AI tools are going live with no passwords

The Intruder security team scanned over two million internet-facing hosts in May 2026 and found that more than one million AI services had been deployed with no authentication in place — more vulnerable, exposed, and misconfigured than any other category of software they had investigated. Of the 5,200 Ollama API servers identified and queried, 31% responded without requiring any login, with those servers connected to frontier models from Anthropic, OpenAI, Google, and DeepSeek. Agent management platforms including n8n and Flowise were found exposed across government, marketing, and finance with full business logic, credential lists, and outward tool access open to anyone who found them.

Many of these platforms ship without authentication enabled by default. Developers stand up LLM infrastructure quickly — often as internal tools — without applying the access controls that standard web services require. Separate research from Noma Security found that one in four Model Context Protocol (MCP) servers — the connectors enterprises use to give agents access to internal data and systems — carry arbitrary code execution capabilities with no mechanism for defenders to trace what a model does with those capabilities once they are loaded. The attack surface extends beyond what an intruder can reach directly: it stretches to every system the exposed agent was built to touch.

Intruder found n8n and Flowise instances where an attacker could modify agent workflows, redirect traffic, read stored user data, or run server-side code without credentials. Several chatbot deployments exposed full conversation histories and disclosed API keys in plaintext. The scan identified over 90 exposed instances across sectors but the researchers noted they stopped short of probing further on ethical grounds. The servers that responded to unauthenticated queries gave a clear enough picture: responses included "I am here to assist you with your health and wellbeing issues" and "I am an AI assistant integrated with our cloud management systems."

Source

The Hacker News (Intruder research)