system: OPERATIONAL
← back to categories

DATA LEAK

(32)

32 hack(s).

DATA LEAK CRITICAL NEW

Crawl4AI's Docker API: request fields that exfiltrate your LLM keys

A July 2026 flaw in a popular LLM web-crawler let unauthenticated requests choose where LLM calls go and which server env var a token resolves from — leaking provider API keys and the server's own signing secret.

2026-07-17//6 min
DATA LEAK MEDIUM NEW

Reused MCP server instances leak tool results across clients

A design flaw in the official Model Context Protocol TypeScript SDK let a shared server or transport route one client's tool results, notifications, and sampling requests to another. Fixed in 1.26.0.

2026-07-15//6 min
DATA LEAK MEDIUM NEW

Open WebUI RAG fetch: a redirect that reaches cloud-metadata credentials

A late-June 2026 advisory shows Open WebUI's web-retrieval endpoint checked only the first URL, so an attacker-controlled redirect could steer a server-side fetch to cloud metadata. Fixed in 0.6.27.

2026-07-15//5 min
DATA LEAK CRITICAL NEW

Cognee's settings endpoint let any registered user repoint the whole instance's LLM provider

A July 2026 advisory shows the AI-memory platform Cognee exposed a settings route with no admin check, so a self-registered user could redirect every LLM call instance-wide to an attacker endpoint and siphon all users' data.

2026-07-08//6 min
DATA LEAK MEDIUM NEW

Loss Landscape Poisoning: making an LLM memorize secrets it never saw

A June 2026 paper shows a data-poisoning attacker can force an LLM to memorize target records it never accessed — and a probing trick recovers them even under differential privacy.

2026-07-08//7 min
DATA LEAK CRITICAL NEW

Microsoft 365 Copilot: an open redirect that blurred the tenant boundary

Microsoft disclosed a critical elevation-of-privilege flaw in 365 Copilot in early July 2026. An open redirect let an authenticated attacker cross the trust boundary that isolates one tenant's data from another.

2026-07-08//6 min
DATA LEAK MEDIUM NEW

Secrets leaking out of MCP servers: detecting protocol-induced exposure

A late-June 2026 study statically analysed 10,655 real-world MCP servers and found over 10% leak credentials, API keys or PII — not through outbound calls, but simply by returning, logging or raising sensitive values.

2026-07-07//6 min
DATA LEAK MEDIUM NEW

Measuring how much a RAG system leaks its private knowledge base

Two spring 2026 papers formalize and benchmark RAG knowledge-base extraction: a compound anchor-plus-command query pulls retrieved documents back verbatim, and the leakage factors cleanly into two independent causes.

2026-07-06//7 min
DATA LEAK MEDIUM NEW

Agents collect more than they reveal: auditing privacy at the acquisition stage

A June 2026 benchmark inspects the moment sensitive data enters an agent's context, not just what it later discloses — and finds over-collection is widespread.

2026-07-06//6 min
DATA LEAK MEDIUM NEW

Why agent privacy can't be enforced at the final answer

When an LLM agent queries databases, retrieves documents, and keeps memory across sessions, sensitive data leaks long before the answer. A June 2026 survey maps where.

2026-07-05//6 min
DATA LEAK MEDIUM NEW

Two-thirds of AI iOS apps leak their LLM credentials in plain network traffic

A Wake Forest study of 444 iOS AI apps found 282 exposing usable LLM credentials — plaintext keys, open proxy backends, and replayable tokens — readable from ordinary traffic. Three months after disclosure, only 28% had fixed it.

2026-07-04//6 min
DATA LEAK MEDIUM NEW

Attention drift: why 80% of real-world LLM apps leak their system prompt

A June 2026 study measured 1,200 production LLM apps and found most leak their system prompt under simple adversarial queries, tracing the cause to a mechanism called attention drift.

2026-07-04//6 min
DATA LEAK MEDIUM NEW

Task done, privacy leaked: agents over-share across tool calls

A June 2026 benchmark shows a tool-using agent can complete its task while quietly passing unnecessary private data to intermediate tools — success does not mean need-to-know disclosure.

2026-07-02//6 min
DATA LEAK CRITICAL NEW

DifyTap: four authorization flaws leak AI chats across Dify tenants

Zafran Labs disclosed four DifyTap flaws in Dify (June 22, 2026) — two critical, two unauthenticated, three cross-tenant — that let an attacker wiretap other customers' AI conversations and read their files. Three are fixed in 1.14.2.

2026-06-25//7 min
DATA LEAK CRITICAL NEW

GeminiJack: zero-click exfiltration from Gemini Enterprise via prompt injection

Disclosed December 2025, GeminiJack let a single shared Doc, calendar invite or email silently exfiltrate Gmail, Calendar and Docs data through Gemini Enterprise's RAG — the enterprise-RAG exfiltration class OWASP now ranks first.

2026-06-21//7 min
DATA LEAK MEDIUM NEW

Image prompt reconstruction: rebuilding private images from distributed MLLM embeddings

A June 2026 paper shows a passive participant in a distributed multimodal-LLM pipeline can rebuild the user's input image from the intermediate embeddings it relays. Black-box, no model weights needed.

