I Gave My AI Stack a Memory. Then I Poisoned It. Here's What Broke.

ChromaDB ships with no authentication. This episode breaks the RAG stack built in 3.4A -- exfiltrating every internal document, poisoning the knowledge base to phish users via the AI, jamming retrieval with blocker documents, and deleting the entire collection. All from the network, with curl and five lines of Python.

April 2, 2026 · 28 min · Oob Skulden™

We Gave Our AI Stack a Memory. Here's Everything That's Wrong With It.

Building a production RAG stack on ChromaDB, LangChain, and FastAPI -- and uncovering an unauthenticated vector database open to arbitrary writes from anyone on the network. Episode 3.4A of the AI Infrastructure Security Series.

March 29, 2026 · 33 min · Oob Skulden™

I Built DLP Into My AI Stack. Then I Found Six Ways Around It.

Seven findings against a Presidio + LiteLLM DLP stack -- guardrails silently fail, encodings bypass detection, and Open WebUI stores every prompt unmasked.

March 21, 2026 · 19 min · Oob Skulden™

Five AI Security Tools Found What Curl Already Knew -- But Faster, and With Receipts

Julius, Augustus, Garak, Promptfoo, and AI-Infra-Guard run against the same Ollama target from the prequel -- same vulnerability, but structured bypass rates, named CVE matches, and repeatable test configs that survive a security review.

March 9, 2026 · 26 min · Oob Skulden™

I Stood Up a Vulnerable AI Chatbot and Watched It Fall. CVE-2025-64496, Every Step.

Full attack chain against Open WebUI v0.6.33 -- from a chat message to root RCE, admin JWT forgery, and persistent backdoor. CVE-2025-64496 exploitation with every command and dead end documented.

March 6, 2026 · 39 min · Oob Skulden™

Before You Can Break It, You Have to Build It Wrong

Deploy the intentionally vulnerable Open WebUI v0.6.33 + Ollama 0.1.33 lab stack on Debian 13 from scratch -- Docker, compose file, API account setup, and every gotcha for CVE-2025-64496 lab reproduction.

March 3, 2026 · 20 min · Oob Skulden™

Hardening Authentik: Every Misconfiguration I Found in My Own IdP

How to harden Authentik 2025.12.3 -- localhost bind, HAProxy path blocking and rate limiting, OpenBAO AppRole secrets injection, akadmin deactivation, and Docker worker capability hardening. Every command, every dead end, every lesson.

March 2, 2026 · 23 min · Oob Skulden

AI Infrastructure Isn’t Magic — It’s the Same Problems You Already Know, Stacked Differently

Understanding how self-hosted AI is built is the fastest way to understand what ChatGPT, Claude, and Gemini are actually doing with your data — and where your discipline’s failure mode lives.

February 27, 2026 · 11 min · Oob Skulden™

I Broke My Own Identity Provider

A complete live audit of Authentik 2025.12.3 — every command, every dead end, every lesson. 10 of 15 findings confirmed exploitable, including full RCE from a non-superuser account, database compromise, and a two-command path to god-mode. Zero downloaded tools.

February 25, 2026 · 31 min · Oob Skulden™

I Hardened a Grafana Stack From "Please Hack Me" to Production-Ready. Here's Every Command I Ran.

A complete live hardening session for a Grafana monitoring stack -- every command, every failure, every fix. 15 vulnerabilities across seven categories, from anonymous access and exposed Prometheus endpoints to plaintext secrets and a single browser tab that broke the rate limiter.

February 15, 2026 · 40 min · Oob Skulden™