Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-5fw2-mwhh-9947 | Flowise: unauth TTS endpoint exposes stored AI API keys | flowise | - |
| HIGH | GHSA-w47f-j8rh-wx87 | Flowise: credential exposure via public chatflow API | flowise | - |
| HIGH | GHSA-3prp-9gf7-4rxx | Flowise: Mass assignment enables cross-tenant store takeover | flowise | - |
| MEDIUM | GHSA-92jp-89mq-4374 | openclaw: auth bypass exposes sandbox browser session | openclaw | - |
| LOW | CVE-2026-6597 | langflow: Plaintext credential storage via Flow API | langflow | 2.7 |
| MEDIUM | CVE-2026-6598 | Langflow: cleartext auth storage exposes API keys | langflow | 4.3 |
| LOW | CVE-2026-6600 | Langflow: stored XSS in chat message editor | langflow | 3.5 |
| MEDIUM | CVE-2026-39378 | nbconvert: path traversal exfiltrates files via HTML export | nbconvert | 6.5 |
| HIGH | GHSA-2r2p-4cgf-hv7h | engramx: CSRF injects persistent prompts into AI agents | - | |
| HIGH | CVE-2026-41279 | Flowise: unauth API key abuse via TTS endpoint IDOR | flowise | 7.5 |
| HIGH | CVE-2026-41137 | Flowise: RCE via CSVAgent unsanitized code injection | flowise | 8.8 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | flowise | 7.5 |
| CRITICAL | CVE-2026-41267 | Flowise: mass assignment auth bypass in registration | flowise | 9.8 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| HIGH | CVE-2026-41271 | Flowise: SSRF via prompt template injection in API Chain | flowise | 8.3 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | flowise | 7.1 |
| HIGH | CVE-2026-41273 | Flowise: auth bypass exposes OAuth 2.0 tokens | flowise | 8.2 |
| HIGH | CVE-2026-41275 | Flowise: HTTP password reset link allows MITM takeover | flowise | 7.5 |
| CRITICAL | CVE-2026-41276 | Flowise: auth bypass enables full account takeover via reset | flowise | 9.8 |