AML.T0085
Data from AI Services
Adversaries may use their access to a victim organization's AI-enabled services to collect proprietary or otherwise sensitive information. As organizations adopt generative AI in centralized services for accessing their data, such as chat agents that can reach retrieval-augmented generation (RAG) databases and other data sources via tools, these services become increasingly valuable targets for adversaries. AI agents may be configured with access to tools and data sources that are not directly accessible to users. Adversaries may abuse this to collect data that a regular user would not be able to access directly.
30 CVEs mapped
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-53767 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | azure_openai | 10.0 |
| CRITICAL | CVE-2026-1470 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2024-8309 | LangChain GraphCypher: prompt injection enables DB wipe | langchain | 9.8 |
| CRITICAL | CVE-2026-44551 | open-webui: LDAP auth bypass — full account takeover | open-webui | 9.1 |
| CRITICAL | CVE-2026-21445 | langflow: Missing Auth allows unauthenticated access | langflow | 9.1 |
| HIGH | CVE-2025-6855 | Langchain-Chatchat: path traversal exposes system files | langchain-chatchat | 8.8 |
| HIGH | CVE-2026-27498 | n8n: Code Injection enables RCE | n8n | 8.8 |
| HIGH | CVE-2026-26286 | sillytavern: SSRF allows internal network access | — | 8.5 |
| HIGH | GHSA-48m6-ch88-55mj | Flowise: Mass Assignment allows cross-tenant org takeover | flowise | 8.1 |
| HIGH | CVE-2024-7043 | Open WebUI: auth bypass exposes all user files | open-webui | 8.1 |
| HIGH | CVE-2026-25750 | langsmith: security flaw enables exploitation | langsmith | 8.1 |
| HIGH | CVE-2026-39889 | PraisonAI: unauth A2U stream leaks all agent activity | praisonai | 7.5 |
| HIGH | CVE-2025-67644 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| HIGH | CVE-2025-64104 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| MEDIUM | CVE-2024-7044 | Open WebUI: Stored XSS via file upload, session hijack | open-webui | 6.8 |
| MEDIUM | CVE-2026-30886 | AI component: IDOR enables unauthorized data access | — | 6.5 |
| MEDIUM | CVE-2026-6542 | Langflow: IDOR exposes cross-tenant flow data and deletion | langflow | 6.5 |
| MEDIUM | CVE-2026-25640 | pydantic-ai: Path Traversal enables file access | pydantic-ai-slim | 5.4 |
| MEDIUM | CVE-2026-44558 | open-webui: permission bypass exposes channels publicly | open-webui | 5.4 |
| MEDIUM | CVE-2026-2589 | Greenshift: Info Disclosure leaks sensitive data | — | 5.3 |
| MEDIUM | CVE-2025-68492 | chainlit: IDOR enables unauthorized data access | chainlit | 4.2 |
| MEDIUM | CVE-2026-26019 | langchain_community: SSRF allows internal network access | langchain_community | 4.1 |
| MEDIUM | CVE-2026-1163 | lollms: sessions persist after password reset | lollms | 4.1 |
| MEDIUM | GHSA-fwjq-xwfj-gv75 | openclaw: auth bypass exposes agent session visibility | openclaw | — |
| UNKNOWN | CVE-2026-25083 | GROWI: Missing Auth allows unauthorized operations | — | — |
| HIGH | CVE-2026-44504 | Aegra: cross-tenant IDOR hijacks user thread data | aegra-api | — |
| LOW | GHSA-v8qf-fr4g-28p2 | OpenClaw: auth scope bypass exposes assistant-media files | openclaw | — |
| UNKNOWN | CVE-2026-42227 | n8n: IDOR leaks cross-project variables via API key | n8n | — |
| MEDIUM | CVE-2025-68131 | — | — | — |
| MEDIUM | CVE-2026-35657 | openclaw: auth bypass exposes agent session history via HTTP | openclaw | — |