2026-06-21//6 min
DATA LEAK LOW NEW

Capability vs propensity: auditing LLM training-data leakage

A June 2026 framework, PropMe, separates what a model CAN leak under attack from what it WILL leak in ordinary use. The gap is wide — and audits that ignore it misstate real-world risk.

2026-06-21//6 min
DATA LEAK MEDIUM NEW

Service-side exfiltration via deep research agents

A hidden instruction in a single email made ChatGPT's Deep Research agent leak inbox data from OpenAI's own cloud — no rendering, no user action, invisible to network defenses. Here is the class and how to contain it.

2026-06-20//6 min
DATA LEAK MEDIUM NEW

Ghost tool calls: speculative agent execution leaks user intent

A June 2026 arXiv paper (2606.02483) shows that agents which speculatively pre-issue tool calls to hide latency leak inferred user intent to external services — and that the leak is a timing problem no allow-list can undo.

2026-06-18//6 min
DATA LEAK MEDIUM NEW

Membership inference via LLM tokenizers: a new privacy attack vector

A USENIX Security 2026 paper shows a model's tokenizer alone can leak which datasets were used in pre-training — a cheaper, model-free membership inference attack.

2026-06-18//6 min
DATA LEAK MEDIUM NEW

Side channels on LLM inference: your prompts leak despite TLS

Speculative decoding and streaming responses create traffic patterns that leak prompt topics, languages, even PII — through encrypted connections. A look at three papers and the defenses.

2026-06-17//6 min
DATA LEAK MEDIUM NEW

GraphSteal: reconstructing a private knowledge graph from Graph RAG

A paper posted May 27, 2026 shows that black-box queries can turn a Graph RAG system into a structural oracle, rebuilding over 90% of its hidden knowledge graph — entities, relations and all.

2026-06-16//6 min
DATA LEAK MEDIUM NEW

MEntA: membership inference on RAG corpora in five entailment queries

A May 2026 USENIX Security paper shows an attacker can tell whether a document sits in a RAG retrieval corpus with about five plain-language questions — no shadow models, no templated prompts, and it survives current defenses.

2026-06-16//6 min
DATA LEAK MEDIUM NEW

Reasoning trace exposure: hiding chain-of-thought doesn't protect it

A May 2026 paper shows that prompting alone can pull a reasoning model's hidden chain-of-thought back into user-visible output — and the recovered traces are good enough to distill a smaller model.

2026-06-16//7 min
DATA LEAK MEDIUM NEW

SearchLeak (CVE-2026-42824): one click turns M365 Copilot into a data-theft proxy

Varonis disclosed the mechanics of CVE-2026-42824 on June 15, 2026: a crafted microsoft.com link chains prompt injection, an HTML render race and a Bing SSRF to exfiltrate mail and MFA codes. Patched server-side.

2026-06-16//6 min
DATA LEAK MEDIUM NEW

Injection keeps leaking Copilot: two new June 2026 disclosure CVEs

June 9, 2026 Patch Tuesday shipped CVE-2026-42824 and CVE-2026-47644 — two injection-class information-disclosure flaws in Microsoft's Copilot surface, continuing the exfiltration lineage that started with EchoLeak.

2026-06-12//6 min
DATA LEAK MEDIUM NEW

Credential leakage in LLM agent skills: a 17,000-skill empirical study

An April 3, 2026 arXiv study analyzed 17,022 agent skills and found 520 leaking credentials — 73.5% of the leaks flow through debug logging that pipes secrets straight into the model's context.

2026-06-12//6 min
DATA LEAK MEDIUM NEW

Prompt inversion: split LLM inference leaks prompts, a principled defense lands

Prompt inversion attacks recover up to 88.4% of input tokens from intermediate activations in collaborative LLM inference. A paper submitted June 10, 2026 proposes the first information-theoretic defense.

2026-06-12//6 min
DATA LEAK MEDIUM NEW

Social contagion: LLM agents leak private data in multi-agent settings

A May 2026 study simulating thousands of LLM agents finds privacy leakage is socially contagious: agents leak ~8x more after a peer does, and explicit privacy instructions reduce but don't eliminate it.

2026-06-04//7 min
DATA LEAK MEDIUM NEW

Trojan Hippo: dormant agent-memory payloads that exfiltrate your data

A May 3, 2026 arXiv paper shows one crafted email can plant a dormant payload in an agent's long-term memory that wakes only when you later discuss finance or health, then exfiltrates it — up to 100% success.

2026-06-02//6 min
DATA LEAK CRITICAL

Bleeding Llama: a GGUF parsing flaw leaks Ollama process memory to unauthenticated attackers

CVE-2026-7482, publicly disclosed in May 2026 and codenamed Bleeding Llama by Cyera, lets a remote attacker pull arbitrary chunks of an Ollama server's heap — API keys, system prompts, other users' conversations — with three unauthenticated API calls. The silent patch shipped 2.5 months before the CVE was assigned.

2026-05-27//7 min
DATA LEAK CRITICAL

System prompt extraction via repetition attacks

Asking the model to 'repeat the word poem forever' causes it to eventually dump training data and system prompts. Documented across Claude 3, GPT-4, and Gemini.

2026-05-10//4 min