ATLAS Landscape
AML.T0020
Poison Training Data
Adversaries may attempt to poison datasets used by an AI model by modifying the underlying data or its labels. This allows the adversary to embed vulnerabilities in AI models trained on the data that may not be easily detectable. Data poisoning attacks may or may not require modifying the labels. The embedded vulnerability is activated at a later time by data samples with an [Insert Backdoor Trigger](/techniques/AML.T0043.004). Poisoned data can be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010), or the data may be poisoned after the adversary gains [Initial Access](/tactics/AML.TA0004) to the system.
22 CVEs mapped
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-2635 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2023-6018 | MLflow: unauth file overwrite enables model poisoning | mlflow | 9.8 |
| CRITICAL | CVE-2025-33244 | NVIDIA: Deserialization enables RCE | — | 9.0 |
| HIGH | CVE-2021-41220 | TensorFlow: use-after-free in async collective ops | tensorflow | 7.8 |
| HIGH | CVE-2025-33233 | NVIDIA: Code Injection enables RCE | — | 7.8 |
| HIGH | CVE-2024-0452 | WordPress AI ChatBot: auth bypass enables OpenAI file upload | wpbot | 7.7 |
| HIGH | CVE-2023-6015 | MLflow: unauthenticated arbitrary file write via PUT | mlflow | 7.5 |
| HIGH | CVE-2025-7647 | llama-index-core: insecure /tmp dir, model theft risk | llama-index-core | 7.3 |
| HIGH | CVE-2025-7707 | llama-index: world-writable NLTK dir allows local tampering | llama-index | 7.1 |
| MEDIUM | CVE-2026-35492 | kedro-datasets: path traversal enables arbitrary file write | kedro-datasets | 6.5 |
| MEDIUM | CVE-2022-23563 | TensorFlow: TOC/TOU race allows temp file hijacking | tensorflow | 6.3 |
| MEDIUM | CVE-2025-25296 | Label Studio: reflected XSS via label_config param | label-studio | 6.1 |
| MEDIUM | CVE-2025-0508 | SageMaker SDK: MD5 collision silently replaces ML workflows | sagemaker | 5.9 |
| MEDIUM | CVE-2022-29211 | TensorFlow: NaN input crashes histogram op (CPU DoS) | tensorflow | 5.5 |
| MEDIUM | CVE-2025-3044 | llama-index ArxivReader: MD5 collision corrupts training data | llama-index-readers-papers | 5.3 |
| MEDIUM | CVE-2025-13354 | taxopress: Missing Auth allows unauthorized operations | — | 4.3 |
| LOW | CVE-2026-7846 | Langchain-Chatchat: TOCTOU race allows silent file overwrite | langchain-chatchat | 2.6 |
| HIGH | CVE-2025-47783 | Label Studio: XSS enables unauthorized actions via CSRF | label-studio | — |
| HIGH | CVE-2026-2472 | google-cloud-aiplatform: XSS enables session hijacking | — | — |
| HIGH | CVE-2026-22033 | label-studio: XSS enables session hijacking | label-studio | — |
| LOW | CVE-2025-65858 | — | — | — |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | — |