AML.T0037

Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. This can include basic fingerprinting information and sensitive data such as ssh keys.

206 CVEs mapped View on MITRE ATLAS →

Severity	CVE	Headline	Package	CVSS
CRITICAL	CVE-2026-21858	n8n: Input Validation flaw enables exploitation	n8n	10.0
CRITICAL	CVE-2025-2828	LangChain RequestsToolkit: SSRF exposes cloud metadata	langchain	10.0
CRITICAL	CVE-2023-3765	MLflow: path traversal allows arbitrary file read	mlflow	10.0
CRITICAL	CVE-2026-25053	n8n: Command Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-25052	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2026-27494	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2024-31224	gpt_academic: deserialization RCE, no auth required	gpt_academic	9.8
CRITICAL	CVE-2023-1177	MLflow: path traversal allows arbitrary file read/write	mlflow	9.8
CRITICAL	CVE-2023-2780	MLflow: path traversal allows arbitrary file read/write	mlflow	9.8
CRITICAL	CVE-2024-11958	llama-index DuckDB retriever: SQLi enables RCE	llama-index-retrievers-duckdb-retriever	9.8
CRITICAL	CVE-2024-47167	Gradio: unauthenticated SSRF in /queue/join, internal pivot	gradio	9.8
CRITICAL	CVE-2024-3234	ChuanhuChatGPT: path traversal exposes LLM API keys	chuanhuchatgpt	9.8
CRITICAL	CVE-2026-33017	langflow: Code Injection enables RCE	langflow	9.8
CRITICAL	CVE-2024-23751	LlamaIndex: SQL injection in Text-to-SQL feature	llamaindex	9.8
CRITICAL	CVE-2024-41119	streamlit-geospatial: RCE via eval() on vis_params input	streamlit-geospatial	9.8
CRITICAL	CVE-2025-6853	Langchain-Chatchat: path traversal in KB upload	langchain-chatchat	9.8
CRITICAL	CVE-2024-41115	streamlit-geospatial: eval() injection enables RCE	streamlit-geospatial	9.8
CRITICAL	CVE-2024-41113	streamlit-geospatial: RCE via eval() in Timelapse page	streamlit-geospatial	9.8
CRITICAL	CVE-2025-13374	Kalrav: Arbitrary File Upload enables RCE		9.8
CRITICAL	CVE-2025-45150	ChatGLM-Webui: arbitrary file read, no auth required	langchain-chatglm-webui	9.8
CRITICAL	CVE-2025-9556	langchaingo: Jinja2 SSTI allows host filesystem read		9.8
CRITICAL	CVE-2025-11201	mlflow: Path Traversal enables file access	mlflow	9.8
CRITICAL	CVE-2024-0964	Gradio: unauthenticated LFI exposes full server filesystem	gradio	9.4
CRITICAL	CVE-2024-3573	MLflow: LFI via URI parsing allows arbitrary file read	mlflow	9.3
CRITICAL	CVE-2023-6021	Ray: LFI allows unauthenticated file read	ray	9.3
CRITICAL	CVE-2023-6020	Ray: unauthenticated LFI exposes entire filesystem	ray	9.3
CRITICAL	CVE-2026-0545	MLflow: auth bypass in job API enables unauthenticated RCE	mlflow	9.1
CRITICAL	CVE-2026-28500	onnx: Integrity Verification bypass enables tampering	onnx	9.1
CRITICAL	CVE-2023-34239	Gradio: path traversal + SSRF exposes model files & infra	gradio	9.1
CRITICAL	CVE-2025-55526	n8n-workflows: path traversal in download_workflow endpoint	fastapi	9.1
CRITICAL	CVE-2026-35216	Budibase: Unauthenticated RCE as root via webhook		9.1
CRITICAL	CVE-2024-7774	LangChain.js: path traversal, arbitrary file read/write	langchain.js	9.1
