AI Infrastructure Security: A Deep Dive Reveals Alarming Vulnerabilities and Misconfigurations
A recent study by **Intruder** has uncovered widespread security flaws in self-hosted AI infrastructure. The investigation, prompted by the **ClawdBot** fiasco, reveals a landscape riddled with exposed services, misconfigurations, and a lack of basic authentication.

While the software industry has made strides in secure product delivery, the rapid adoption of AI is jeopardizing that progress. Businesses are rushing to self-host Large Language Model (LLM) infrastructure, prioritizing speed over security.
In the wake of the **ClawdBot** incident (a self-hosted AI assistant plagued by vulnerabilities), the **Intruder** team investigated the security posture of AI infrastructure more broadly. Starting from hostnames gathered from certificate transparency logs, they analyzed over 2 million hosts exposing roughly 1 million services, revealing significant security gaps.
## No Authentication by Default
A recurring issue was the deployment of hosts without authentication. Source code analysis revealed that many AI projects do not enable authentication by default, leaving user data and company tools exposed.
### Freely Accessible Chatbots
Many instances involved chatbots exposing user conversations. One example, based on **OpenUI**, revealed users' full LLM conversation history. In enterprise environments, these chat histories can contain sensitive information.

Generic chatbots hosting diverse models, including multimodal LLMs, were also freely accessible. Malicious actors can jailbreak these models to bypass safety measures for illicit activities, running on someone else's infrastructure and at someone else's cost, with no account to trace it back to. Such abuse of company chatbots has already been observed, with users reaching more capable models than they were authorized to use.
Some chatbots even exposed large volumes of personal NSFW conversations, and the software itself revealed the API keys of its **Claude**-powered bots in plaintext.

### Wide Open Agent Management Platforms
Exposed instances of agent management platforms such as **n8n** and **Flowise** were discovered, including some clearly intended for internal use that were reachable without authentication. One **Flowise** instance exposed the entire business logic of an LLM chatbot service.

While **Flowise** didn't directly reveal stored credential values, the credentials were still usable: anyone who can edit or trigger a flow can drive the connected tools with them and exfiltrate whatever those tools reach. The lack of proper access management controls in AI tooling means that access to a bot often grants access to every system connected to it.
Another exposed setup revealed web-fetching tools and potentially dangerous local functions, such as file writes and a code interpreter, which amount to server-side code execution for anyone who can reach the instance.

Over 90 exposed instances were identified across various sectors, including government, marketing, and finance. Attackers could modify workflows, redirect traffic, expose user data, or poison responses.
### Saying Hello to Unsecured Ollama APIs
A significant number of exposed **Ollama** APIs were accessible without authentication and had at least one model loaded. A simple "Hello" prompt sent to these servers yielded a completion from 31% of the 5,200+ servers queried.
The responses revealed the diverse uses of these APIs, including integrations with cloud management systems and health and wellbeing assistance.
While **Ollama** doesn't store messages itself, many instances wrapped paid frontier models from **Anthropic**, **Deepseek**, **Moonshot**, **Google**, and **OpenAI**, so an unauthenticated caller can drive those vendors' APIs on the owner's account. Across all servers, 518 of the models identified were wrappers around well-known frontier models.
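To make the probe concrete, here is an added Python example (not code from the Intruder report or from the Ollama project) that reproduces the "Hello" check against Ollama's documented `/api/tags` and `/api/generate` endpoints and flags model names that look like wrapped frontier models. The vendor name fragments in `FRONTIER_MARKERS` and the sample JSON bodies are assumptions constructed for this example; point `say_hello` only at hosts you are authorised to test.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample replies (not captured from any real host) in the shape
# Ollama returns for GET /api/tags and a non-streaming POST /api/generate.
SAMPLE_TAGS = ('{"models":[{"name":"llama3.1:8b"},'
               '{"name":"claude-3-5-sonnet:latest"},{"name":"gpt-4o:latest"}]}')
SAMPLE_REPLY = ('{"model":"llama3.1:8b","response":"Hello! How can I help you today?",'
                '"done":true}')

# Vendors are the ones named in the report; the name fragments are this
# example's assumption and only a heuristic (a local "deepseek-r1" checkpoint
# is open weights, not a paid API wrapper, so confirm by hand before reporting).
FRONTIER_MARKERS = {
    "Anthropic": ("claude",),
    "Deepseek": ("deepseek",),
    "Moonshot": ("moonshot", "kimi"),
    "Google": ("gemini",),
    "OpenAI": ("gpt-",),
}


def parse_tags(body):
    """Model names from a GET /api/tags reply."""
    return [m["name"] for m in json.loads(body).get("models", [])]


def classify_frontier(model_name):
    """Vendor whose marker appears in the model name, or None for local models."""
    name = model_name.lower()
    for vendor, markers in FRONTIER_MARKERS.items():
        if any(marker in name for marker in markers):
            return vendor
    return None


def frontier_models(names):
    """Subset of names that look like wrapped frontier models, keyed to vendor."""
    return {n: v for n in names if (v := classify_frontier(n))}


def parse_generate_reply(body):
    """Completion text from a non-streaming /api/generate reply, or None when the
    server answered with an error object, an empty completion, or non-JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    text = data.get("response") if isinstance(data, dict) else None
    return text if isinstance(text, str) and text.strip() else None


def _http(url, payload=None, timeout=10):
    """GET (payload None) or POST JSON and return the body as text."""
    req = urllib.request.Request(url, headers={"Content-Type": "application/json"})
    data = json.dumps(payload).encode() if payload is not None else None
    with urllib.request.urlopen(req, data=data, timeout=timeout) as resp:
        return resp.read().decode()


def say_hello(base_url, timeout=10):
    """The report's probe: list models, then send "Hello" to the first one.
    Returns (model, reply); reply is None when nothing answered. Only point
    this at hosts you are authorised to test."""
    try:
        names = parse_tags(_http(f"{base_url}/api/tags", timeout=timeout))
        if not names:
            return None, None
        body = _http(f"{base_url}/api/generate",
                     {"model": names[0], "prompt": "Hello", "stream": False},
                     timeout=timeout)
        return names[0], parse_generate_reply(body)
    except (urllib.error.URLError, OSError, ValueError):
        return None, None


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. http://10.0.0.5:11434
        print(say_hello(sys.argv[1].rstrip("/")))
    else:                                       # offline demo on the samples
        names = parse_tags(SAMPLE_TAGS)
        print("wrapped:", frontier_models(names))
        print("reply:", parse_generate_reply(SAMPLE_REPLY))
```

A host that answers `/api/tags` but returns an error object from `/api/generate` is still an unauthenticated API; it just has no model loaded, which is why the example separates "API open" from "model answered".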
## Insecure by Design
Further analysis revealed recurring insecure patterns:
* **Poor deployment practices:** Insecure defaults, misconfigured Docker setups, hardcoded credentials, and applications running as root.
* **No authentication on fresh installs:** Whoever reaches a fresh install first is often handed a high-privilege account with full management access, with no setup step that forces a password.
* **Hardcoded and static credentials:** Credentials are often embedded in setup examples and docker-compose files instead of being generated on installation, so the same values end up on many deployments.
* **New technical vulnerabilities:** Arbitrary code execution vulnerabilities were quickly discovered in popular AI projects.
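As an added example of checking for the first three patterns (not code from the report or from any of the projects it names), the following Python script reads a docker-compose file and flags ports published on all interfaces, services without a `user:` (which run as the image's default, usually root), and credential-looking environment values hardcoded instead of substituted from the environment. The sample compose file and the `chat-ui` service in it are constructed for this example; the parser only handles the common two-space indented layout.

```python
import re

# Constructed sample compose file (not taken from the report or any project):
# "ollama" keeps the common defaults, "chat-ui" (a hypothetical service) is
# tightened except for one hardcoded password.
SAMPLE_COMPOSE = """\
services:
  ollama:
    image: ollama/ollama
    ports:
      - "11434:11434"
  chat-ui:
    image: example/chat-ui
    user: "1000:1000"
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      - CHAT_ADMIN_PASSWORD=admin
      - API_TOKEN=${API_TOKEN}
"""

# Environment keys that usually carry a credential.
CRED_KEY = re.compile(r"PASS|SECRET|TOKEN|API_?KEY", re.I)


def parse_services(text):
    """Minimal reader for the common two-space compose layout. Returns
    {service: {"user", "ports", "env"}}; only the keys this audit needs are
    kept. A real tool should use a YAML parser; this keeps the example
    dependency-free."""
    services, current, section = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 2 and line.endswith(":"):            # service name
            current = line[:-1]
            services[current] = {"user": None, "ports": [], "env": {}}
            section = None
        elif indent == 4 and current:                     # service-level key
            key, _, value = line.partition(":")
            section = key if key in ("ports", "environment") else None
            if key == "user":
                services[current]["user"] = value.strip().strip("'\"")
        elif indent == 6 and current and section:         # list or map items
            is_list = line.startswith("- ")
            item = line[2:].strip() if is_list else line
            if section == "ports":
                services[current]["ports"].append(item.strip("'\""))
            else:                                         # KEY=VAL or KEY: VAL
                k, _, v = item.partition("=" if is_list else ":")
                services[current]["env"][k.strip()] = v.strip().strip("'\"")
    return services


def host_side_open(port_spec):
    """True when the host side of a short-form port mapping listens on every
    interface: no host IP given, or 0.0.0.0 / [::] given explicitly."""
    parts = port_spec.split("/")[0].rsplit(":", 2)       # drop /tcp, /udp
    if len(parts) < 3:                                    # "8080" or "8080:80"
        return True
    return parts[0] in ("0.0.0.0", "[::]")


def audit_compose(text):
    """(service, category, detail) findings for the three patterns."""
    findings = []
    for name, svc in parse_services(text).items():
        for spec in svc["ports"]:
            if host_side_open(spec):
                findings.append((name, "exposed-port", spec))
        if svc["user"] is None or svc["user"] in ("0", "root", "0:0"):
            findings.append((name, "runs-as-root", svc["user"] or "no user: set"))
        for key, value in svc["env"].items():
            # A value taken from the shell environment ("${VAR}") is fine;
            # a literal next to a credential-looking key is a baked-in secret.
            if CRED_KEY.search(key) and value and not value.startswith("${"):
                findings.append((name, "hardcoded-credential", key))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSE
    for service, category, detail in audit_compose(text):
        print(f"{service:10} {category:22} {detail}")
```

Binding to `127.0.0.1` only helps if an authenticating reverse proxy or VPN sits in front; a port mapped to a public interface on a cloud host is the exact exposure the report measured.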