Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-47414 | praisonai-platform: IDOR cross-workspace label tampering | praisonai-platform | 7.6 |
| HIGH | CVE-2026-47406 | praisonai-platform: IDOR enables cross-workspace data poisoning | praisonai-platform | 8.1 |
| CRITICAL | CVE-2026-47410 | praisonai-platform: hardcoded JWT → full account takeover | praisonai-platform | 9.8 |
| HIGH | CVE-2026-47399 | praisonai-platform: IDOR breaks workspace tenant isolation | praisonai-platform | 8.8 |
| CRITICAL | CVE-2026-47407 | praisonai-platform: IDOR enables cross-tenant agent hijack | praisonai-platform | - |
| MEDIUM | CVE-2026-47408 | praisonai-platform: IDOR exposes cross-tenant activity logs | praisonai-platform | 6.5 |
| HIGH | CVE-2026-48169 | praisonai-platform: IDOR allows full workspace takeover | praisonai-platform | 8.8 |
| HIGH | CVE-2026-47394 | PraisonAI: MCP path traversal exfiltrates host credentials | PraisonAI | - |
| MEDIUM | CVE-2026-47395 | PraisonAI: SSRF via @url mention exposes localhost services | PraisonAI | 5.5 |
| CRITICAL | CVE-2026-47396 | PraisonAI: fail-open auth exposes remote agent control API | PraisonAI | 9.8 |
| MEDIUM | CVE-2026-47390 | PraisonAI: SSRF bypass via loopback alias encodings | PraisonAI | 5.5 |
| HIGH | CVE-2026-47415 | praisonai-platform: IDOR exposes cross-workspace tenant data | praisonai-platform | 8.3 |
| CRITICAL | CVE-2026-47413 | praisonai-platform: member can escalate to workspace owner | praisonai-platform | 9.6 |
| MEDIUM | CVE-2026-47411 | PraisonAI: auth bypass allows workspace settings injection | praisonai-platform | 6.5 |
| HIGH | CVE-2026-47417 | praisonai-platform: IDOR enables cross-tenant comment exfil | praisonai-platform | 8.1 |
| HIGH | CVE-2026-47418 | praisonai-platform: IDOR exposes cross-workspace projects | praisonai-platform | 8.1 |
| CRITICAL | CVE-2026-9319 | IBM WebSphere: RCE via JAX-WS deserialization (CVSS 9.0) | 9.0 | |
| MEDIUM | CVE-2026-3198 | MLflow: auth bypass exposes gateway secrets and keys | mlflow | 6.5 |
| HIGH | CVE-2026-5422 | jupyter-server: path traversal exposes sibling dir files | jupyter | 8.1 |
| HIGH | CVE-2026-31942 | LibreChat: IDOR enables cross-user API key hijacking | 7.1 |