Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-40150 | PraisonAIAgents: SSRF exposes cloud metadata via web_crawl | praisonaiagents | 7.7 |
| HIGH | CVE-2026-40217 | LiteLLM: RCE via bytecode rewriting in guardrails API | litellm | 8.8 |
| CRITICAL | GHSA-8x8f-54wf-vv92 | PraisonAI: auth bypass enables browser session hijack | PraisonAI | 9.1 |
| MEDIUM | GHSA-x783-xp3g-mqhp | PraisonAI: SQL injection via table_prefix exposes DB | PraisonAI | - |
| HIGH | CVE-2026-40114 | PraisonAI: unauthenticated SSRF via unvalidated webhook_url | PraisonAI | 7.2 |
| MEDIUM | GHSA-ffp3-3562-8cv3 | PraisonAI: tool approval bypass leaks env credentials | praisonaiagents | 5.5 |
| HIGH | CVE-2026-40160 | praisonaiagents: SSRF in web_crawl exposes cloud metadata | praisonaiagents | - |
| HIGH | GHSA-x462-jjpc-q4q4 | praisonaiagents: CORS bypass enables silent agent RCE | praisonaiagents | 8.1 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| HIGH | CVE-2026-40158 | PraisonAI: AST sandbox bypass enables host RCE | PraisonAI | 8.6 |
| MEDIUM | CVE-2026-40152 | praisonaiagents: glob traversal leaks filesystem metadata | praisonaiagents | 5.3 |
| HIGH | CVE-2026-40153 | praisonaiagents: env var expansion exposes production secrets | praisonaiagents | 7.4 |
| MEDIUM | CVE-2026-40151 | PraisonAI: unauthenticated agent config and system prompt disclosure | PraisonAI | 5.3 |
| MEDIUM | CVE-2026-35657 | openclaw: auth bypass exposes agent session history via HTTP | openclaw | 6.5 |
| CRITICAL | CVE-2026-1115 | lollms: Stored XSS enables wormable account takeover | lollms | 9.6 |
| MEDIUM | CVE-2026-40086 | rembg: path traversal exposes arbitrary files via HTTP API | rembg | 5.3 |
| MEDIUM | CVE-2026-6011 | OpenClaw: SSRF via web-fetch enables internal network pivot | openclaw | 5.6 |
| MEDIUM | CVE-2026-35646 | openclaw: webhook rate-limit bypass enables token brute-force | openclaw | 4.8 |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | openclaw | 7.4 |
| HIGH | GHSA-p4h8-56qp-hpgv | mcp-ssh: argument injection enables LLM-driven local RCE | - |