API security has been a growing concern for years. However, while it was always seen as important, it often came second to application security or hardening infrastructure.
In 2025, the picture changed. Wallarm’s 2026 API ThreatStats Report revealed that APIs are now the primary attack surface for digital business, and not because bad actors discovered new zero-days, but because of compounding failures in identity, exposure, and abuse.
From vulnerability disclosures, exploited vulnerabilities, and breaches, APIs are where risk happens, where it is exploited, and where it becomes business risk. This is not shifting with the rise of AI and autonomous agents; it’s just increasing in velocity.
If you cannot secure your APIs, you can’t secure your AI. This is the reality.
In 2025, APIs accounted for 11,053 of 67,058 published security bulletins, or 17% of all reported vulnerabilities. That alone makes APIs one of the largest single vulnerability surfaces in modern software.
Yet disclosure counts only tell part of the story.
When exploitation is taken into account, the signal becomes much stronger. Nearly half of the newly added CISA Known Exploited Vulnerabilities (KEVs) in 2025 (106 of 245, or 43%) were API-related. No other surface comes close. APIs are often vulnerable and are disproportionately exploited.
AI vulnerabilities reinforce this pattern. Of the 2,185 AI vulnerabilities identified, 36% also qualify as API vulnerabilities. Among AI-related KEVs, the overlap is the same: 21 of 58 exploited AI vulnerabilities (36%) involve APIs. As AI matures, its risks don’t shift elsewhere; they still come through APIs.
These threats soared nearly 400% year over year, rising from 439 in 2024 to 2,185 in 2025. In the same period, the absolute number of AI and API vulnerabilities increased by a whopping 79%.
The percentage overlap didn’t drop because APIs became less relevant, but because AI classifications expanded. In other words, the API-exposed AI attack surface grew dramatically. AI amplifies existing API failure modes by increasing exposed interfaces, automation, and the consequences of a single mistake.
Disclosure data still overemphasizes bugs. Bad actors are less concerned with novelty or elegance than they are with leverage and scale. The API ThreatStats Top 10, based on observed attack activity rather than disclosure counts, highlights this.
In 2025, Cross-Site Issues rose from a mid-ranking position to become the most abused API weakness by attack volume. Injection attacks dropped from first to second place, but never fell below number two in any quarter. Injection is still highly relevant, particularly as AI-driven APIs pass untrusted input directly into models and downstream pipelines.
Broken Access Control came in third place, with a dramatic rise to the top spot in the final quarter, which speaks to the ease with which enumeration and privilege-escalation vectors can be quickly scaled up after detection. Insecure Resource Consumption rose from seventh place in 2024 to fourth in 2025 and remained there throughout the year, driven by automated scraping, enumeration, and denial-of-service attacks.
There’s a common thread in these examples: malicious actors are exploiting logic, trust, and usage patterns in APIs that were never built to withstand automation in the first place.
API vulnerabilities are about speed and ease. The 2025 report showed that 97% of API vulnerabilities can be exploited with a single request. Chained requests are statistically insignificant. In fact, nearly 99% of API vulnerabilities are remotely accessible, as that’s how APIs are supposed to work.
Ease of exploitation is equally important. 98% of API vulnerabilities are classified as either easy or trivial to exploit, with only 1% needing advanced skills. In addition, over half (59%) of API vulnerabilities require no authentication at all.
Around 30% of published API vulnerabilities already have public exploit code available, collapsing the gap between disclosure and weaponization.
How sophisticated an adversary is no longer matters as much as automation does.
The impact on business follows straight from this exploitability profile. Just over two-thirds of API vulnerabilities (67%) are rated High or Critical impact, yet 56% are exploitable by low-skill actors, with another 40% tied to organized cybercrime. Nation-state activity remains statistically marginal.
This creates a persistent risk that is easy to exploit and monetize, yet extremely difficult to eliminate. API incidents are not tales of advanced, cunning adversaries, but ones of scale, fueled by cheap, repeatable attack chains.
The convergence between AI and APIs is measurable and growing. More than one-third of all AI vulnerabilities disclosed in 2025 are also API vulnerabilities, and that ratio holds steady when those vulnerabilities are exploited.
AI risk is expanding in every direction, but when it turns into real-world attacks, adversaries still come through the same door: APIs.
Many AI security failures look familiar because they are familiar: over-trusted interfaces, excessive permissions, weak authentication, and unsafe downstream consumption. AI increases the value of the target and the speed of abuse, but it rarely changes the underlying failure mode.
The strongest predictor of where future risk exists is the Model Context Protocol (MCP). Although it is still in an early adoption phase, MCP has already accounted for 315 vulnerabilities as of 2025, which make up 14.4% of all AI vulnerabilities. In fact, from Q2 to Q3, the number of MCP vulnerabilities has increased by 270%. This is considered a classic case of “small surface, large growth.”
The common causes of all MCP-related issues have been over-permissioned tools, direct API access without adequate authentication and authorization, and the lack of runtime enforcement. The MCP protocol serves as the control-plane API for agents. When it gets compromised, not only is data access granted to hackers, but they also get control over the autonomous workflow.
One of the most significant API breaches occurred last year, when thousands of MCP servers were left exposed. A single API-reachable path-traversal vulnerability gave attackers access to the agent infrastructure for production AI workloads. When APIs operate on behalf of agents, it amounts to delegating authority rather than granting access.
An analysis of 60 API-related breaches that were disclosed in 2025 shows where risk is most harmful. Incidents cluster in sectors with significant data and automation: Software (15%), AI platforms and tooling (15%), cybersecurity vendors (13%), SaaS (8%), automotive (7%), and cloud services (7%).
Mapped to OWASP categories, breaches are dominated by identity and trust failures. Broken authentication was the culprit in 52% of incidents, while unsafe consumption of APIs accounts can be blamed for 27%.
Concrete examples reinforced this. For instance, third-party APIs exposed millions of records at 700Credit, while weak airline API authentication fueled mass access at Qantas. Stolen credentials and permissive API access enabled unauthorized transactions at SwissBorg, and exposed MCP servers, leaking agent infrastructure at scale. Even leading AI platforms suffered access-control and internal-API exposure issues.
Every incident shared a common structure: a token or credential is stolen, an API is too trusting or too exposed, and automation enabled the rest.
Improving API security is less about discovering new types of attacks than it is about fixing the repeatable failures that automation will turn into business-level incidents.
What does this mean for the security practitioners? It means designing for abuse, treating identity as the primary attack surface, assuming all exposed APIs will be discovered and automated, securing agentic APIs as if they were production infrastructure, and maintaining a comprehensive, continuous API inventory.
What does it mean for the CISO? It means API security risk is now a business risk. There’s no other way to put it: AI security failures are API failures, identity failures drive all breach outcomes, and autonomy simply increases the blast radius.
Don’t measure what gets disclosed, measure what gets exploited. The data already shows us where the true risk resides. Download the 2026 API ThreatStats report to get a full view of the evolving API threat landscape.
It’s an unusually cold winter morning in Houston, and Craig Riddell is settling into his…
You probably think the security mantra “you can’t protect what you don’t know about” is…
APIs are one of the most important technologies in digital business ecosystems. And yet, the…
API security is becoming more important by the day and skilled practitioners are in high…
Is an AI-to-AI attack scenario a science fiction possibility only for blockbusters like the Terminator…
Lefteris Tzelepis, CISO at Steelmet /Viohalco Companies, was shaped by cybersecurity. From his early exposure…