Data Leakage
Data leakage in AI systems happens at three layers. At training time, models can memorise rare strings from their corpus — phone numbers, passwords, API keys committed to public code — and an attacker who knows the right context can prompt the model to regurgitate them. At inference time, applications often pass sensitive context to third-party APIs (OpenAI, Anthropic, Bedrock) without redaction; this content is then potentially logged, retained, or used to improve future models depending on the vendor's terms. At the application layer, multi-tenant deployments routinely leak across users when caching, logging, or vector-store indexing is misconfigured. Indirect prompt injection compounds all three by giving an attacker a way to ask the model to repeat what it should not. Defenses: PII redaction in prompts and outputs, differential privacy in training, vendor data-use review, and strict tenant boundaries in shared infrastructure.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-47399 | praisonai-platform: IDOR breaks workspace tenant isolation | praisonai-platform | 8.8 |
| CRITICAL | CVE-2026-47407 | praisonai-platform: IDOR enables cross-tenant agent hijack | praisonai-platform | - |
| HIGH | CVE-2026-47394 | PraisonAI: MCP path traversal exfiltrates host credentials | PraisonAI | - |
| MEDIUM | CVE-2026-47395 | PraisonAI: SSRF via @url mention exposes localhost services | PraisonAI | 5.5 |
| CRITICAL | CVE-2026-47393 | PraisonAI: auth bypass in deployed API exposes LLM + tools | PraisonAI | 9.8 |
| MEDIUM | CVE-2026-43625 | CodexBar: session cookie leak via HTTP redirect | 5.9 | |
| MEDIUM | CVE-2026-28511 | eLabFTW: IDOR exposes restricted resource titles | 4.3 | |
| HIGH | CVE-2026-47419 | praisonai-platform: IDOR enables cross-workspace agent read/write/delete | praisonai-platform | 8.3 |
| MEDIUM | CVE-2026-46443 | Flowise: stored credentials exposed via API filter bug | flowise | 6.5 |
| HIGH | CVE-2026-46444 | Flowise: missing authz on vector store CRUD ops | flowise | 8.8 |
| HIGH | CVE-2026-46477 | Flowise: mass-assignment cross-workspace dataset takeover | flowise | 8.8 |
| HIGH | CVE-2026-46478 | Flowise: mass-assignment allows cross-workspace data takeover | flowise | 8.8 |
| HIGH | CVE-2026-46309 | Linux Xe iGPU: cache-bypass leaks cross-process stale data | 7.0 | |
| MEDIUM | CVE-2026-53815 | OpenClaw: auth bypass exposes restricted channel messages | openclaw | 6.5 |
| MEDIUM | CVE-2019-6576 | SIMATIC WinCC: TLS key disclosure enables traffic decryption | SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) | 6.5 |
| CRITICAL | CVE-2024-6877 | Panel: Reflected XSS enables session hijack in ML UI | Panel | - |
| LOW | CVE-2026-10813 | LMCache: weak hash enables KV cache integrity bypass | 3.6 | |
| MEDIUM | CVE-2026-48121 | LangGraph MongoDB: NoSQL injection leaks tenant checkpoints | @langchain/langgraph-checkpoint-mongodb | 6.7 |
| HIGH | CVE-2026-45830 | ChromaDB: auth bypass exposes any tenant's collections | chromadb | 8.8 |
| HIGH | CVE-2026-45831 | ChromaDB: RBAC bypass enables cross-tenant data access | chromadb | 8.8 |