HIGH	CVE-2026-6543	Langflow: RCE exposes API keys and DB credentials	langflow	8.8
HIGH	CVE-2023-46229	LangChain: SSRF in URL loader exposes internal network	langchain	8.8
HIGH	CVE-2024-3571	LangChain: path traversal allows arbitrary file R/W	langchain	8.8
HIGH	CVE-2022-24770	Gradio: CSV formula injection via flagging enables RCE	gradio	8.8
HIGH	CVE-2025-6855	Langchain-Chatchat: path traversal exposes system files	langchain-chatchat	8.8
HIGH	CVE-2026-33713	n8n: SQLi in Data Table node, full DB compromise	n8n	8.8
HIGH	CVE-2024-45848	MindsDB: RCE via eval() injection in ChromaDB INSERT		8.8
HIGH	CVE-2025-61687	Flowise: unrestricted file upload enables persistent RCE	flowise	8.8
HIGH	CVE-2023-6753	MLflow: path traversal exposes arbitrary file read/write	mlflow	8.8
HIGH	CVE-2025-25297	Label Studio: SSRF via S3 endpoint exposes internal services	label-studio	8.6
HIGH	CVE-2026-40158	PraisonAI: AST sandbox bypass enables host RCE	PraisonAI	8.6
HIGH	CVE-2026-26286	sillytavern: SSRF allows internal network access		8.5
HIGH	CVE-2026-2033	mlflow: Path Traversal enables file access	mlflow	8.1
HIGH	CVE-2024-28088	LangChain: path traversal enables RCE and API key theft	langchain	8.1
HIGH	CVE-2024-1560	MLflow: path traversal allows arbitrary directory deletion	mlflow	8.1
HIGH	CVE-2024-4888	litellm: arbitrary file deletion via audio endpoint	litellm	8.1
HIGH	CVE-2025-61784	LLaMA-Factory: SSRF+LFI in multimodal chat API	llamafactory	8.1
HIGH	CVE-2023-6831	MLflow: path traversal allows arbitrary file write	mlflow	8.1
HIGH	CVE-2021-37679	TensorFlow: heap over-read leaks memory via RaggedTensor	tensorflow	7.8
HIGH	CVE-2021-37639	TensorFlow: heap OOB read via tensor restore API	tensorflow	7.8
HIGH	CVE-2021-29608	TensorFlow: heap OOB in RaggedTensorToTensor op	tensorflow	7.8
HIGH	CVE-2023-27506	Intel TF Opt: buffer overflow enables local priv-esc	optimization_for_tensorflow	7.8
HIGH	CVE-2023-4033	MLflow: OS command injection enables local code execution	mlflow	7.8
HIGH	CVE-2026-40150	PraisonAIAgents: SSRF exposes cloud metadata via web_crawl	praisonaiagents	7.7
HIGH	CVE-2025-61917	n8n: Info Disclosure leaks sensitive data	n8n	7.7
HIGH	CVE-2021-43831	Gradio: path traversal exposes host filesystem to users	gradio	7.7
HIGH	GHSA-hr5v-j9h9-xjhg	OpenClaw: sandbox escape via mediaUrl path traversal	openclaw	7.7
HIGH	CVE-2025-6984	EverNoteLoader: XXE exposes host files in LangChain	langchain-community	7.5
HIGH	CVE-2024-1558	MLflow: path traversal enables arbitrary file read	mlflow	7.5
HIGH	CVE-2024-1483	MLflow: path traversal exposes arbitrary server files	mlflow	7.5
HIGH	CVE-2024-9606	LiteLLM: API key leakage in logs exposes credentials	litellm	7.5
HIGH	CVE-2024-11030	GPT Academic: SSRF via unsanitized HotReload plugin	gpt_academic	7.5
HIGH	CVE-2024-36421	Flowise: CORS wildcard enables file read and data theft	flowise	7.5
HIGH	CVE-2026-34070	langchain-core: path traversal exposes host secrets via prompt config	langchain-core	7.5
HIGH	CVE-2024-4941	Gradio: LFI via JSON path key exposes server files	gradio	7.5
HIGH	CVE-2024-1593	MLflow: path traversal via ';' smuggling exposes files	mlflow	7.5
