Data Leakage
Data leakage in AI systems happens at three layers. At training time, models can memorise rare strings from their corpus — phone numbers, passwords, API keys committed to public code — and an attacker who knows the right context can prompt the model to regurgitate them. At inference time, applications often pass sensitive context to third-party APIs (OpenAI, Anthropic, Bedrock) without redaction; this content is then potentially logged, retained, or used to improve future models depending on the vendor's terms. At the application layer, multi-tenant deployments routinely leak across users when caching, logging, or vector-store indexing is misconfigured. Indirect prompt injection compounds all three by giving an attacker a way to ask the model to repeat what it should not. Defenses: PII redaction in prompts and outputs, differential privacy in training, vendor data-use review, and strict tenant boundaries in shared infrastructure.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-w47f-j8rh-wx87 | Flowise: credential exposure via public chatflow API | flowise | - |
| LOW | CVE-2026-6597 | langflow: Plaintext credential storage via Flow API | langflow | 2.7 |
| MEDIUM | CVE-2026-41495 | n8n-mcp: bearer tokens exposed in HTTP transport logs | n8n-mcp | 5.3 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | flowise | 7.5 |
| MEDIUM | GHSA-wg4g-395p-mqv3 | n8n-mcp: credential exposure via HTTP transport logging | n8n-mcp | 4.3 |
| MEDIUM | CVE-2026-7141 | vllm: uninitialized KV cache memory leaks inference data | vllm | 5.6 |
| UNKNOWN | CVE-2026-41686 | @anthropic-ai/sdk: insecure file perms expose agent memory | @anthropic-ai/sdk | - |
| MEDIUM | CVE-2026-3345 | Langflow: path traversal allows arbitrary file read | langflow | 6.5 |
| CRITICAL | CVE-2026-7482 | Ollama: heap OOB read leaks API keys and chat data | ollama | 9.1 |
| MEDIUM | CVE-2026-41358 | OpenClaw: sender allowlist bypass via Slack thread context | openclaw | 5.4 |
| MEDIUM | GHSA-93rg-2xm5-2p9v | openclaw: auth bypass exposes Gateway bootstrap config | openclaw | - |
| MEDIUM | GHSA-cqmh-pcgr-q42f | @axonflow/openclaw: credential exposure via insecure file permissions | @axonflow/openclaw | 5.5 |
| HIGH | CVE-2026-44504 | Aegra: cross-tenant IDOR hijacks user thread data | aegra-api | - |
| MEDIUM | CVE-2026-44558 | open-webui: permission bypass exposes channels publicly | open-webui | 5.4 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| CRITICAL | CVE-2026-44211 | cline: WebSocket auth bypass enables terminal RCE | cline | 9.6 |
| MEDIUM | CVE-2026-42282 | n8n-MCP: credential logging exposes OAuth tokens in HTTP mode | 4.3 | |
| MEDIUM | CVE-2026-44337 | PraisonAI: SQL/CQL injection in knowledge-store backends | PraisonAI | 6.3 |
| LOW | CVE-2026-8026 | Flowise: info disclosure via login API response handler | flowise | 3.7 |
| HIGH | CVE-2026-45134 | LangSmith: prompt deserialization enables SSRF + data leak | langchain | 7.1 |