Model Poisoning
Model poisoning is a training-time attack that leaves the model functionally normal on most inputs but misbehaving on attacker-chosen triggers. The original BadNets paper showed this on image classifiers: stamp a small pixel pattern on a stop-sign image during training, and the deployed model misclassifies any future stop sign with the same pattern as a speed-limit sign. The same idea generalises to LLMs (trigger phrases that flip refusal behaviour), code models (triggers that emit insecure code), and reinforcement-learning agents (reward hacking via tampered reward signals). The attack is hard to detect because standard validation sets show no degradation. Federated learning is particularly exposed because the training data and gradients come from many untrusted clients. Defenses include trigger detection (Neural Cleanse, ABS), spectral signatures, robust aggregation in federated setups, and strict provenance on training data.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-7707 | llama-index: world-writable NLTK dir allows local tampering | llama-index | 7.1 |
| HIGH | CVE-2025-7647 | llama-index-core: insecure /tmp dir, model theft risk | llama-index-core | 7.3 |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | - |
| MEDIUM | GHSA-r54c-2xmf-2cf3 | ms-swift: RCE via pickle deserialization in adapter models | ms-swift | - |
| MEDIUM | CVE-2025-3044 | llama-index ArxivReader: MD5 collision corrupts training data | llama-index-readers-papers | 5.3 |
| MEDIUM | CVE-2025-0508 | SageMaker SDK: MD5 collision silently replaces ML workflows | sagemaker | 5.9 |
| MEDIUM | CVE-2024-7041 | open-webui: IDOR enables cross-user memory tampering | open-webui | 6.5 |
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | open-webui | 7.1 |
| MEDIUM | CVE-2026-34450 | anthropic-sdk: insecure file perms expose agent memory | anthropic | - |
| MEDIUM | CVE-2026-35492 | kedro-datasets: path traversal enables arbitrary file write | kedro-datasets | 6.5 |
| HIGH | GHSA-3prp-9gf7-4rxx | Flowise: mass assignment enables cross-tenant store takeover | flowise | - |
| HIGH | CVE-2026-41277 | Flowise: mass assignment enables cross-workspace IDOR | flowise | 8.8 |
| LOW | CVE-2026-7846 | Langchain-Chatchat: TOCTOU race allows silent file overwrite | langchain-chatchat | 2.6 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | open-webui | 6.5 |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | open-webui | 8.1 |
| HIGH | CVE-2026-45398 | open-webui: IDOR exposes private RAG knowledge bases | open-webui | 7.5 |
| MEDIUM | CVE-2026-45396 | open-webui: mass assignment enables leaderboard poisoning | open-webui | 5.4 |