RAG
Retrieval-Augmented Generation pairs an LLM with an external knowledge store — typically a vector database holding embeddings of documents — so the model can ground its responses in up-to-date or proprietary information. The retrieval layer creates two distinct attack surfaces. First, the index itself can be poisoned: an attacker who can write into the source documents plants malicious content that the retriever will later surface to the LLM, enabling indirect prompt injection at retrieval time. Second, the embedding pipeline and the vector store (Pinecone, Weaviate, Chroma, pgvector, Qdrant) have their own vulnerabilities — authentication bypass, query injection, and unauthorized cross-tenant retrieval. RAG is also a common vector for training-data exfiltration when retrieved context is later used to fine-tune downstream models. Defenses: provenance tagging on retrieved content, source-aware system prompts, ACL-enforced retrieval, and tenant isolation in the vector store.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2026-8828 | ChromaDB: tenant isolation bypass exposes all tenant data | chromadb | - |
| MEDIUM | CVE-2026-48148 | Budibase: SSRF via VectorDB host exposes cloud metadata | @budibase/server | - |
| MEDIUM | CVE-2026-53825 | OpenClaw: path traversal exposes local files via wiki ingest | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-42867 | Langflow: path traversal enables arbitrary file write | langflow | 6.5 |
| UNKNOWN | CVE-2026-54313 | n8n: MongoDB query injection overwrites arbitrary documents | n8n | - |
| MEDIUM | CVE-2026-54016 | Open WebUI: BOLA exposes private knowledge base files | open-webui | 4.3 |
| HIGH | CVE-2026-54012 | Open WebUI: auth bypass enables cross-user file read/delete | open-webui | 7.1 |
| MEDIUM | CVE-2026-54019 | open-webui: RAG ACL bypass exposes private KB chunks | open-webui | 6.5 |
| HIGH | CVE-2026-54018 | open-webui: SSRF via redirect bypass in Playwright loader | open-webui | 7.7 |
| HIGH | CVE-2026-55405 | langchain4j: SQL injection in vector store filters | dev.langchain4j:langchain4j-pgvector | 7.6 |
| CRITICAL | CVE-2026-12048 | pgAdmin 4: Stored XSS enables full browser session hijack | 9.3 | |
| CRITICAL | CVE-2026-55447 | Langflow: TAR symlink traversal enables full RCE | langflow | 9.6 |
| MEDIUM | CVE-2026-12821 | Flowise: path traversal in S3 loader exposes documents | Flowise | 6.3 |
| CRITICAL | CVE-2026-54158 | SiYuan: XSS→RCE via workspace sync in Electron app | 9.9 | |
| HIGH | CVE-2026-23536 | Feast: unauth path traversal leaks any file | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | 7.5 |
| MEDIUM | CVE-2026-56399 | Open WebUI: SSRF in web retrieval hits internal services | open-webui | 5.0 |
| CRITICAL | CVE-2026-50027 | mcp-memory-service: auth bypass on document API | mcp-memory-service | 9.8 |
| CRITICAL | CVE-2026-55615 | Langroid: unvalidated LLM Cypher enables graph RCE | langroid | - |
| HIGH | CVE-2026-26192 | Open WebUI: stored XSS via citation iFrame → admin RCE | open-webui | 7.3 |
| MEDIUM | CVE-2026-56273 | Flowise: path traversal in vector store basePath | flowise | 6.5 |
Page 6 of 6