Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-40110 | Jupyter Server: CORS bypass via regex anchor omission | jupyter-server | 7.1 |
| HIGH | CVE-2026-35397 | Jupyter Server: path traversal leaks sibling directories | jupyter-server | 7.1 |
| HIGH | CVE-2026-44335 | praisonaiagents: SSRF via URL parser confusion bypass | praisonaiagents | - |
| HIGH | CVE-2026-44504 | Aegra: cross-tenant IDOR hijacks user thread data | aegra-api | - |
| MEDIUM | CVE-2026-40610 | BentoML: symlink traversal exfiltrates host secrets at build | bentoml | 5.5 |
| HIGH | CVE-2026-42203 | LiteLLM: SSTI in prompt template endpoint enables RCE | litellm | 8.8 |
| CRITICAL | CVE-2026-42208 | LiteLLM: SQL injection exposes LLM API credentials | litellm | 9.8 |
| MEDIUM | CVE-2026-44563 | open-webui: auth bypass exposes restricted LLM models | open-webui | 5.4 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | open-webui | 6.5 |
| MEDIUM | CVE-2026-44559 | open-webui: private channel member list exposed to any user | open-webui | 4.3 |
| MEDIUM | CVE-2026-44557 | open-webui: auth bypass exposes all knowledge base metadata | open-webui | 4.3 |
| HIGH | CVE-2026-44556 | open-webui: auth bypass allows unrestricted model access | open-webui | 7.1 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| HIGH | CVE-2026-44553 | open-webui: stale Socket.IO role allows cross-user note R/W | open-webui | 8.1 |
| CRITICAL | CVE-2026-44551 | open-webui: LDAP auth bypass — full account takeover | open-webui | 9.1 |
| HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | open-webui | 7.3 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| UNKNOWN | CVE-2026-44694 | n8n-MCP: SSRF allows internal network access via webhook tools | n8n-mcp | - |
| MEDIUM | CVE-2026-44708 | mistune: math plugin XSS bypasses escape=True control | mistune | 6.1 |
| HIGH | CVE-2026-44567 | Open WebUI: auth bypass gives pending users full LLM access | open-webui | 7.3 |