Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-892r-p3jq-jp24 | PraisonAI AgentOS: unauth remote agent invocation (CVSS 9.8) | praisonai | 9.8 |
| HIGH | GHSA-rjvw-7vvw-549v | PraisonAI: DNS rebinding bypasses webhook SSRF guard | praisonai | 7.2 |
| CRITICAL | GHSA-fq2m-6wqh-x44g | praisonai: unauthenticated Jobs API enables remote agent RCE | praisonai | 9.8 |
| HIGH | GHSA-2rcg-mm5h-xchx | praisonaiagents: @file: path traversal reads arbitrary files | praisonaiagents | 7.5 |
| HIGH | GHSA-vxgj-xg5c-p4h7 | praisonaiagents: SSRF DNS bypass exposes internal services | praisonaiagents | 8.5 |
| HIGH | GHSA-p4pj-vh7h-6cqh | praisonai: unauthenticated path traversal leaks server files | praisonai | 7.5 |
| MEDIUM | GHSA-pv2j-rghr-v5r9 | praisonaiagents: sandbox escape via format-spec read | praisonaiagents | 6.5 |
| MEDIUM | GHSA-6h9p-93hq-q7h6 | praisonaiagents: SSRF bypass via SpiderTools redirect | praisonaiagents | 6.5 |
| HIGH | GHSA-w6h2-fr4q-xvxv | PraisonAI: file tool shell injection enables RCE | praisonai | 8.8 |
| HIGH | GHSA-j7qx-p75m-wp7g | PraisonAI: path traversal exposes arbitrary host files | praisonai | 7.5 |
| HIGH | GHSA-qvpf-j64c-jmhr | PraisonAI: auth bypass via Slack app_mention handler | praisonai | 8.3 |
| HIGH | GHSA-vmf9-xx9w-86wx | PraisonAI: DNS rebinding exposes MCP agent tools | praisonai | 8.3 |
| HIGH | GHSA-22cj-m4wf-fv2c | PraisonAI: path traversal in agent tools exposes credentials | praisonai | 7.5 |
| HIGH | GHSA-5jv7-2mjm-h6qj | praisonai: shell allowlist bypass enables OS command injection | praisonai | 8.8 |
| CRITICAL | GHSA-j4f3-55x4-r6q2 | praisonai: MCP HTTP server unauthenticated tool invocation | praisonai | 9.8 |
| CRITICAL | GHSA-9752-mhqh-h34f | praisonai npm: AgentOS missing auth enables agent abuse | praisonai | 9.4 |
| CRITICAL | GHSA-p69m-4f92-2v84 | praisonai: sandbox escape in codeMode → full host RCE | praisonai | 9.8 |
| HIGH | GHSA-gqmf-56h7-rrpf | praisonai: network-isolated sandbox bypass exposes host network | praisonai | 7.6 |
| HIGH | CVE-2026-54002 | Kirby CMS: stored XSS bypasses DOM sanitizer via unwrap flaw | getkirby/cms | - |
| MEDIUM | CVE-2026-22551 | @theia/ai-chat: prompt injection exfiltrates workspace secrets | @theia/ai-ide | - |