Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-69x8-hrgq-fjj8 | LiteLLM: auth bypass chain enables full privilege escalation | litellm | - |
| MEDIUM | CVE-2026-39411 | LobeChat: auth bypass via forged XOR obfuscated header | @lobehub/lobehub | 5.0 |
| MEDIUM | GHSA-766v-q9x3-g744 | praisonaiagents: agent context leak + path traversal | praisonaiagents | 6.5 |
| HIGH | CVE-2026-39891 | praisonai: SSTI enables RCE via agent instructions | praisonai | 8.8 |
| HIGH | CVE-2026-39889 | PraisonAI: unauth A2U stream leaks all agent activity | praisonai | 7.5 |
| HIGH | GHSA-4ggg-h7ph-26qr | n8n-mcp: authenticated SSRF leaks cloud metadata | n8n-mcp | 8.5 |
| MEDIUM | CVE-2026-5803 | openai-realtime-ui: SSRF in API proxy endpoint | 6.3 | |
| MEDIUM | GHSA-926x-3r5x-gfhw | LangChain: f-string template injection exposes object internals | langchain-core | 5.3 |
| MEDIUM | CVE-2026-1163 | lollms: sessions persist after password reset | lollms | 4.1 |
| HIGH | CVE-2026-39974 | n8n-MCP: SSRF exposes cloud metadata via MCP headers | 8.5 | |
| HIGH | GHSA-qx8j-g322-qj6m | OpenClaw: unsafe body replay on cross-origin redirect | openclaw | - |
| MEDIUM | GHSA-w8g9-x8gx-crmm | OpenClaw: SSRF bypass via Playwright redirect handling | openclaw | - |
| MEDIUM | GHSA-vr5g-mmx7-h897 | OpenClaw: SSRF bypass via interaction-triggered navigation | openclaw | - |
| LOW | GHSA-5fc7-f62m-8983 | OpenClaw: local file read bypasses workspace policy | openclaw | - |
| MEDIUM | GHSA-3fv3-6p2v-gxwj | openclaw: SSRF bypass in QQ Bot media fetch paths | openclaw | - |
| MEDIUM | GHSA-qqq7-4hxc-x63c | openclaw: local file exfiltration via trusted MEDIA refs | openclaw | - |
| MEDIUM | CVE-2026-40087 | LangChain: template injection leaks object attributes | langchain-core | 5.3 |
| LOW | GHSA-cm8v-2vh9-cxf3 | openclaw: git env var injection enables host redirect | openclaw | - |
| MEDIUM | CVE-2026-40112 | PraisonAI: XSS via no-op HTML sanitizer in agent output | praisonai | 5.4 |
| MEDIUM | CVE-2026-40117 | PraisonAI: arbitrary file read via unguarded skill tool | praisonaiagents | 6.2 |