint is not required by client applications
  • Apply network policies or firewall rules that permit inference traffic only from authenticated service identities within the cluster or VPC
bash
# Example NGINX ingress snippet blocking unauthenticated /invocations traffic
location = /invocations {
    if ($http_authorization = "") { return 401; }
    proxy_pass http://ai_inference_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.