Data Leakage
Data leakage in AI systems happens at three layers. At training time, models can memorise rare strings from their corpus — phone numbers, passwords, API keys committed to public code — and an attacker who knows the right context can prompt the model to regurgitate them. At inference time, applications often pass sensitive context to third-party APIs (OpenAI, Anthropic, Bedrock) without redaction; this content is then potentially logged, retained, or used to improve future models depending on the vendor's terms. At the application layer, multi-tenant deployments routinely leak across users when caching, logging, or vector-store indexing is misconfigured. Indirect prompt injection compounds all three by giving an attacker a way to ask the model to repeat what it should not. Defenses: PII redaction in prompts and outputs, differential privacy in training, vendor data-use review, and strict tenant boundaries in shared infrastructure.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-55450 | Langflow: unauthenticated upload → DoS + path disclosure | langflow | 9.3 |
| MEDIUM | CVE-2026-54019 | open-webui: RAG ACL bypass exposes private KB chunks | open-webui | 6.5 |
| HIGH | GHSA-jxcw-qp4h-6jfq | praisonai: incomplete auth fix exposes A2U agent streams | praisonai | 7.5 |
| HIGH | GHSA-vxgj-xg5c-p4h7 | praisonaiagents: SSRF DNS bypass exposes internal services | praisonaiagents | 8.5 |
| HIGH | GHSA-j7qx-p75m-wp7g | PraisonAI: path traversal exposes arbitrary host files | praisonai | 7.5 |
| MEDIUM | GHSA-35w5-pcw4-jx94 | praisonaiagents: unauth SSE endpoint enables event injection | praisonaiagents | 4.3 |
| MEDIUM | CVE-2026-50188 | Kirby CMS: CRLF injection overrides outbound HTTP headers | getkirby/cms | - |
| HIGH | CVE-2026-49276 | Kirby CMS: XSS via writer field malicious links | getkirby/cms | - |
| MEDIUM | CVE-2026-49274 | Kirby CMS: missing auth exposes restricted page titles | getkirby/cms | - |
| MEDIUM | CVE-2026-22551 | @theia/ai-chat: prompt injection exfiltrates workspace secrets | @theia/ai-ide | - |
| MEDIUM | CVE-2026-56077 | PraisonAI: agent ID collision leaks system prompts | PraisonAI | 6.5 |
| HIGH | CVE-2026-12773 | litellm: auth bypass in MCP proxy, no credentials required | litellm | 7.3 |
| MEDIUM | CVE-2026-12821 | Flowise: path traversal in S3 loader exposes documents | Flowise | 6.3 |
| HIGH | CVE-2026-9029 | Grafana: stored XSS in geomap bypasses CVE-2023-0507 fix | 7.3 | |
| HIGH | CVE-2026-54353 | Budibase: SSRF via DNS rebinding in automation steps | @budibase/backend-core | 8.5 |
| HIGH | CVE-2026-56268 | Flowise: cross-workspace chatflow config disclosure | Flowise | 7.7 |
| CRITICAL | CVE-2026-56348 | n8n: SSRF bypasses allowlist, exfiltrates credentials | n8n | 9.1 |
| MEDIUM | CVE-2026-22174 | OpenClaw: local token leak via CDP probe hijack | OpenClaw | 6.8 |
| HIGH | CVE-2026-22171 | OpenClaw: path traversal allows arbitrary file write | OpenClaw | 8.2 |
| MEDIUM | CVE-2026-32022 | OpenClaw: grep safeBins bypass enables arbitrary file read | OpenClaw | 6.5 |