HIGH	CVE-2024-3848	MLflow: URL fragment bypass leaks SSH and cloud keys	mlflow	7.5
HIGH	CVE-2024-34527	SolidUI: OpenAI API key exposed via log print statement		7.5
HIGH	CVE-2023-51449	Gradio: path traversal grants arbitrary file read	gradio	7.5
HIGH	CVE-2024-1594	MLflow: path traversal via URI fragment reads arbitrary files	mlflow	7.5
HIGH	CVE-2024-1728	Gradio: path traversal leaks arbitrary files, potential RCE	gradio	7.5
HIGH	CVE-2026-44209	banks: SSTI enables RCE via unsandboxed Jinja2 templates	banks	7.5
HIGH	CVE-2025-25185	gpt_academic: symlink traversal exposes all server files	gpt_academic	7.5
HIGH	CVE-2025-23042	Gradio: ACL bypass via path case manipulation	gradio	7.5
HIGH	CVE-2026-28414	gradio: security flaw enables exploitation	gradio	7.5
HIGH	CVE-2024-8859	MLflow: path traversal allows arbitrary file read via DBFS	mlflow	7.5
HIGH	CVE-2026-1669	keras: File Control enables path manipulation	keras	7.5
HIGH	CVE-2024-39722	Ollama: path traversal exposes server filesystem	ollama	7.5
HIGH	CVE-2024-39719	Ollama: file existence oracle via api/create errors	ollama	7.5
HIGH	CVE-2024-47868	Gradio: path traversal leaks arbitrary server files	gradio	7.5
HIGH	CVE-2023-30172	MLflow: path traversal exposes arbitrary server files	mlflow	7.5
HIGH	CVE-2023-46315	Infinite Image Browsing: path traversal leaks credentials		7.5
HIGH	CVE-2024-45436	Ollama: ZIP path traversal exposes host filesystem	ollama	7.5
HIGH	CVE-2026-35485	text-generation-webui: unauthenticated path traversal file read	gradio	7.5
HIGH	CVE-2025-3046	LlamaIndex Obsidian: symlink traversal exposes host files	llama-index-readers-obsidian	7.5
HIGH	CVE-2026-26321	OpenClaw: path traversal enables local file exfiltration	openclaw	7.5
HIGH	CVE-2024-36420	Flowise: unauthenticated arbitrary file read via API	flowise	7.5
HIGH	CVE-2025-6985	langchain-text-splitters: XXE enables arbitrary file read	langchain-text-splitters	7.5
HIGH	CVE-2025-6209	llama_index: path traversal allows arbitrary file read	llama-index-core	7.5
HIGH	CVE-2023-6909	MLflow: path traversal exposes arbitrary files (no auth)	mlflow	7.5
HIGH	CVE-2024-2928	MLflow: URI fragment LFI exposes arbitrary files	mlflow	7.5
HIGH	CVE-2025-64104	langgraph-checkpoint-sqlite: SQL Injection exposes database	langgraph-checkpoint-sqlite	7.3
HIGH	CVE-2021-37655	TensorFlow: OOB heap read in ResourceScatterUpdate	tensorflow	7.3
HIGH	CVE-2025-30167	jupyter_core: config hijack enables cross-user code exec		7.3
HIGH	CVE-2026-6596	Langflow: unauthenticated file upload allows RCE	langflow-base	7.3
HIGH	CVE-2025-67644	langgraph-checkpoint-sqlite: SQL Injection exposes database	langgraph-checkpoint-sqlite	7.3
HIGH	CVE-2025-7647	llama-index-core: insecure /tmp dir, model theft risk	llama-index-core	7.3
HIGH	CVE-2026-1777	sagemaker: security flaw enables exploitation	sagemaker	7.2
HIGH	CVE-2021-41210	TensorFlow: heap OOB read in SparseCountSparseOutput	tensorflow	7.1
HIGH	CVE-2024-21799	Intel Extension for Transformers: path traversal privesc		7.1
HIGH	CVE-2026-35397	Jupyter Server: path traversal leaks sibling directories	jupyter-server	7.1
