AI Threat Alert
RAG
Retrieval-Augmented Generation pairs an LLM with an external knowledge store — typically a vector database holding embeddings of documents — so the model can ground its responses in up-to-date or proprietary information. The retrieval layer creates two distinct attack surfaces. First, the index itself can be poisoned: an attacker who can write into the source documents plants malicious content that the retriever will later surface to the LLM, enabling indirect prompt injection at retrieval time. Second, the embedding pipeline and the vector store (Pinecone, Weaviate, Chroma, pgvector, Qdrant) have their own vulnerabilities — authentication bypass, query injection, and unauthorized cross-tenant retrieval. RAG is also a common vector for training-data exfiltration when retrieved context is later used to fine-tune downstream models. Defenses: provenance tagging on retrieved content, source-aware system prompts, ACL-enforced retrieval, and tenant isolation in the vector store.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2024-7035 | Open WebUI: CSRF wipes RAG DB and AI memories via GET | open-webui | 6.9 |
| MEDIUM | CVE-2024-12910 | llama-index: DoS via infinite recursion in web reader | llama-index | 5.9 |
| HIGH | GHSA-5ccf-884p-4jjq | open-webui: DoS via unauthenticated multipart parsing | open-webui | 7.5 |
| MEDIUM | CVE-2024-2965 | langchain-community: DoS via recursive sitemap loop | langchain | 4.2 |
| LOW | CVE-2024-6971 | lollms: path traversal in RAG database functions | lollms | 3.4 |
| LOW | CVE-2024-7038 | open-webui: filesystem enumeration via admin error messages | open-webui | 2.7 |
| LOW | CVE-2026-29071 | Open WebUI: IDOR exposes AI memories and private files | open-webui | 3.1 |
| MEDIUM | CVE-2026-29070 | open-webui: missing authz allows cross-KB file deletion | open-webui | 5.4 |
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | open-webui | 7.1 |
| CRITICAL | CVE-2026-2286 | CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services | 9.8 | |
| HIGH | CVE-2026-3357 | Langflow: deserialization RCE via FAISS component default | langflow | 8.8 |
| MEDIUM | CVE-2026-40112 | PraisonAI: XSS via no-op HTML sanitizer in agent output | praisonai | 5.4 |
| MEDIUM | GHSA-fv5p-p927-qmxr | langchain-text-splitters: SSRF bypass exposes cloud metadata | langchain-text-splitters | 6.5 |
| MEDIUM | GHSA-w6v6-49gh-mc9w | Flowise: path traversal allows arbitrary file write via vector store | flowise-components | - |
| HIGH | GHSA-3prp-9gf7-4rxx | Flowise: Mass assignment enables cross-tenant store takeover | flowise | - |
| HIGH | CVE-2026-41277 | Flowise: mass assignment enables cross-workspace IDOR | flowise | 8.8 |
| MEDIUM | CVE-2026-41481 | LangChain: SSRF redirect bypass exposes internal endpoints | langchain | 6.5 |
| MEDIUM | CVE-2026-7844 | Langchain-Chatchat: auth bypass on file service endpoints | 6.3 | |
| LOW | CVE-2026-7846 | Langchain-Chatchat: TOCTOU race allows silent file overwrite | langchain-chatchat | 2.6 |
| CRITICAL | CVE-2026-42048 | Langflow: path traversal allows arbitrary directory deletion | langflow | 9.6 |