Definition
A time-of-check-time-of-use vulnerability where an AI service validates a resource or request at time T1, but an attacker modifies the resource between T1 and T2 when it is actually used, leading to unauthorized action. In AI chat platforms, this can enable SSRF or data exfiltration.
Why it matters
AI services operate at machine speed with minimal validation windows; a TOCTOU race becomes easier to exploit when requests flow through multiple async layers, enabling attackers to inject malicious data into chatbot uploads or DNS rebinding attacks.