HIGH	CVE-2021-41223	TensorFlow: FusedBatchNorm heap OOB allows data leak/crash	tensorflow	7.1
HIGH	CVE-2021-41211	TensorFlow: heap OOB read in QuantizeV2 shape inference	tensorflow	7.1
HIGH	CVE-2021-37664	TensorFlow: heap OOB read in BoostedTrees ops	tensorflow	7.1
HIGH	GHSA-q56x-g2fj-4rj6	onnx: TOCTOU symlink following enables arbitrary file write	onnx	7.1
HIGH	CVE-2025-10279	mlflow: security flaw enables exploitation	mlflow	7.0
HIGH	CVE-2024-27134	MLflow: local privilege escalation via spark_udf ToCToU	mlflow	7.0
MEDIUM	CVE-2025-53621	DSpace: XXE injection enables server file disclosure		6.9
MEDIUM	CVE-2023-30767	Intel TF Opt: buffer overflow enables local privesc	optimization_for_tensorflow	6.7
MEDIUM	CVE-2025-51481	Dagster: path traversal exposes arbitrary file read via gRPC		6.6
MEDIUM	CVE-2025-44779	Ollama: arbitrary file deletion via /api/pull	ollama	6.6
MEDIUM	CVE-2026-24123	bentoml: Path Traversal enables file access	bentoml	6.5
MEDIUM	CVE-2024-47164	Gradio: path traversal bypasses directory access controls	gradio	6.5
MEDIUM	CVE-2026-3345	Langflow: path traversal allows arbitrary file read	langflow	6.5
MEDIUM	GHSA-mvv8-v4jj-g47j	Directus: cleartext storage exposes AI API keys		6.5
MEDIUM	CVE-2026-3340	IBM Langflow: SSRF enables internal network enumeration	langflow	6.5
MEDIUM	CVE-2023-27562	n8n: path traversal allows arbitrary file read	n8n	6.5
MEDIUM	CVE-2025-68477	langflow: SSRF allows internal network access	langflow	6.5
MEDIUM	CVE-2025-7780	WordPress AI Engine: SSRF leaks files via OpenAI API		6.5
MEDIUM	CVE-2026-43570	OpenClaw: symlink traversal exposes host filesystem	openclaw	6.5
MEDIUM	CVE-2026-25475	OpenClaw: path traversal enables arbitrary file read	openclaw	6.5
MEDIUM	CVE-2024-7037	open-webui: path traversal → arbitrary file write/RCE	open-webui	6.5
MEDIUM	CVE-2025-57749	n8n: symlink traversal enables arbitrary file read/write	n8n	6.5
MEDIUM	CVE-2024-7033	open-webui: path traversal allows file write and RCE	open-webui	6.5
MEDIUM	CVE-2024-51751	Gradio: path traversal exposes arbitrary server files	gradio	6.5
MEDIUM	CVE-2022-36551	Label Studio: SSRF + file read, self-reg bypass	label-studio	6.5
MEDIUM	CVE-2022-35918	Streamlit: path traversal leaks server filesystem	streamlit	6.5
MEDIUM	CVE-2024-48052	Gradio: SSRF in DownloadButton exposes internal resources	gradio	6.5
MEDIUM	CVE-2026-27496	n8n: uninitialized buffer leaks secrets via Task Runner	n8n	6.5
MEDIUM	CVE-2026-39378	nbconvert: path traversal exfiltrates files via HTML export	nbconvert	6.5
MEDIUM	GHSA-766v-q9x3-g744	praisonaiagents: agent context leak + path traversal	praisonaiagents	6.5
MEDIUM	CVE-2025-1979	Ray: Redis password exposed via plaintext logging	ray	6.4
MEDIUM	CVE-2026-7844	Langchain-Chatchat: auth bypass on file service endpoints		6.3
MEDIUM	CVE-2024-31462	stable-diffusion-webui: path traversal file write		6.3
MEDIUM	CVE-2026-40117	PraisonAI: arbitrary file read via unguarded skill tool	praisonaiagents	6.2
MEDIUM	CVE-2025-6210	llama-index Obsidian reader: hardlink path traversal leaks files	llama-index-readers-obsidian	6.2
MEDIUM	CVE-2024-36422	Flowise: reflected XSS enables session hijack and file read	flowise	6.1
MEDIUM	CVE-2025-12695	dspy: security flaw enables exploitation		5.9
MEDIUM	CVE-2026-7020	Ollama: path traversal in tensor model transfer handler	ollama	5.6
MEDIUM	CVE-2026-40610	BentoML: symlink traversal exfiltrates host secrets at build	bentoml	5.5
MEDIUM	CVE-2026-34447	ONNX: symlink traversal reads host files via model loading	onnx	5.5
MEDIUM	GHSA-cqmh-pcgr-q42f	@axonflow/openclaw: credential exposure via insecure file permissions	@axonflow/openclaw	5.5
MEDIUM	CVE-2021-41227	TensorFlow: OOB read in ImmutableConst leaks memory	tensorflow	5.5
MEDIUM	CVE-2025-68697	n8n: security flaw enables exploitation	n8n	5.4
MEDIUM	CVE-2026-34753	vLLM: SSRF in batch API exposes cloud metadata endpoints	vllm	5.4
MEDIUM	CVE-2024-10940	langchain-core: file read via prompt template inputs	langchain-core	5.3
MEDIUM	CVE-2026-40086	rembg: path traversal exposes arbitrary files via HTTP API	rembg	5.3
MEDIUM	CVE-2026-2589	Greenshift: Info Disclosure leaks sensitive data		5.3
MEDIUM	CVE-2024-12217	Gradio: NTFS ADS bypass exposes blocked file paths	gradio	5.3
MEDIUM	CVE-2025-2998	PyTorch: memory corruption in RNN pad_packed_sequence	pytorch	5.3
MEDIUM	CVE-2026-40152	praisonaiagents: glob traversal leaks filesystem metadata	praisonaiagents	5.3
MEDIUM	CVE-2025-2999	PyTorch: memory corruption in RNN sequence unpacking	pytorch	5.3
MEDIUM	CVE-2023-2800	Transformers: temp file race condition allows local DoS	transformers	4.7
MEDIUM	CVE-2026-34446	ONNX: hardlink path traversal leaks sensitive files	onnx	4.7
MEDIUM	CVE-2024-5206	scikit-learn: TfidfVectorizer leaks training data tokens	scikit-learn	4.7
MEDIUM	CVE-2024-6985	lollms: path traversal allows arbitrary directory read	lollms	4.4
MEDIUM	CVE-2020-26268	TensorFlow: ImmutableConst segfault crashes Python interpreter	tensorflow	4.4
MEDIUM	GHSA-wg4g-395p-mqv3	n8n-mcp: credential exposure via HTTP transport logging	n8n-mcp	4.3
MEDIUM	CVE-2025-6854	Langchain-Chatchat: path traversal in file API exposes host FS	langchain-chatchat	4.3
MEDIUM	CVE-2026-6598	Langflow: cleartext auth storage exposes API keys	langflow	4.3
MEDIUM	CVE-2026-28786	Open WebUI: path traversal leaks server filesystem path	open-webui	4.3
LOW	CVE-2024-6971	lollms: path traversal in RAG database functions	lollms	3.4
LOW	CVE-2023-1176	MLflow: path traversal exposes arbitrary local files	mlflow	3.3
LOW	CVE-2026-4993	OpenUI: hard-coded LiteLLM master key credential leak		3.3
LOW	CVE-2026-25211	llama-stack: security flaw enables exploitation		3.2
LOW	CVE-2024-7038	open-webui: filesystem enumeration via admin error messages	open-webui	2.7
LOW	CVE-2026-7847	Langchain-Chatchat: predictable file IDs leak uploaded files	langchain-chatchat	2.6
LOW	CVE-2024-40594	ChatGPT macOS: cleartext conversation storage exposed		2.3
MEDIUM	GHSA-x783-xp3g-mqhp	PraisonAI: SQL injection via table_prefix exposes DB	PraisonAI	—
LOW	GHSA-gj9q-8w99-mp8j	openclaw: TOCTOU race bypasses exec script preflight	openclaw	—
