AI Threat Alert
RAG
Retrieval-Augmented Generation pairs an LLM with an external knowledge store — typically a vector database holding embeddings of documents — so the model can ground its responses in up-to-date or proprietary information. The retrieval layer creates two distinct attack surfaces. First, the index itself can be poisoned: an attacker who can write into the source documents plants malicious content that the retriever will later surface to the LLM, enabling indirect prompt injection at retrieval time. Second, the embedding pipeline and the vector store (Pinecone, Weaviate, Chroma, pgvector, Qdrant) have their own vulnerabilities — authentication bypass, query injection, and unauthorized cross-tenant retrieval. RAG is also a common vector for training-data exfiltration when retrieved context is later used to fine-tune downstream models. Defenses: provenance tagging on retrieved content, source-aware system prompts, ACL-enforced retrieval, and tenant isolation in the vector store.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2023-36258 | LangChain: unauthenticated RCE via code injection | langchain | 9.8 |
| HIGH | CVE-2023-46229 | LangChain: SSRF in URL loader exposes internal network | langchain | 8.8 |
| CRITICAL | CVE-2024-2057 | LangChain TFIDFRetriever: SSRF/RCE via load_local | langchain | 9.8 |
| HIGH | CVE-2024-3095 | LangChain: SSRF in Web Retriever exposes cloud metadata | langchain | 7.7 |
| HIGH | CVE-2024-21513 | langchain-experimental: RCE via eval() in VectorSQL chain | langchain-experimental | 8.5 |
| HIGH | CVE-2024-5998 | LangChain: RCE via FAISS pickle deserialization | langchain | 7.8 |
| CRITICAL | CVE-2024-8309 | LangChain GraphCypher: prompt injection enables DB wipe | langchain | 9.8 |
| UNKNOWN | CVE-2025-21604 | AIDeepin: MD5 collision enables RAG knowledge base poisoning | - | |
| CRITICAL | CVE-2025-6853 | Langchain-Chatchat: path traversal in KB upload | langchain-chatchat | 9.8 |
| MEDIUM | CVE-2025-6854 | Langchain-Chatchat: path traversal in file API exposes host FS | langchain-chatchat | 4.3 |
| HIGH | CVE-2025-6855 | Langchain-Chatchat: path traversal exposes system files | langchain-chatchat | 8.8 |
| HIGH | CVE-2025-6984 | EverNoteLoader: XXE exposes host files in LangChain | langchain-community | 7.5 |
| HIGH | CVE-2025-6985 | langchain-text-splitters: XXE enables arbitrary file read | langchain-text-splitters | 7.5 |
| LOW | CVE-2026-26013 | langchain-core: SSRF allows internal network access | langchain_core | 3.7 |
| MEDIUM | CVE-2026-26019 | langchain_community: SSRF allows internal network access | langchain_community | 4.1 |
| MEDIUM | CVE-2021-28796 | Qiita::Markdown: XSS in transformer components | 6.1 | |
| UNKNOWN | CVE-2026-0772 | langflow: Deserialization enables RCE | langflow | - |
| HIGH | CVE-2024-14021 | llamaindex: Deserialization enables RCE | llamaindex | 7.8 |
| HIGH | CVE-2024-45848 | MindsDB: RCE via eval() injection in ChromaDB INSERT | 8.8 | |
| HIGH | CVE-2026-26286 | sillytavern: SSRF allows internal network access | 8.5 |