Data Leakage
Data leakage in AI systems happens at three layers. At training time, models can memorise rare strings from their corpus — phone numbers, passwords, API keys committed to public code — and an attacker who knows the right context can prompt the model to regurgitate them. At inference time, applications often pass sensitive context to third-party APIs (OpenAI, Anthropic, Bedrock) without redaction; this content is then potentially logged, retained, or used to improve future models depending on the vendor's terms. At the application layer, multi-tenant deployments routinely leak across users when caching, logging, or vector-store indexing is misconfigured. Indirect prompt injection compounds all three by giving an attacker a way to ask the model to repeat what it should not. Defenses: PII redaction in prompts and outputs, differential privacy in training, vendor data-use review, and strict tenant boundaries in shared infrastructure.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-7g73-99r4-m4mj | Flowise: credential data leak via filtered API endpoint | flowise | - |
| HIGH | GHSA-hp26-q66v-q2w7 | Flowise: mass assignment breaks multi-tenant isolation | flowise | - |
| HIGH | GHSA-wxrr-jp8m-qq7f | Flowise: mass assignment enables cross-workspace IDOR | flowise | - |
| HIGH | GHSA-hmg2-jjjx-jcp2 | Flowise: missing authz on vector store CRUD endpoints | flowise | - |
| HIGH | CVE-2026-44790 | n8n: Git node arg injection enables full server compromise | n8n | 8.8 |
| HIGH | CVE-2026-45370 | utcp-cli: env leak exfiltrates all agent process secrets | utcp-cli | 7.7 |
| HIGH | CVE-2026-45402 | open-webui: auth bypass exposes any user's private files via RAG | open-webui | 8.1 |
| HIGH | CVE-2026-45401 | open-webui: SSRF redirect bypass exposes internal services | open-webui | 8.5 |
| MEDIUM | CVE-2026-45387 | open-webui: system prompt leakage via model read API | open-webui | 4.3 |
| MEDIUM | CVE-2026-45351 | Open WebUI: admin system prompts exposed to all users | open-webui | 6.5 |
| MEDIUM | CVE-2026-45317 | Open-WebUI: CSRF image URL leaks session cookies | open-webui | 4.6 |
| MEDIUM | CVE-2026-45299 | open-webui: Stored SVG XSS enables admin JWT theft | open-webui | 5.4 |
| MEDIUM | CVE-2026-45582 | n8n-mcp: telemetry leak exposes workflow URL secrets | n8n-mcp | 6.5 |
| HIGH | CVE-2026-8596 | SageMaker SDK: cleartext HMAC key enables model artifact RCE | sagemaker | 7.2 |
| CRITICAL | CVE-2026-46695 | Boxlite: read-only bypass enables host code execution | boxlite-cli | 10.0 |
| MEDIUM | CVE-2026-44176 | Kirby CMS: auth bypass exposes restricted page drafts | getkirby/cms | - |
| MEDIUM | CVE-2026-48545 | Gradio: cookie injection hijacks cross-Space sessions | gradio | 6.8 |
| UNKNOWN | CVE-2026-9806 | CTI Transmute: stored XSS in notification panel | - | |
| MEDIUM | GHSA-rf84-wr5g-m3rp | CAPM3: cross-namespace auth bypass exposes K8s secrets | github.com/metal3-io/cluster-api-provider-metal3 | 5.5 |
| HIGH | CVE-2026-47405 | PraisonAI Platform: member self-promotes to workspace owner | praisonai-platform | 8.8 |