@blamejs/exceptd-skills 0.13.77 → 0.13.79

package/data/cwe-catalog.json

@@ -1299,10 +1299,13 @@
     ],
     "evidence_cves": [
       "CVE-2023-21529",
+      "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-26399",
+      "CVE-2025-30165",
       "CVE-2025-40551",
       "CVE-2025-42999",
       "CVE-2025-49113",
@@ -1310,6 +1313,7 @@
       "CVE-2025-53690",
       "CVE-2025-53770",
       "CVE-2025-59287",
+      "CVE-2025-60455",
       "CVE-2025-68664",
       "CVE-2026-20131",
       "CVE-2026-20963"
@@ -2408,6 +2412,8 @@
       "CVE-2025-57819",
       "CVE-2026-1603",
       "CVE-2026-23760",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-24858"
     ],
     "last_verified": "2026-05-18",

package/data/framework-control-gaps.json

@@ -34,11 +34,17 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -1354,6 +1360,7 @@
       "CVE-2024-37079",
       "CVE-2024-42009",
       "CVE-2024-43468",
+      "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
@@ -1382,6 +1389,7 @@
       "CVE-2025-21043",
       "CVE-2025-21479",
       "CVE-2025-21480",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -1397,6 +1405,7 @@
       "CVE-2025-27915",
       "CVE-2025-27920",
       "CVE-2025-29635",
+      "CVE-2025-30165",
       "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31277",
@@ -1470,6 +1479,7 @@
       "CVE-2025-59374",
       "CVE-2025-59689",
       "CVE-2025-59718",
+      "CVE-2025-60455",
       "CVE-2025-60710",
       "CVE-2025-61757",
       "CVE-2025-61882",
@@ -1738,16 +1748,22 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -2156,8 +2172,12 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
+      "CVE-2025-60455",
       "CVE-2025-6965",
       "CVE-2026-39884",
       "CVE-2026-42208",
@@ -2304,6 +2324,7 @@
       "CVE-2024-37079",
       "CVE-2024-42009",
       "CVE-2024-43468",
+      "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
@@ -2333,6 +2354,7 @@
       "CVE-2025-21043",
       "CVE-2025-21479",
       "CVE-2025-21480",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -2348,6 +2370,7 @@
       "CVE-2025-27915",
       "CVE-2025-27920",
       "CVE-2025-29635",
+      "CVE-2025-30165",
       "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31277",
@@ -2422,6 +2445,7 @@
       "CVE-2025-59389",
       "CVE-2025-59689",
       "CVE-2025-59718",
+      "CVE-2025-60455",
       "CVE-2025-60710",
       "CVE-2025-61757",
       "CVE-2025-61882",
@@ -2481,6 +2505,8 @@
       "CVE-2026-22769",
       "CVE-2026-23760",
       "CVE-2026-24061",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-2441",
       "CVE-2026-24423",
       "CVE-2026-24858",
@@ -3548,7 +3574,10 @@
     "real_requirement": "Identity controls treat AI agents as distinct principals where they execute tools; MCP plugin invocations log model decision + tool name + arguments + user identity; AI-provider service credentials are short-lived, rotated, and excluded from cleartext storage policy exceptions; passkeys/WebAuthn for human-operator-to-AI authentication where supported.",
     "status": "open",
     "opened_date": "2026-05-13",
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-24206",
+      "CVE-2026-24207"
+    ],
     "atlas_refs": [
       "AML.T0010",
       "AML.T0051"
@@ -4756,13 +4785,19 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-0300",
       "CVE-2026-20182",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -5264,9 +5299,13 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
@@ -5314,11 +5353,17 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -5534,7 +5579,9 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
-      "CVE-2025-55241"
+      "CVE-2025-55241",
+      "CVE-2026-24206",
+      "CVE-2026-24207"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5600,7 +5647,9 @@
     "evidence_cves": [
       "CVE-2020-10148",
       "CVE-2024-1709",
-      "CVE-2026-20182"
+      "CVE-2026-20182",
+      "CVE-2026-24206",
+      "CVE-2026-24207"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -6533,6 +6533,306 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-23254": {
+    "name": "NVIDIA TensorRT-LLM Python Executor Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA TensorRT-LLM deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "local access to the TRT-LLM server (NVD AV:L/PR:L)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 68,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (NVIDIA TensorRT-LLM), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-30165": {
+    "name": "vLLM V0 Engine ZeroMQ Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "vLLM deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "adjacent-network reach to the ZeroMQ socket (NVD AV:A/PR:L)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. No code patch shipped for vLLM CVE-2025-30165; the mitigation is to keep the legacy V0 engine disabled (its default since 0.8.0) and isolate the ZeroMQ socket on a trusted network segment. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-50050": {
+    "name": "Meta Llama Stack Socket Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Meta Llama Stack deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "network reach to the inference socket (NVD AV:N/PR:L)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (Meta Llama Stack), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-60455": {
+    "name": "Modular Max Server KVCache-Agent Deserialization RCE (ShadowMQ)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Modular Max Server deserializes untrusted pickle data received over a ZeroMQ / IPC socket without validation (CWE-502), so an attacker who reaches the channel executes code. The same insecure pattern spread across AI inference engines by copy-paste code reuse (Oligo ShadowMQ).",
+      "privileges_required": "local reach with the experimental KVCache agent enabled (NVD AV:L/PR:N)",
