Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-52812 | Gogs LFS: cross-tenant object disclosure via dedupe bypass | gogs.io/gogs | - |
| MEDIUM | GHSA-7cqp-7cfv-6c3q | AVideo Meet: Stored XSS via User-Agent → admin takeover | wwbn/avideo | - |
| HIGH | CVE-2026-7574 | Claude Desktop: VM integrity bypass enables RCE | Claude Desktop Cowork | 8.7 |
| MEDIUM | CVE-2025-71332 | Flowise: SQL injection exposes AI credential store | Flowise | 6.5 |
| MEDIUM | CVE-2026-56272 | Flowise: weak bcrypt enables 30x faster password cracking | Flowise | 4.1 |
| MEDIUM | CVE-2026-56269 | Flowise: hardcoded JWT secret leaks user/workspace IDs | Flowise | 4.6 |
| HIGH | CVE-2026-56270 | Flowise: auth bypass exposes OAuth secrets in cleartext | Flowise | 7.5 |
| HIGH | CVE-2026-56351 | n8n: SQL injection in DB nodes via identifier values | n8n | 8.2 |
| MEDIUM | CVE-2026-56358 | n8n: stored XSS in Form Trigger enables form hijacking | n8n | 5.4 |
| UNKNOWN | CVE-2026-50709 | Frappe Framework: Stored XSS in Notifications Events panel | - | |
| CRITICAL | CVE-2026-54158 | SiYuan: XSS→RCE via workspace sync in Electron app | github.com/siyuan-note/siyuan/kernel | 9.9 |
| MEDIUM | CVE-2026-54033 | LibreChat: SSRF via custom API baseURL exposes internal network | 6.5 | |
| UNKNOWN | CVE-2026-4930 | SiXG301 SYMCRYPTO: DPA bypass weakens hardware crypto keys | - | |
| CRITICAL | CVE-2025-71327 | Flowise: auth bypass grants full API access | Flowise | 9.1 |
| HIGH | CVE-2025-71324 | Flowise: path traversal leaks database unauthenticated | Flowise | 7.5 |
| HIGH | CVE-2025-71328 | Flowise: unverified password change enables account takeover | Flowise | 8.3 |
| CRITICAL | CVE-2025-71334 | Flowise: path traversal → RCE via missing UUID validation | Flowise | 9.8 |
| HIGH | CVE-2026-23536 | Feast: unauth path traversal leaks any file | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | 7.5 |
| HIGH | CVE-2026-10564 | Langflow: SSRF via RSS/SearXNG exposes cloud IAM creds | langflow | 8.2 |
| CRITICAL | CVE-2026-50027 | mcp-memory-service: auth bypass on document API | mcp-memory-service | 9.8 |