CVE-2025-6920 identifies a security flaw in the Red Hat AI Inference Server, specifically within its model inference API. The server exposes multiple endpoints under the /v1/* path, all of which are designed to require API key validation to authenticate and authorize clients. However, the POST /invocations endpoint fails to enforce this critical authentication check, effectively allowing any unauthenticated user to invoke AI model inference operations. This bypass occurs because the authentication enforcement mechanism does not apply to this endpoint, creating a gap in the security model. As a result, attackers can send inference requests without valid credentials, gaining access to AI inference features that should be protected. While the vulnerability does not directly compromise data integrity or availability, it can lead to unauthorized information disclosure or enable attackers to misuse backend AI resources. The flaw is remotely exploitable over the network without any privileges or user interaction, increasing its risk profile. Currently, there are no known exploits in the wild, and no patches have been linked yet. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the ease of exploitation and potential confidentiality impact. This vulnerability is particularly relevant for organizations deploying Red Hat AI Inference Server in production environments, especially those exposing inference APIs to external or untrusted networks.

For European organizations, this vulnerability poses a risk of unauthorized access to AI inference services, potentially exposing sensitive model outputs or enabling misuse of AI capabilities. Confidentiality is impacted as attackers can query AI models without authentication, possibly extracting sensitive information embedded in model responses. Although integrity and availability are not directly affected, unauthorized usage could lead to resource exhaustion or indirect service degradation. Organizations relying on AI inference for critical decision-making or handling sensitive data could face compliance and reputational risks if attackers exploit this flaw. The risk is heightened for sectors with AI-driven services such as finance, healthcare, manufacturing, and government agencies. Since the vulnerability requires no authentication or user interaction and is exploitable remotely, it broadens the attack surface, especially if the inference server is exposed beyond trusted internal networks. European entities with cloud or hybrid deployments of Red Hat AI Inference Server should be vigilant, as cloud environments may increase exposure. The absence of known exploits provides a window for proactive mitigation, but the medium severity score indicates that timely remediation is necessary to prevent potential abuse.

1. Immediately restrict network access to the Red Hat AI Inference Server, ensuring that the /invocations endpoint is not exposed to untrusted networks or the public internet. 2. Implement network-level controls such as firewalls, VPNs, or zero-trust segmentation to limit access to authorized clients only. 3. Monitor API access logs for unusual or unauthorized requests targeting the /invocations endpoint to detect potential exploitation attempts. 4. Apply vendor patches or updates as soon as Red Hat releases a fix addressing this authentication bypass. 5. If patches are delayed, consider deploying a reverse proxy or API gateway in front of the inference server that enforces API key validation for all endpoints, including /invocations. 6. Conduct a thorough review of AI inference workflows to identify any sensitive data exposure risks and apply additional encryption or access controls as needed. 7. Educate development and operations teams about the vulnerability to ensure secure deployment practices and prompt response to security advisories. 8. Regularly audit and update API authentication mechanisms to prevent similar bypasses in the future.