Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-45400 | open-webui: SSRF bypass via URL parser mismatch | open-webui | 8.5 |
| HIGH | CVE-2026-45398 | open-webui: IDOR exposes private RAG knowledge bases | open-webui | 7.5 |
| MEDIUM | CVE-2026-45397 | Open WebUI: unauthenticated RAG config leaks AI pipeline | open-webui | 5.3 |
| MEDIUM | CVE-2026-45351 | Open WebUI: admin system prompts exposed to all users | open-webui | 6.5 |
| HIGH | CVE-2026-45349 | open-webui: auth bypass exposes all user chat histories | open-webui | 7.1 |
| MEDIUM | CVE-2026-45347 | Open WebUI: blind SSRF via PDF export HTML injection | open-webui | 4.3 |
| HIGH | CVE-2026-45338 | open-webui: SSRF via OAuth picture claim leaks internal data | open-webui | 7.7 |
| HIGH | CVE-2026-45331 | open-webui: SSRF bypass exposes cloud IAM credentials | open-webui | 8.5 |
| MEDIUM | CVE-2026-45318 | open-webui: Stored XSS via Office file preview bypass | open-webui | 5.4 |
| HIGH | CVE-2026-45314 | Open WebUI: Stored XSS via webhook SVG profile image | open-webui | - |
| HIGH | CVE-2026-45315 | open-webui: stored XSS → JWT theft and admin takeover | open-webui | 8.7 |
| HIGH | CVE-2026-45303 | Open WebUI: XSS iframe allows auth token exfiltration | open-webui | 7.7 |
| HIGH | CVE-2026-45301 | open-webui: BOLA exposes all users' uploaded files | open-webui | 8.1 |
| CRITICAL | CVE-2026-45311 | deepseek-tui: prompt injection enables zero-approval RCE | deepseek-tui | 9.6 |
| HIGH | CVE-2026-45310 | deepseek-tui: SSRF bypass leaks cloud IAM credentials | deepseek-tui | 7.4 |
| HIGH | CVE-2026-45665 | open-webui: Stored XSS enables Super Admin session hijack | open-webui | 8.1 |
| HIGH | CVE-2026-2652 | MLflow: auth bypass exposes Job API and trace injection | mlflow | 8.6 |
| HIGH | CVE-2026-45539 | Microsoft APM: symlink attack leaks host files in agent deps | apm | 7.4 |
| HIGH | CVE-2026-45548 | @budibase/server: SSRF in AI Extract bypasses IP blacklist | @budibase/server | 7.7 |
| HIGH | CVE-2026-8756 | Bert-VITS2: path traversal exposes ML training filesystem | 7.3 |