+      "complexity": "low (NVD AC:L); a crafted serialized payload on the deserialization channel",
+      "ai_factor": "The abused surface is the IPC/socket layer of an AI inference engine. The lesson is the supply-chain one: an insecure deserialization primitive was reused across vLLM, NVIDIA TensorRT-LLM, Meta Llama Stack and Modular Max, so one root cause became an ecosystem-wide exposure. Inference-engine sockets must use a safe serializer and be treated as untrusted input."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI inference engines and their socket serialization layers as managed, RCE-bearing software, nor flag a flaw recurring across projects via code reuse."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the serializer is treated as trusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires an AI inference engine's socket serialization to use a safe format and validate peers; the unsafe primitive propagated by code reuse."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "AI inference engines are rarely in the managed vulnerability program, and their internal serialization sockets are assumed trusted; a reused insecure primitive is not tracked across the projects that copied it.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (Modular Max Server), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-24207": {
+    "name": "NVIDIA Triton Inference Server Authentication Bypass (Alternate Path) RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Triton Inference Server exposes a control-plane path that bypasses its authentication layer (CWE-288), so an unauthenticated network attacker reaches privileged model-control functionality without credentials.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated over the network",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the authentication layer of a widely deployed AI inference server. The lesson: authentication on an AI model control plane must be proven complete across every request path — an alternate path that skips the auth layer exposes model load/unload and repository management to anyone on the network. NVD scored 9.8 (NIST)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is asserted for the application but not verified to cover every control-plane path of the inference server; an alternate path bypasses it."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence does not track AI inference servers as network-exposed control planes requiring rapid patching."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference server's authentication to be proven complete across all request paths."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Organizations assert authentication coverage for the inference API but do not test every alternate path into the model control plane; inference servers are rarely in the managed vulnerability program.",
+      "theater_pattern": "authentication_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-087",
+        "name": "AI-INFERENCE-SERVER-AUTH-ENFORCEMENT",
+        "description": "Authentication on an AI inference server's control plane (model load/unload, repository and config management) must be enforced on every request path and proven complete, not assumed from the primary API. Upgrade NVIDIA Triton to r26.03 or later, do not expose Triton HTTP/gRPC endpoints to untrusted networks, and front it with an authenticating reverse proxy. The distinguishing test: from an unauthenticated client on a staging instance, attempt to reach each control-plane endpoint via alternate paths and confirm all are rejected.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-24206": {
+    "name": "NVIDIA Triton Inference Server Authentication Bypass (Alternate Channel)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA Triton Inference Server exposes a control-plane path that bypasses its authentication layer (CWE-288), so an unauthenticated network attacker reaches privileged model-control functionality without credentials.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated over the network",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the authentication layer of a widely deployed AI inference server. The lesson: authentication on an AI model control plane must be proven complete across every request path — an alternate path that skips the auth layer exposes model load/unload and repository management to anyone on the network. NVD scored 9.8 NIST / 7.3 NVIDIA."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is asserted for the application but not verified to cover every control-plane path of the inference server; an alternate path bypasses it."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw-remediation cadence does not track AI inference servers as network-exposed control planes requiring rapid patching."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference server's authentication to be proven complete across all request paths."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Organizations assert authentication coverage for the inference API but do not test every alternate path into the model control plane; inference servers are rarely in the managed vulnerability program.",
+      "theater_pattern": "authentication_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-087",
+        "name": "AI-INFERENCE-SERVER-AUTH-ENFORCEMENT",
+        "description": "Authentication on an AI inference server's control plane (model load/unload, repository and config management) must be enforced on every request path and proven complete, not assumed from the primary API. Upgrade NVIDIA Triton to r26.03 or later, do not expose Triton HTTP/gRPC endpoints to untrusted networks, and front it with an authenticating reverse proxy. The distinguishing test: from an unauthenticated client on a staging instance, attempt to reach each control-plane endpoint via alternate paths and confirm all are rejected.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",