T5-AT-006 · MEDIUM

API Endpoint Abuse

T5 · Model & API Exploitation
Risk score: 190
Rating: Medium
Procedures: 10
Mechanism

LLM serving frameworks expose multiple API endpoints beyond the primary inference endpoint — model management, health checks, metrics, debug, configuration, and administrative functions. The design assumption is that non-inference endpoints are either internal-only or harmless. The gap: many self-hosted LLM frameworks (Ollama, vLLM, text-generation-inference, LiteLLM) were designed as developer tools and expose management APIs without authentication by default.

Detection
  • Full API endpoint inventory with authentication requirements documented per-endpoint
  • Monitor for requests to undocumented endpoints (404→200 transitions indicate discovery)
  • Alert on management API calls (model create/delete/pull) from non-admin sources
  • Detect path traversal patterns in API request URIs
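The last three detection checks above, run over an access log, as an added example that is not part of the original page. The log layout, the documented-endpoint allowlist and the admin source address are assumptions; the management paths are Ollama's model create/delete/pull routes.

```python
from urllib.parse import unquote, urlsplit

# Assumptions for this sketch: the allowlist, admin source and log layout are
# hypothetical; the management paths follow Ollama's model create/delete/pull API.
DOCUMENTED = {"/api/generate", "/api/chat"}
MANAGEMENT = {"/api/create", "/api/delete", "/api/pull"}
ADMIN_SOURCES = {"10.0.0.5"}

# Constructed sample lines: "<source> <method> <uri> <status>"
SAMPLE_LOG = """\
10.0.0.5 POST /api/pull 200
10.0.0.23 POST /api/generate 200
10.0.0.23 GET /debug 404
10.0.0.23 GET /admin 404
10.0.0.23 GET /metrics 200
10.0.0.42 DELETE /api/delete 200
10.0.0.42 GET /api/%2e%2e/%2e%2e/models 400
"""

def normalise(uri):
    """Strip the query string and percent-decode twice to catch double encoding."""
    return unquote(unquote(urlsplit(uri).path))

def detect(log_text):
    alerts, probing = [], {}   # probing: source -> count of 404s on unknown paths
    for line in filter(str.strip, log_text.splitlines()):
        src, _method, uri, status = line.split()
        path, status = normalise(uri), int(status)
        if ".." in path.split("/"):
            alerts.append((src, "path-traversal", uri))
            continue
        if path in MANAGEMENT:
            if src not in ADMIN_SOURCES:
                alerts.append((src, "management-call-non-admin", path))
            continue
        if path in DOCUMENTED:
            continue
        # Undocumented path: a 2xx after earlier 404s is the 404→200 transition
        if status == 404:
            probing[src] = probing.get(src, 0) + 1
        elif 200 <= status < 300:
            kind = "endpoint-discovered" if probing.get(src) else "undocumented-endpoint-hit"
            alerts.append((src, kind, path))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```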
Mitigation
  • Authentication on ALL endpoints including health/metrics [HIGH]
  • Network segmentation: management API on separate interface [HIGH]
  • Disable GraphQL introspection in production [HIGH]
  • API gateway with strict path whitelist (reject unknown endpoints) [HIGH]
Chaining

API endpoint abuse provides the initial access that enables all other T5 techniques. Ollama management API abuse (T5-AP-006A) chains directly to T6 (Training & Feedback Poisoning) via model replacement with backdoored versions.

Framework mapping
OWASP LLM: LLM02
MITRE ATLAS: AML.T0040