Model Poisoning
Model poisoning is a training-time attack that leaves the model functionally normal on most inputs but misbehaving on attacker-chosen triggers. The original BadNets paper showed this on image classifiers: stamp a small pixel pattern on a stop-sign image during training, and the deployed model misclassifies any future stop sign with the same pattern as a speed-limit sign. The same idea generalises to LLMs (trigger phrases that flip refusal behaviour), code models (triggers that emit insecure code), and reinforcement-learning agents (reward hacking via tampered reward signals). The attack is hard to detect because standard validation sets show no degradation. Federated learning is particularly exposed because the training data and gradients come from many untrusted clients. Defenses include trigger detection (Neural Cleanse, ABS), spectral signatures, robust aggregation in federated setups, and strict provenance on training data.
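Robust aggregation, one of the federated-learning defenses named above, can be shown in a few lines. The block below is an added example written for this entry, not code from the page or from any cited paper: it aggregates constructed client updates with a plain mean, a coordinate-wise median, and a trimmed mean, and adds a simple distance-based screen that flags clients whose update sits far from the coordinate-wise median. The client vectors, the `factor` threshold and the function names are all assumptions made for illustration.

```python
"""Coordinate-wise robust aggregation for federated learning (added example).

Compares a plain average of client model updates with a coordinate-wise
median and a trimmed mean, and flags clients whose update lies far from
the median. The updates below are constructed sample data, not output of
any real training run.
"""
import math
from statistics import median
from typing import List, Sequence

Update = Sequence[float]


def mean_aggregate(updates: List[Update]) -> List[float]:
    """Plain federated averaging: one far-off client shifts every coordinate."""
    n = len(updates)
    return [sum(col) / n for col in zip(*updates)]


def median_aggregate(updates: List[Update]) -> List[float]:
    """Coordinate-wise median: bounded influence for any minority of clients."""
    return [median(col) for col in zip(*updates)]


def trimmed_mean_aggregate(updates: List[Update], trim: int) -> List[float]:
    """Per coordinate, drop the `trim` largest and `trim` smallest values, then average."""
    n = len(updates)
    if trim < 0 or 2 * trim >= n:
        raise ValueError("trim must satisfy 0 <= 2*trim < number of clients")
    out = []
    for col in zip(*updates):
        kept = sorted(col)[trim:n - trim]
        out.append(sum(kept) / len(kept))
    return out


def flag_outlier_clients(updates: List[Update], factor: float = 3.0) -> List[int]:
    """Return indices of clients whose Euclidean distance from the coordinate-wise
    median exceeds `factor` times the median of all clients' distances.
    `factor` is an assumed tuning knob, not a value from the literature."""
    center = median_aggregate(updates)
    dists = [math.dist(u, center) for u in updates]
    typical = median(dists)
    if typical == 0:
        return []
    return [i for i, d in enumerate(dists) if d > factor * typical]


# Constructed sample: nine clients whose updates cluster near (0.5, -0.2, 0.1)
# and one client whose update is scaled roughly 100x outside that cluster.
HONEST = [[0.5 + 0.01 * k, -0.2 - 0.01 * k, 0.1 + 0.005 * k] for k in range(9)]
OUTLIER = [[50.0, -20.0, 10.0]]
ALL_UPDATES = HONEST + OUTLIER


if __name__ == "__main__":
    print("mean        :", mean_aggregate(ALL_UPDATES))
    print("median      :", median_aggregate(ALL_UPDATES))
    print("trimmed(1)  :", trimmed_mean_aggregate(ALL_UPDATES, trim=1))
    print("flagged     :", flag_outlier_clients(ALL_UPDATES))
```

The plain mean lands an order of magnitude away from the honest cluster, while the median and trimmed mean stay inside it and the distance screen singles out the one divergent client. The caveat a practitioner should keep in mind is that these estimators only bound the influence of updates that look statistically unusual; a backdoor update scaled to sit within the honest range passes them, which is why the entry above pairs robust aggregation with trigger detection and data provenance rather than relying on it alone.
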
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-4538 | AI component: Input Validation flaw enables exploitation | - | 7.8 |
| UNKNOWN | CVE-2026-25083 | GROWI: Missing Auth allows unauthorized operations | - | - |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| HIGH | CVE-2026-2033 | mlflow: Path Traversal enables file access | mlflow | 8.1 |
| CRITICAL | CVE-2026-2635 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| HIGH | CVE-2025-14287 | mlflow: Code Injection enables RCE | mlflow | 7.5 |
| CRITICAL | CVE-2025-15031 | mlflow: Path Traversal enables file access | mlflow | 9.1 |
| CRITICAL | CVE-2026-33017 | langflow: Code Injection enables RCE | langflow | 9.8 |
| MEDIUM | CVE-2026-27167 | gradio: Weak Credentials allow account compromise | gradio | 5.9 |
| HIGH | CVE-2026-27497 | n8n: SQL Injection exposes database | n8n | 8.8 |
| HIGH | CVE-2026-27498 | n8n: Code Injection enables RCE | n8n | 8.8 |
| CRITICAL | CVE-2026-27577 | n8n: Code Injection enables RCE | n8n | 9.9 |
| HIGH | CVE-2021-41220 | TensorFlow: use-after-free in async collective ops | tensorflow | 7.8 |
| UNKNOWN | CVE-2025-21604 | AIDeepin: MD5 collision enables RAG knowledge base poisoning | - | - |
| HIGH | CVE-2024-0452 | WordPress AI ChatBot: auth bypass enables OpenAI file upload | wpbot | 7.7 |
| HIGH | CVE-2023-6015 | MLflow: unauthenticated arbitrary file write via PUT | mlflow | 7.5 |
| CRITICAL | CVE-2023-6018 | MLflow: unauth file overwrite enables model poisoning | mlflow | 9.8 |
| MEDIUM | CVE-2024-3099 | MLflow: URL encoding bypass enables model poisoning | mlflow | 5.4 |
| MEDIUM | CVE-2025-1474 | MLflow: passwordless accounts enable persistent backdoor | mlflow | 5.5 |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | - |