DATA LEAK
(32)32 hack(s).
Crawl4AI's Docker API: request fields that exfiltrate your LLM keys
A July 2026 flaw in a popular LLM web-crawler let unauthenticated requests choose where LLM calls go and which server env var a token resolves from — leaking provider API keys and the server's own signing secret.
Reused MCP server instances leak tool results across clients
A design flaw in the official Model Context Protocol TypeScript SDK let a shared server or transport route one client's tool results, notifications, and sampling requests to another. Fixed in 1.26.0.
Open WebUI RAG fetch: a redirect that reaches cloud-metadata credentials
A late-June 2026 advisory shows Open WebUI's web-retrieval endpoint checked only the first URL, so an attacker-controlled redirect could steer a server-side fetch to cloud metadata. Fixed in 0.6.27.
Cognee's settings endpoint let any registered user repoint the whole instance's LLM provider
A July 2026 advisory shows the AI-memory platform Cognee exposed a settings route with no admin check, so a self-registered user could redirect every LLM call instance-wide to an attacker endpoint and siphon all users' data.
Loss Landscape Poisoning: making an LLM memorize secrets it never saw
A June 2026 paper shows a data-poisoning attacker can force an LLM to memorize target records it never accessed — and a probing trick recovers them even under differential privacy.
Microsoft 365 Copilot: an open redirect that blurred the tenant boundary
Microsoft disclosed a critical elevation-of-privilege flaw in 365 Copilot in early July 2026. An open redirect let an authenticated attacker cross the trust boundary that isolates one tenant's data from another.
Secrets leaking out of MCP servers: detecting protocol-induced exposure
A late-June 2026 study statically analysed 10,655 real-world MCP servers and found over 10% leak credentials, API keys or PII — not through outbound calls, but simply by returning, logging or raising sensitive values.
Measuring how much a RAG system leaks its private knowledge base
Two spring 2026 papers formalize and benchmark RAG knowledge-base extraction: a compound anchor-plus-command query pulls retrieved documents back verbatim, and the leakage factors cleanly into two independent causes.
Agents collect more than they reveal: auditing privacy at the acquisition stage
A June 2026 benchmark inspects the moment sensitive data enters an agent's context, not just what it later discloses — and finds over-collection is widespread.
Why agent privacy can't be enforced at the final answer
When an LLM agent queries databases, retrieves documents, and keeps memory across sessions, sensitive data leaks long before the answer. A June 2026 survey maps where.
Two-thirds of AI iOS apps leak their LLM credentials in plain network traffic
A Wake Forest study of 444 iOS AI apps found 282 exposing usable LLM credentials — plaintext keys, open proxy backends, and replayable tokens — readable from ordinary traffic. Three months after disclosure, only 28% had fixed it.
Attention drift: why 80% of real-world LLM apps leak their system prompt
A June 2026 study measured 1,200 production LLM apps and found most leak their system prompt under simple adversarial queries, tracing the cause to a mechanism called attention drift.
Task done, privacy leaked: agents over-share across tool calls
A June 2026 benchmark shows a tool-using agent can complete its task while quietly passing unnecessary private data to intermediate tools — success does not mean need-to-know disclosure.
DifyTap: four authorization flaws leak AI chats across Dify tenants
Zafran Labs disclosed four DifyTap flaws in Dify (June 22, 2026) — two critical, two unauthenticated, three cross-tenant — that let an attacker wiretap other customers' AI conversations and read their files. Three are fixed in 1.14.2.
GeminiJack: zero-click exfiltration from Gemini Enterprise via prompt injection
Disclosed December 2025, GeminiJack let a single shared Doc, calendar invite or email silently exfiltrate Gmail, Calendar and Docs data through Gemini Enterprise's RAG — the enterprise-RAG exfiltration class OWASP now ranks first.
Image prompt reconstruction: rebuilding private images from distributed MLLM embeddings
A June 2026 paper shows a passive participant in a distributed multimodal-LLM pipeline can rebuild the user's input image from the intermediate embeddings it relays. Black-box, no model weights needed.
