I've found something that looks like a security bug related to llama-stack and llama-stack-operator, affecting RHOAI 2.24 and RHOAI 2.25:

When UserA creates a LlamaStackDistribution in a namespace, a service is created. Using a notebook, UserA can use the llama_stack_client SDK with the service endpoint
The service is not secured by any Network Policy
UserB, running a notebook in a different namespace, can also query UserA's llama-stack service just having the endpoint, which is easy to guess.
I think the llama-stack-operator should add a NetworkPolicy protecting the llama-stack service, so only pods in the same namespace can access to it. I believe rhods-dashboard in redhat-ods-applications also needs to be able to access it for RHOAI 3.0
I'll create now a bug in Jira to track this.  Do you agree that this is a bug? Or users need to enable authentication to protect the llama-stack service?

Found in build:
rhoai-2.25 nightly build: 2025-10-01T06:19:17

How to reproduce:

As UserA, create a data science project, create a LlamaStackDistribution, start a workbench and run the attached notebook vector-stores-create-file (modifying the endpoint)
As UserB, create a data science project, start a workbench and run the attached notebook vector-stores-list-contents (modifying the endpoint). Verify that able to access UserA's information