CVE-2026-25211: llama-stack: security flaw enables exploitation

GHSA-xmfj-7pp5-fxr6 LOW
Published January 30, 2026
CISO Take

Llama Stack exposed pgvector database credentials in plaintext initialization logs, affecting any deployment using pgvector as a vector store backend. Patch to llama-stack >= 0.4.4 immediately and rotate all pgvector passwords — assume any credentials logged prior to patching are compromised. Audit log access controls: if logs reached a SIEM, cloud log aggregator, or shared storage, treat the pgvector database as fully exposed.

What is the risk?

Inherent CVSS is low (3.2) with local attack vector and high complexity, but the practical risk is elevated in typical enterprise AI deployments where logs are centralized in Splunk, Elastic, or cloud log services accessible to a broader audience than the application host. The scope change (S:C) in the vector indicates the credential exposure crosses into the pgvector database security boundary. EPSS near zero reflects no current weaponization, but credential-in-log vulnerabilities are trivial to exploit once an attacker gains any log read access — which is a common misconfiguration in AI dev environments.

What systems are affected?

Package       Ecosystem   Vulnerable Range   Patched
Llama Stack   pip         < 0.4.4            0.4.4


How severe is it?

CVSS 3.1: 3.2 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

What should I do?

  1. PATCH: Upgrade llama-stack to >= 0.4.4 immediately.
  2. ROTATE: Change pgvector passwords on all affected instances regardless of perceived log exposure.
  3. AUDIT LOGS: Search existing log archives for 'pgvector', 'password', 'postgres://', or similar connection string patterns — check SIEM, CloudWatch, Elastic, Splunk.
  4. RESTRICT: Apply least-privilege access to application logs; logs containing initialization output should not be readable by application users or broad ops teams.
  5. DETECT: Add a log monitoring rule for pgvector/PostgreSQL connection strings appearing in application logs.
  6. VERIFY: Confirm no unauthorized connections to the pgvector database in the period between initial deployment and patching by reviewing PostgreSQL pg_stat_activity history or audit logs.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  • A.6.1.2 - Information Security in AI System Lifecycle
  • A.9.4 - Logging and monitoring of AI systems
NIST AI RMF
  • GOVERN 1.6 - Policies and practices address AI risks across the lifecycle
  • MANAGE 2.2 - Mechanisms are in place to deal with AI risk and to recover from incidents
  • MANAGE-2.2 - Risk Response — Treatment of Identified AI Risks
OWASP LLM Top 10
  • LLM02 - Sensitive Information Disclosure
  • LLM06 - Sensitive Information Disclosure
  • LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-25211?

Llama Stack exposed pgvector database credentials in plaintext initialization logs, affecting any deployment using pgvector as a vector store backend. Patch to llama-stack >= 0.4.4 immediately and rotate all pgvector passwords — assume any credentials logged prior to patching are compromised. Audit log access controls: if logs reached a SIEM, cloud log aggregator, or shared storage, treat the pgvector database as fully exposed.

Is CVE-2026-25211 actively exploited?

No confirmed active exploitation of CVE-2026-25211 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25211?

  1. PATCH: Upgrade llama-stack to >= 0.4.4 immediately.
  2. ROTATE: Change pgvector passwords on all affected instances regardless of perceived log exposure.
  3. AUDIT LOGS: Search existing log archives for 'pgvector', 'password', 'postgres://', or similar connection string patterns — check SIEM, CloudWatch, Elastic, Splunk.
  4. RESTRICT: Apply least-privilege access to application logs; logs containing initialization output should not be readable by application users or broad ops teams.
  5. DETECT: Add a log monitoring rule for pgvector/PostgreSQL connection strings appearing in application logs.
  6. VERIFY: Confirm no unauthorized connections to the pgvector database in the period between initial deployment and patching by reviewing PostgreSQL pg_stat_activity history or audit logs.

What systems are affected by CVE-2026-25211?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, vector databases, LLM application frameworks, AI agent frameworks.

What is the CVSS score for CVE-2026-25211?

CVE-2026-25211 has a CVSS v3.1 base score of 3.2 (LOW). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, vector databases, LLM application frameworks, AI agent frameworks

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0055 Unsecured Credentials
AML.T0070 RAG Poisoning
AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2, A.9.4
NIST AI RMF: GOVERN 1.6, MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM06, LLM08

What are the technical details?

Original Advisory

Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.

Exploitation Scenario

An attacker with read access to Llama Stack application logs — via a compromised CI/CD pipeline, misconfigured S3 bucket storing logs, over-permissioned CloudWatch log group, or insider access — extracts the pgvector connection string from the initialization log entry. The credential is valid for direct TCP access to the PostgreSQL/pgvector instance. The attacker connects directly to the vector database, bypassing Llama Stack entirely, and issues SQL queries against the vector tables to exfiltrate the entire embedding store and associated metadata (document chunks, source references, user query data if stored). In a second-stage attack, the attacker inserts crafted embeddings that poison RAG retrieval, causing the LLM to return attacker-controlled content to end users without any visible indicators of compromise.

Weaknesses (CWE)

CWE-532 — Insertion of Sensitive Information into Log File: The product writes sensitive information to a log file.

  • [Architecture and Design, Implementation] Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
  • [Distribution] Remove debug log files before deploying the application into production.

Source: MITRE CWE corpus.
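The AUDIT LOGS / DETECT steps from the remediation list and the CWE-532 mitigation ("do not write secrets into the log files"), as an added Python example that is not llama-stack's own code: the sample log lines, the logger name and the connection-string patterns are constructed here, since the advisory does not show the actual log format. `find_credential_leaks` runs the search for PostgreSQL passwords over log lines, and `DsnRedactingFilter` is the fix-side control that masks the password before a record reaches any handler.

```python
import io
import logging
import re

# Constructed sample lines, not real llama-stack output: the advisory only says the
# pgvector password appeared in the initialization log, not in which exact format.
SAMPLE_LOG = [
    "INFO  llama_stack.core: starting providers",
    "INFO  vector_io.pgvector: connecting to postgres://llama:s3cr3t@db.internal:5432/vectors",
    "DEBUG vector_io.pgvector: config host=db.internal port=5432 dbname=vectors password=s3cr3t",
    "INFO  vector_io.pgvector: table llama_vectors ready",
]

# libpq URI form  postgres://user:PASSWORD@host/db  (group 1 ends at the ':' before the password)
_URI_PASSWORD = re.compile(r"(\bpostgres(?:ql)?://[^:/@\s]*:)[^@\s]*(@)")
# key=value form  host=... password=PASSWORD ...  (also catches ?password=... in a URI query)
_KV_PASSWORD = re.compile(r"(\bpassword=)[^\s&\"';]+", re.IGNORECASE)


def redact_dsn(text: str) -> str:
    """Mask the password in any PostgreSQL connection string inside text; other text is untouched."""
    text = _URI_PASSWORD.sub(r"\1***\2", text)
    return _KV_PASSWORD.sub(r"\1***", text)


def find_credential_leaks(lines):
    """Audit/detect step: (line_no, redacted_line) for each line carrying a PostgreSQL password."""
    return [(n, redact_dsn(line)) for n, line in enumerate(lines, 1)
            if _URI_PASSWORD.search(line) or _KV_PASSWORD.search(line)]


class DsnRedactingFilter(logging.Filter):
    """CWE-532 control: mask DSN passwords before any handler (file, SIEM shipper) sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_dsn(record.getMessage())  # render %-args first, then redact the result
        record.args = ()
        return True


def log_pgvector_init(dsn: str) -> str:
    """Emit one initialization line through the filter and return what the handler wrote."""
    logger = logging.getLogger("pgvector.init.example")  # constructed name, not llama-stack's
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()  # keep repeated calls from stacking handlers
    buf = io.StringIO()  # stands in for a log file or SIEM shipper
    handler = logging.StreamHandler(buf)
    handler.addFilter(DsnRedactingFilter())
    logger.addHandler(handler)
    logger.info("connecting to %s", dsn)
    return buf.getvalue().rstrip("\n")
```

The filter only protects the handlers it is attached to; a record that reaches a handler without it is written unredacted, so install it on every handler (or on each handler of the root logger) rather than on one named logger.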

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Timeline

Published
January 30, 2026
Last Modified
January 30, 2026
First Seen
March 24, 2026
