Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2026-42229 | n8n: SQL injection in SeaTable node leaks restricted rows | n8n | - |
| UNKNOWN | CVE-2026-42233 | n8n: SQL injection in Oracle node allows data exfiltration | n8n | - |
| UNKNOWN | CVE-2026-42237 | n8n: SQL injection in Snowflake/MySQL nodes bypasses fix | n8n | - |
| HIGH | CVE-2026-40171 | Jupyter Notebook: stored XSS enables full account takeover | @jupyterlab/help-extension | - |
| HIGH | CVE-2026-42449 | n8n-mcp: SSRF bypass via IPv6 leaks API keys | n8n-mcp | 8.5 |
| MEDIUM | CVE-2026-3340 | IBM Langflow: SSRF enables internal network enumeration | langflow | 6.5 |
| MEDIUM | CVE-2026-3346 | Langflow Desktop: stored XSS enables credential theft | langflow | 6.4 |
| HIGH | CVE-2026-4503 | Langflow Desktop: IDOR leaks user images unauthenticated | langflow | 7.5 |
| MEDIUM | CVE-2026-3345 | Langflow: path traversal allows arbitrary file read | langflow | 6.5 |
| HIGH | CVE-2026-6542 | Langflow: IDOR exposes cross-tenant flow data and deletion | langflow | 8.1 |
| HIGH | CVE-2026-6543 | Langflow: RCE exposes API keys and DB credentials | langflow | 8.8 |
| MEDIUM | CVE-2026-7687 | Langflow: command injection in code parser enables RCE | langflow | 6.3 |
| MEDIUM | CVE-2026-7700 | Langflow: eval() code injection → remote code execution | langflow | 6.3 |
| CRITICAL | CVE-2026-7482 | Ollama: heap OOB read leaks API keys and chat data | ollama | 9.1 |
| MEDIUM | GHSA-5h3g-6xhh-rg6p | openclaw: TOCTOU race allows out-of-sandbox file read | openclaw | - |
| MEDIUM | GHSA-55cf-xx38-4p9p | OpenClaw: .env injection redirects connector endpoints | openclaw | - |
| MEDIUM | GHSA-2hh7-c75g-qj2r | openclaw: SSRF bypass via Zalo plugin photo URLs | openclaw | - |
| MEDIUM | CVE-2026-7844 | Langchain-Chatchat: auth bypass on file service endpoints | 6.3 | |
| LOW | CVE-2026-7847 | Langchain-Chatchat: predictable file IDs leak uploaded files | langchain-chatchat | 2.6 |
| MEDIUM | CVE-2026-40934 | jupyter-server: auth cookie survives password reset | jupyter-server | 6.8 |