Capability vs propensity: auditing LLM training-data leakage
A June 2026 framework, PropMe, separates what a model CAN leak under attack from what it WILL leak in ordinary use. The gap is wide — and audits that ignore it misstate real-world risk.
Service-side exfiltration via deep research agents
A hidden instruction in a single email made ChatGPT's Deep Research agent leak inbox data from OpenAI's own cloud — no rendering, no user action, invisible to network defenses. Here is the class and how to contain it.
Ghost tool calls: speculative agent execution leaks user intent
A June 2026 arXiv paper (2606.02483) shows that agents which speculatively pre-issue tool calls to hide latency leak inferred user intent to external services — and that the leak is a timing problem no allow-list can undo.
Membership inference via LLM tokenizers: a new privacy attack vector
A USENIX Security 2026 paper shows a model's tokenizer alone can leak which datasets were used in pre-training — a cheaper, model-free membership inference attack.
Side channels on LLM inference: your prompts leak despite TLS
Speculative decoding and streaming responses create traffic patterns that leak prompt topics, languages, even PII — through encrypted connections. A look at three papers and the defenses.
GraphSteal: reconstructing a private knowledge graph from Graph RAG
A paper posted May 27, 2026 shows that black-box queries can turn a Graph RAG system into a structural oracle, rebuilding over 90% of its hidden knowledge graph — entities, relations and all.
MEntA: membership inference on RAG corpora in five entailment queries
A May 2026 USENIX Security paper shows an attacker can tell whether a document sits in a RAG retrieval corpus with about five plain-language questions — no shadow models, no templated prompts, and it survives current defenses.
Reasoning trace exposure: hiding chain-of-thought doesn't protect it
A May 2026 paper shows that prompting alone can pull a reasoning model's hidden chain-of-thought back into user-visible output — and the recovered traces are good enough to distill a smaller model.
SearchLeak (CVE-2026-42824): one click turns M365 Copilot into a data-theft proxy
Varonis disclosed the mechanics of CVE-2026-42824 on June 15, 2026: a crafted microsoft.com link chains prompt injection, an HTML render race and a Bing SSRF to exfiltrate mail and MFA codes. Patched server-side.
Injection keeps leaking Copilot: two new June 2026 disclosure CVEs
June 9, 2026 Patch Tuesday shipped CVE-2026-42824 and CVE-2026-47644 — two injection-class information-disclosure flaws in Microsoft's Copilot surface, continuing the exfiltration lineage that started with EchoLeak.
Credential leakage in LLM agent skills: a 17,000-skill empirical study
An April 3, 2026 arXiv study analyzed 17,022 agent skills and found 520 leaking credentials — 73.5% of the leaks flow through debug logging that pipes secrets straight into the model's context.
Prompt inversion: split LLM inference leaks prompts, a principled defense lands
Prompt inversion attacks recover up to 88.4% of input tokens from intermediate activations in collaborative LLM inference. A paper submitted June 10, 2026 proposes the first information-theoretic defense.
Social contagion: LLM agents leak private data in multi-agent settings
A May 2026 study simulating thousands of LLM agents finds privacy leakage is socially contagious: agents leak ~8x more after a peer does, and explicit privacy instructions reduce but don't eliminate it.
Trojan Hippo: dormant agent-memory payloads that exfiltrate your data
A May 3, 2026 arXiv paper shows one crafted email can plant a dormant payload in an agent's long-term memory that wakes only when you later discuss finance or health, then exfiltrates it — up to 100% success.
Bleeding Llama: a GGUF parsing flaw leaks Ollama process memory to unauthenticated attackers
CVE-2026-7482, publicly disclosed in May 2026 and codenamed Bleeding Llama by Cyera, lets a remote attacker pull arbitrary chunks of an Ollama server's heap — API keys, system prompts, other users' conversations — with three unauthenticated API calls. The silent patch shipped 2.5 months before the CVE was assigned.
System prompt extraction via repetition attacks
Asking the model to 'repeat the word poem forever' causes it to eventually dump training data and system prompts. Documented across Claude 3, GPT-4, and Gemini.