LOW	CVE-2026-44220	ciguard: symlink traversal exposes secrets via MCP agent		—
UNKNOWN	CVE-2025-59532	OpenAI Codex CLI: sandbox escape via model-generated cwd		—
MEDIUM	CVE-2025-12058	Keras: safe_mode bypass enables file read and SSRF	keras	—
MEDIUM	GHSA-5h3g-6xhh-rg6p	openclaw: TOCTOU race allows out-of-sandbox file read	openclaw	—
HIGH	GHSA-9726-w42j-3qjr	picklescan: Path Traversal enables file access	picklescan	—
MEDIUM	GHSA-r48f-3986-4f9c	fickling: Allowlist Bypass evades input filtering	fickling	—
HIGH	CVE-2026-40171	Jupyter Notebook: stored XSS enables full account takeover	@jupyterlab/help-extension	—
UNKNOWN	CVE-2026-41686	@anthropic-ai/sdk: insecure file perms expose agent memory	@anthropic-ai/sdk	—
MEDIUM	GHSA-5cxw-w2xg-2m8h	fickling: Allowlist Bypass evades input filtering	fickling	—
UNKNOWN	CVE-2026-2492	TensorFlow: security flaw enables exploitation		—
MEDIUM	GHSA-f934-5rqf-xx47	OpenClaw: path traversal in memory_get reads arbitrary workspace files	openclaw	—
MEDIUM	GHSA-gfg9-5357-hv4c	openclaw: path traversal exposes host files via audio embed	openclaw	—
CRITICAL	GHSA-5mg7-485q-xm76	litellm: supply chain attack harvests AI API credentials	litellm	—
UNKNOWN	CVE-2026-2285	CrewAI: arbitrary file read via JSON loader tool		—
UNKNOWN	CVE-2026-27489	ONNX: symlink path traversal allows arbitrary file read	onnx	—
MEDIUM	CVE-2026-34452	Anthropic SDK: TOCTOU symlink escape in async memory tool	anthropic	—
MEDIUM	CVE-2026-34450	anthropic-sdk: insecure file perms expose agent memory	anthropic	—
UNKNOWN	CVE-2024-1561	Gradio: path traversal enables arbitrary file read	gradio	—
UNKNOWN	CVE-2026-35029	LiteLLM: auth bypass allows RCE and full takeover	litellm	—
HIGH	GHSA-mr34-9552-qr95	openclaw: path traversal leaks files and NTLM credentials	openclaw	—
MEDIUM	GHSA-9q7v-8mr7-g23p	OpenClaw: SSRF in marketplace fetch hits internal AI infra	openclaw	—
MEDIUM	CVE-2026-34451	anthropic-ai/sdk: memory tool path traversal escape	@anthropic-ai/sdk	—
CRITICAL	CVE-2026-35615	PraisonAI: path traversal exposes full filesystem via agent tools	PraisonAI	—
HIGH	CVE-2025-25295	Label Studio SDK: path traversal leaks server filesystem	label-studio-sdk	—
UNKNOWN	CVE-2024-10707	ChuanhuChatGPT: path traversal exposes server files unauthed	chuanhuchatgpt	—
UNKNOWN	CVE-2024-11037	gpt_academic: path traversal exposes LLM API keys	gpt_academic	—
UNKNOWN	CVE-2024-12065	LLaVA: path traversal allows arbitrary file read		—
MEDIUM	GHSA-2f7j-rp58-mr42	OpenClaw: info disclosure exposes host filesystem paths	openclaw	—
MEDIUM	GHSA-846p-hgpv-vphc	OpenClaw: path traversal → host file exfiltration via QQ Bot	openclaw	—
CRITICAL	GHSA-2679-6mx9-h9xc	Marimo: pre-auth RCE via terminal WebSocket	marimo	—
LOW	GHSA-5fc7-f62m-8983	OpenClaw: local file read bypasses workspace policy	openclaw	—
MEDIUM	GHSA-qqq7-4hxc-x63c	openclaw: local file exfiltration via trusted MEDIA refs	openclaw	—
HIGH	CVE-2025-46417	picklescan: scanner bypass enables DNS data exfiltration	picklescan	—
CRITICAL	CVE-2025-32428	jupyter-remote-desktop-proxy: VNC network exposure	jupyter-remote-desktop-proxy	—