CVE-2026-25211: llama-stack: security flaw enables exploitation

GHSA-xmfj-7pp5-fxr6 (LOW)
Published January 30, 2026

CISO Take

Llama Stack exposed pgvector database credentials in plaintext initialization logs, affecting any deployment using pgvector as a vector store backend. Patch to llama-stack >= 0.4.4 immediately and rotate all pgvector passwords — assume any credentials logged prior to patching are compromised. Audit log access controls: if logs reached a SIEM, cloud log aggregator, or shared storage, treat the pgvector database as fully exposed.

Risk Assessment

Inherent CVSS is low (3.2) with local attack vector and high complexity, but the practical risk is elevated in typical enterprise AI deployments where logs are centralized in Splunk, Elastic, or cloud log services accessible to a broader audience than the application host. The scope change (S:C) in the vector indicates the credential exposure crosses into the pgvector database security boundary. EPSS near zero reflects no current weaponization, but credential-in-log vulnerabilities are trivial to exploit once an attacker gains any log read access — which is a common misconfiguration in AI dev environments.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
llama-stack | pip | < 0.4.4 | 0.4.4

Severity & Risk

CVSS 3.1: 3.2 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 0% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

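Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): None
Availability (A): None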

Recommended Action

1. PATCH: Upgrade llama-stack to >= 0.4.4 immediately.
2. ROTATE: Change pgvector passwords on all affected instances regardless of perceived log exposure.
3. AUDIT LOGS: Search existing log archives for 'pgvector', 'password', 'postgres://', or similar connection string patterns; check SIEM, CloudWatch, Elastic, Splunk.
4. RESTRICT: Apply least-privilege access to application logs; logs containing initialization output should not be readable by application users or broad ops teams.
5. DETECT: Add a log monitoring rule for pgvector/PostgreSQL connection strings appearing in application logs.
6. VERIFY: Confirm no unauthorized connections to the pgvector database in the period between initial deployment and patching by reviewing PostgreSQL pg_stat_activity history or audit logs.
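
An added example for the AUDIT LOGS and DETECT steps (not llama-stack or vendor code): it flags PostgreSQL connection URIs and password key/value pairs in log lines, skips values that are already masked, and reports each hit with the secret replaced so the audit output does not copy the credential again. The sample lines are constructed and do not reproduce llama-stack's real log format; the pattern set is an assumption to tune per environment.

```python
import re

# postgres://user:SECRET@host, also postgresql:// and postgresql+driver://
URI_RE = re.compile(r"(postgres(?:ql)?(?:\+\w+)?://[^:/@\s]+:)([^@\s]+)(?=@)", re.I)
# password=SECRET, 'password': 'SECRET', "password": "SECRET"
KV_RE = re.compile(
    r"""((?:password|passwd|pwd)["']?\s*[=:]\s*["']?)([^"'\s,;})]+)""", re.I)
PLACEHOLDERS = {"none", "null", "<redacted>", "[redacted]"}

def _is_masked(value):
    """True for values that are already censored (****, None, <redacted>)."""
    return value.strip("*") == "" or value.lower() in PLACEHOLDERS

def redact(line):
    """Return (line with secrets masked, list of secret forms found)."""
    kinds = []
    def masker(kind):
        def repl(m):
            if _is_masked(m.group(2)):
                return m.group(0)          # leave censored values untouched
            kinds.append(kind)
            return m.group(1) + "<redacted>"
        return repl
    line = URI_RE.sub(masker("uri"), line)
    line = KV_RE.sub(masker("kv"), line)
    return line, kinds

def scan(lines):
    """Audit log lines: return [(line_number, kinds, masked_line)] per hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        masked, kinds = redact(line.rstrip("\n"))
        if kinds:
            findings.append((number, kinds, masked))
    return findings

# Constructed sample lines; NOT the real llama-stack log format.
SAMPLE = [
    "INFO vector_io: pgvector config host='db.example.internal' user='rag' password='S3cr3t!pg'",
    "INFO connecting to postgresql://rag:hunter2@db.example.internal:5432/vectors",
    "INFO vector_io: pgvector config {'host': 'db.example.internal', 'password': '********'}",
    "INFO connecting to postgresql://db.example.internal:5432/vectors",
]

if __name__ == "__main__":
    for number, kinds, masked in scan(SAMPLE):
        print(f"line {number}: {','.join(kinds)}: {masked}")
```

The same `redact` function can be applied to archived logs before they are shared for review, so the audit itself does not widen the exposure.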

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.6.1.2 - Information Security in AI System Lifecycle
  A.9.4 - Logging and monitoring of AI systems
NIST AI RMF
  GOVERN 1.6 - Policies and practices address AI risks across the lifecycle
  MANAGE 2.2 - Mechanisms are in place to deal with AI risk and to recover from incidents
  MANAGE-2.2 - Risk Response: Treatment of Identified AI Risks
OWASP LLM Top 10
  LLM02 - Sensitive Information Disclosure
  LLM06 - Sensitive Information Disclosure
  LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-25211?

Llama Stack exposed pgvector database credentials in plaintext initialization logs, affecting any deployment using pgvector as a vector store backend. Patch to llama-stack >= 0.4.4 immediately and rotate all pgvector passwords — assume any credentials logged prior to patching are compromised. Audit log access controls: if logs reached a SIEM, cloud log aggregator, or shared storage, treat the pgvector database as fully exposed.

Is CVE-2026-25211 actively exploited?

No confirmed active exploitation of CVE-2026-25211 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25211?

1. PATCH: Upgrade llama-stack to >= 0.4.4 immediately.
2. ROTATE: Change pgvector passwords on all affected instances regardless of perceived log exposure.
3. AUDIT LOGS: Search existing log archives for 'pgvector', 'password', 'postgres://', or similar connection string patterns; check SIEM, CloudWatch, Elastic, Splunk.
4. RESTRICT: Apply least-privilege access to application logs; logs containing initialization output should not be readable by application users or broad ops teams.
5. DETECT: Add a log monitoring rule for pgvector/PostgreSQL connection strings appearing in application logs.
6. VERIFY: Confirm no unauthorized connections to the pgvector database in the period between initial deployment and patching by reviewing PostgreSQL pg_stat_activity history or audit logs.

What systems are affected by CVE-2026-25211?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, vector databases, LLM application frameworks, AI agent frameworks.

What is the CVSS score for CVE-2026-25211?

CVE-2026-25211 has a CVSS v3.1 base score of 3.2 (LOW). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.

Exploitation Scenario

An attacker with read access to Llama Stack application logs — via a compromised CI/CD pipeline, misconfigured S3 bucket storing logs, over-permissioned CloudWatch log group, or insider access — extracts the pgvector connection string from the initialization log entry. The credential is valid for direct TCP access to the PostgreSQL/pgvector instance. The attacker connects directly to the vector database, bypassing Llama Stack entirely, and issues SQL queries against the vector tables to exfiltrate the entire embedding store and associated metadata (document chunks, source references, user query data if stored). In a second-stage attack, the attacker inserts crafted embeddings that poison RAG retrieval, causing the LLM to return attacker-controlled content to end users without any visible indicators of compromise.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Timeline

Published: January 30, 2026
Last Modified: January 30, 2026
First Seen: March 24, 2026
