Data Leakage
Data leakage in AI systems happens at three layers. At training time, models can memorise rare strings from their corpus — phone numbers, passwords, API keys committed to public code — and an attacker who knows the right context can prompt the model to regurgitate them. At inference time, applications often pass sensitive context to third-party APIs (OpenAI, Anthropic, Bedrock) without redaction; this content is then potentially logged, retained, or used to improve future models depending on the vendor's terms. At the application layer, multi-tenant deployments routinely leak across users when caching, logging, or vector-store indexing is misconfigured. Indirect prompt injection compounds all three by giving an attacker a way to ask the model to repeat what it should not. Defenses: PII redaction in prompts and outputs, differential privacy in training, vendor data-use review, and strict tenant boundaries in shared infrastructure.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-9699 | Mattermost: OpenAI API key leaks into logs on auth errors | 6.8 | |
| HIGH | CVE-2026-5757 | Ollama: unauthenticated heap memory disclosure | Ollama | 7.5 |
| CRITICAL | GHSA-98x5-vq43-vc5p | semantic-router: unpinned litellm dep pulls malware wheel | litellm | - |
| HIGH | CVE-2026-57947 | Pinpoint APM: SSRF via alarm webhook registration | pinpoint | 8.5 |
| MEDIUM | CVE-2026-57948 | Pinpoint: insecure JWT cookie enables session hijacking | pinpoint | 6.8 |
| UNKNOWN | CVE-2026-12243 | NLTK: path traversal enables arbitrary file read | - | |
| HIGH | CVE-2026-10129 | Langflow: SSRF protection bypass via redirect | langflow | 8.5 |
| CRITICAL | CVE-2026-10134 | Langflow: unauthenticated RCE via tool_code injection | langflow | 10.0 |
| CRITICAL | CVE-2026-10140 | Langflow: cross-tenant API credential leak via cache bug | langflow | 9.6 |
| MEDIUM | CVE-2026-10546 | Langflow: SSRF via DNS rebinding in URL component | langflow | 6.5 |
| CRITICAL | CVE-2026-10560 | Langflow: missing auth on build API leaks data, enables DoS | langflow | 9.1 |
| CRITICAL | CVE-2026-7663 | Langflow: auth bypass in MCP transport exposes projects | langflow | 9.8 |
| CRITICAL | CVE-2026-7871 | Langflow: Redis-access deserialization enables full RCE | langflow | 9.8 |
| CRITICAL | CVE-2026-7873 | Langflow: authenticated RCE enables credential theft | langflow | 9.9 |
| CRITICAL | CVE-2026-7874 | Langflow: weak reversible KDF exposes all stored credentials | langflow | 9.1 |
| UNKNOWN | CVE-2026-56277 | Flowise: wildcard CORS on TTS endpoint abuses creds | Flowise | - |
| MEDIUM | CVE-2026-56399 | Open WebUI: SSRF in web retrieval hits internal services | open-webui | 5.0 |
| MEDIUM | CVE-2026-56777 | n8n: AST validator bypass leaks env vars in Python node | n8n | 5.0 |
| UNKNOWN | CVE-2026-12480 | Keras: incomplete fix reopens HDF5 arbitrary file read | keras | - |
| MEDIUM | CVE-2026-49088 | Kibana: sensitive headers leaked via APM logs | 4.4 |