Privacy Violation
Privacy is an unusual security category in AI because the data is often inside the model rather than next to it. Three failure modes dominate. First, training-data memorization: models can be coaxed into emitting verbatim PII or copyrighted text from their corpus — a documented vector against several frontier LLMs. Second, vendor data retention: applications routinely send user content to third-party APIs (OpenAI, Anthropic, Google) where it may be retained, logged for safety review, or used to improve future models, depending on the contract; under GDPR this is a controller-processor relationship that requires DPAs and lawful basis. Third, application-layer leakage: chat histories cached without per-tenant keys, vector stores indexed without ACLs, and logs containing full prompts. Compliance frameworks now address this directly: ISO 42001 Annex A 9.x, EU AI Act Article 10 (Data Governance), and GDPR Article 25 (Data Protection by Design).
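As an added illustration of the third failure mode (not code from this catalogue or from any listed project), the block below contrasts an unscoped retrieval over a shared vector store, which hands one tenant another tenant's chunk, with a tenant-scoped retrieval, a per-tenant cache key, and a log record that keeps a hash and redacted excerpt rather than the full prompt. The two-tenant documents, embeddings and names are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Doc:
    text: str
    tenant: str
    embedding: tuple


# Constructed sample: two tenants' chunks sharing one index (the leaky setup).
DOCS = [
    Doc("Acme Q3 revenue forecast: 12M", "acme", (1.0, 0.0)),
    Doc("Acme HR: Jane Doe salary 140k", "acme", (0.9, 0.1)),
    Doc("Globex onboarding checklist", "globex", (0.95, 0.05)),
]


def _score(a, b):
    return sum(x * y for x, y in zip(a, b))


def retrieve_unscoped(query_vec, k=2):
    """Weak: ranks across every tenant, so any caller can pull foreign rows."""
    return sorted(DOCS, key=lambda d: -_score(query_vec, d.embedding))[:k]


def retrieve_scoped(query_vec, tenant, k=2):
    """Hardened: the ACL filter runs before ranking, so foreign rows never score."""
    allowed = [d for d in DOCS if d.tenant == tenant]
    return sorted(allowed, key=lambda d: -_score(query_vec, d.embedding))[:k]


def cache_key(tenant, user, prompt):
    """Per-tenant, per-user key: identical prompt text must not share a cache entry."""
    raw = f"{tenant}\x00{user}\x00{prompt}".encode()
    return hashlib.sha256(raw).hexdigest()


EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def log_record(tenant, prompt):
    """Log a prompt fingerprint and a redacted excerpt, never the full prompt."""
    return {
        "tenant": tenant,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest()[:16],
        "excerpt": EMAIL.sub("[email]", prompt)[:40],
    }
```

With the constructed data, `retrieve_unscoped((1.0, 0.0))` returns a Globex chunk to an Acme caller, while `retrieve_scoped((1.0, 0.0), "acme")` returns only Acme rows.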
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-33484 | langflow: Access Control bypass enables privilege escalation | langflow | 7.5 |
| HIGH | CVE-2026-22219 | chainlit: SSRF allows internal network access | chainlit | 7.7 |
| MEDIUM | CVE-2026-33401 | Wallos: SSRF allows internal network access | - | 6.5 |
| CRITICAL | CVE-2025-32428 | jupyter-remote-desktop-proxy: VNC network exposure | jupyter-remote-desktop-proxy | - |
| MEDIUM | CVE-2024-7046 | Open WebUI: missing authz leaks admin credentials | open-webui | 4.3 |
| HIGH | CVE-2025-25295 | Label Studio SDK: path traversal leaks server filesystem | label-studio-sdk | - |
| MEDIUM | CVE-2024-7041 | open-webui: IDOR enables cross-user memory tampering | open-webui | 6.5 |
| LOW | CVE-2026-29071 | Open WebUI: IDOR exposes AI memories and private files | open-webui | 3.1 |
| CRITICAL | CVE-2026-2286 | CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services | - | 9.8 |
| HIGH | CVE-2026-29872 | awesome-llm-apps MCP Agent: cross-session credential theft | - | 8.2 |
| HIGH | CVE-2026-35394 | mobile-mcp: intent injection enables device control via AI agent | @mobilenext/mobile-mcp | 8.3 |
| MEDIUM | CVE-2026-5530 | Ollama: SSRF in Model Pull API enables network pivot | - | 6.3 |
| MEDIUM | GHSA-2f7j-rp58-mr42 | OpenClaw: info disclosure exposes host filesystem paths | openclaw | - |
| HIGH | GHSA-69x8-hrgq-fjj8 | LiteLLM: auth bypass chain enables full privilege escalation | litellm | - |
| HIGH | GHSA-4ggg-h7ph-26qr | n8n-mcp: authenticated SSRF leaks cloud metadata | n8n-mcp | 8.5 |
| LOW | GHSA-5fc7-f62m-8983 | OpenClaw: local file read bypasses workspace policy | openclaw | - |
| MEDIUM | GHSA-qqq7-4hxc-x63c | openclaw: local file exfiltration via trusted MEDIA refs | openclaw | - |
| HIGH | CVE-2026-40150 | PraisonAIAgents: SSRF exposes cloud metadata via web_crawl | praisonaiagents | 7.7 |
| HIGH | CVE-2026-40114 | PraisonAI: unauthenticated SSRF via unvalidated webhook_url | PraisonAI | 7.2 |
| MEDIUM | CVE-2026-40152 | praisonaiagents: glob traversal leaks filesystem metadata | praisonaiagents | 5.3 |