Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-44899 | mistune: CSS injection enables phishing UI overlay | mistune | 4.7 |
| MEDIUM | CVE-2026-44898 | mistune: XSS in TOC render via unescaped heading ID | mistune | 6.1 |
| HIGH | GHSA-wxrr-jp8m-qq7f | Flowise: mass assignment enables cross-workspace IDOR | flowise | - |
| HIGH | GHSA-mq53-pc65-wjc4 | Flowise: mass assignment breaks workspace isolation | flowise | - |
| HIGH | GHSA-7j65-65cr-6644 | Flowise: mass assignment breaks cross-workspace isolation | flowise | - |
| HIGH | GHSA-5h9v-837x-m97r | Flowise: mass assignment enables cross-workspace data takeover | flowise | - |
| HIGH | GHSA-728h-4mwj-f2p4 | Flowise: mass assignment breaks cross-workspace isolation | flowise | - |
| HIGH | GHSA-78pr-c5x5-jggc | Flowise: IDOR via mass assignment breaks tenant isolation | flowise | - |
| HIGH | GHSA-hmg2-jjjx-jcp2 | Flowise: missing authz on vector store CRUD endpoints | flowise | - |
| HIGH | CVE-2026-45732 | n8n: OAuth token hijack via credential permission bypass | n8n | 8.1 |
| CRITICAL | CVE-2026-44792 | n8n: SQL injection via poisoned Source Control git repo | n8n | 9.0 |
| CRITICAL | CVE-2026-44791 | n8n: XML node patch bypass enables host RCE | n8n | 9.9 |
| HIGH | CVE-2026-44790 | n8n: Git node arg injection enables full server compromise | n8n | 8.8 |
| HIGH | CVE-2026-45370 | utcp-cli: env leak exfiltrates all agent process secrets | utcp-cli | 7.7 |
| HIGH | CVE-2026-45675 | Open WebUI: TOCTOU race grants admin on first OAuth/LDAP | open-webui | 8.1 |
| HIGH | CVE-2026-45671 | Open WebUI: auth bypass enables mass file deletion | open-webui | 8.0 |
| MEDIUM | CVE-2026-45666 | open-webui: IDOR exposes cross-user note data | open-webui | 6.5 |
| HIGH | CVE-2026-45402 | open-webui: auth bypass exposes any user's private files via RAG | open-webui | 8.1 |
| HIGH | GHSA-3wgj-c2hg-vm6q | open-webui: XSS via OAuth SVG picture → account takeover | open-webui | 7.3 |
| HIGH | CVE-2026-45401 | open-webui: SSRF redirect bypass exposes internal services | open-webui | 8.5 |