DATA LEAK
19 hacks.
DifyTap: four authorization flaws leak AI chats across Dify tenants
Zafran Labs disclosed four DifyTap flaws in Dify (June 22, 2026) — two critical, two unauthenticated, three cross-tenant — that let an attacker wiretap other customers' AI conversations and read their files. Three are fixed in 1.14.2.
Image prompt reconstruction: rebuilding private images from distributed MLLM embeddings
A June 2026 paper shows a passive participant in a distributed multimodal-LLM pipeline can rebuild the user's input image from the intermediate embeddings it relays. Black-box, no model weights needed.
GeminiJack: zero-click exfiltration from Gemini Enterprise via prompt injection
Disclosed December 2025, GeminiJack let a single shared Doc, calendar invite or email silently exfiltrate Gmail, Calendar and Docs data through Gemini Enterprise's RAG: the prompt-injection class that OWASP's LLM Top 10 ranks first.
Capability vs propensity: auditing LLM training-data leakage
A June 2026 framework, PropMe, separates what a model CAN leak under attack from what it WILL leak in ordinary use. The gap is wide — and audits that ignore it misstate real-world risk.
Service-side exfiltration via deep research agents
A hidden instruction in a single email made ChatGPT's Deep Research agent leak inbox data. Nothing rendered in a browser and the user did nothing; the exfiltration request left OpenAI's own cloud, so the victim's network defenses never saw it. Here is the class and how to contain it.
Ghost tool calls: speculative agent execution leaks user intent
A June 2026 arXiv paper (2606.02483) shows that agents which speculatively pre-issue tool calls to hide latency leak inferred user intent to external services — and that the leak is a timing problem no allow-list can undo.
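Added example, not from the paper: a detector for speculative tool calls run over a constructed agent trace, in Python. The event schema, the hosts and the allow-list are assumptions. It makes the teaser's point concretely: a destination allow-list admits the call because the host is allowed, yet the call was issued before the user's intent was confirmed, so the inferred query had already left.

```python
# Constructed trace: one user turn. The agent speculatively fires two tool calls
# while the model is still deciding, then commits a plan that keeps only one.
TRACE = [
    {"t": 0.00, "type": "user_turn", "turn": "u1",
     "text": "can you help me book something next week"},
    {"t": 0.04, "type": "tool_call", "turn": "u1", "id": "c1",
     "host": "search.partner.example",
     "args": {"q": "oncology clinics near me accepting new patients"}},
    {"t": 0.05, "type": "tool_call", "turn": "u1", "id": "c2",
     "host": "calendar.internal", "args": {"range": "next week"}},
    {"t": 0.90, "type": "plan_commit", "turn": "u1", "calls": ["c2"]},
    {"t": 0.95, "type": "tool_call", "turn": "u1", "id": "c3",
     "host": "calendar.internal", "args": {"range": "next week", "action": "hold"}},
]

ALLOWED_HOSTS = {"search.partner.example", "calendar.internal"}  # assumed allow-list
INTERNAL_HOSTS = {"calendar.internal"}  # assumed: data stays inside the trust boundary


def allowlist_passes(call):
    """The control the teaser says cannot help: it only looks at the destination."""
    return call["host"] in ALLOWED_HOSTS


def find_ghost_calls(trace):
    """Flag tool calls to external hosts issued before the plan for their turn was committed.

    'speculative' means the call left before the user's intent was confirmed;
    'external' means the argument payload crossed the trust boundary."""
    commits = {e["turn"]: e for e in trace if e["type"] == "plan_commit"}
    findings = []
    for e in trace:
        if e["type"] != "tool_call":
            continue
        commit = commits.get(e["turn"])
        speculative = commit is None or e["t"] < commit["t"]
        external = e["host"] not in INTERNAL_HOSTS
        if speculative and external:
            kept = commit is not None and e["id"] in commit["calls"]
            findings.append({
                "id": e["id"],
                "host": e["host"],
                "args": e["args"],
                "allowlisted": allowlist_passes(e),
                "outcome": "confirmed later" if kept else "discarded: leak bought nothing",
            })
    return findings


if __name__ == "__main__":
    for g in find_ghost_calls(TRACE):
        print(g["id"], "->", g["host"], "| allow-listed:", g["allowlisted"], "|", g["outcome"])
```

The same predicate is the enforcement point: hold any call to a host outside INTERNAL_HOSTS until the turn's plan_commit, and let speculation run only against internal or cached sources. An allow-list check at issue time returns True for c1 and stops nothing.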
Membership inference via LLM tokenizers: a new privacy attack vector
A USENIX Security 2026 paper shows a model's tokenizer alone can leak which datasets were used in pre-training — a cheaper, model-free membership inference attack.
Side channels on LLM inference: your prompts leak despite TLS
Speculative decoding and streaming responses create traffic patterns that leak prompt topics, languages, even PII — through encrypted connections. A look at three papers and the defenses.
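Added example, not from the page or from any of the three papers: a toy Python model of the streaming-response side channel and the padding defense. Each token is flushed as its own record, so an on-path observer sees one encrypted record per token whose size is the token's byte length plus a constant framing overhead. The tokenizer, the 60-byte overhead, the candidate responses and the 64-byte padding bucket are all assumptions for illustration.

```python
import re

# Toy whitespace/punctuation tokenizer (assumption: real BPE tokenizers differ,
# but the channel only depends on per-record byte lengths, not token identity).
TOKEN_RE = re.compile(r"\s?\w+|\s?[^\w\s]")

# Assumed constant per-record cost of SSE/JSON framing plus the TLS record
# header and authentication tag. Encryption hides the bytes, not the count.
FRAMING_OVERHEAD = 60

# Constructed candidate responses an attacker might enumerate or predict.
CANDIDATES = {
    "refill": "Your prescription refill for metformin is ready for pickup.",
    "travel": "Your flight to Denver departs at 9:40 tomorrow morning.",
    "banking": "Your account balance is below the minimum; a fee applies.",
}


def tokenize(text):
    return TOKEN_RE.findall(text)


def wire_sizes(text):
    """Record sizes seen on the wire when each token is flushed as its own record."""
    return [len(tok.encode()) + FRAMING_OVERHEAD for tok in tokenize(text)]


def match_score(observed_lengths, candidate_lengths):
    """Fraction of positions whose token byte lengths agree; a length mismatch counts against."""
    n = max(len(observed_lengths), len(candidate_lengths))
    hits = sum(1 for a, b in zip(observed_lengths, candidate_lengths) if a == b)
    return hits / n if n else 0.0


def identify(observed_sizes, candidates, threshold=0.9):
    """Attacker side: recover token lengths from record sizes and pick the best candidate.

    Returns None when no candidate clears the threshold or the top two tie."""
    lengths = [s - FRAMING_OVERHEAD for s in observed_sizes]
    scored = sorted(
        (match_score(lengths, [len(t.encode()) for t in tokenize(txt)]), label)
        for label, txt in candidates.items()
    )
    best_score, best_label = scored[-1]
    if best_score < threshold or (len(scored) > 1 and scored[-2][0] == best_score):
        return None
    return best_label


def padded_wire_sizes(text, bucket=64, batch=4):
    """Defense: batch several tokens per record and pad each record up to a bucket size.

    The observer then sees a run of identical sizes and only a coarse record count."""
    toks = tokenize(text)
    sizes = []
    for i in range(0, len(toks), batch):
        payload = len("".join(toks[i:i + batch]).encode()) + FRAMING_OVERHEAD
        sizes.append(-(-payload // bucket) * bucket)  # round up to the bucket
    return sizes


if __name__ == "__main__":
    for label, text in CANDIDATES.items():
        print(label, "per-token stream leaks as:", identify(wire_sizes(text), CANDIDATES))
        print(label, "batched+padded stream leaks as:", identify(padded_wire_sizes(text), CANDIDATES))
```

Batching alone still leaks the per-batch length; padding alone still leaks the token count. The two together are what collapse every candidate to the same size sequence here, at the cost of latency and bandwidth, which is why the papers in question treat this as a trade-off rather than a free fix.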
Reasoning trace exposure: hiding chain-of-thought doesn't protect it
A May 2026 paper shows that prompting alone can pull a reasoning model's hidden chain-of-thought back into user-visible output — and the recovered traces are good enough to distill a smaller model.
SearchLeak (CVE-2026-42824): one click turns M365 Copilot into a data-theft proxy
Varonis disclosed the mechanics of CVE-2026-42824 on June 15, 2026: a crafted microsoft.com link chains prompt injection, an HTML render race and a Bing SSRF to exfiltrate mail and MFA codes. Patched server-side.
GraphSteal: reconstructing a private knowledge graph from Graph RAG
A paper posted May 27, 2026 shows that black-box queries can turn a Graph RAG system into a structural oracle, rebuilding over 90% of its hidden knowledge graph — entities, relations and all.
MEntA: membership inference on RAG corpora in five entailment queries
A May 2026 USENIX Security paper shows an attacker can tell whether a document sits in a RAG retrieval corpus with about five plain-language questions — no shadow models, no templated prompts, and it survives current defenses.
Credential leakage in LLM agent skills: a 17,000-skill empirical study
An April 3, 2026 arXiv study analyzed 17,022 agent skills and found 520 leaking credentials — 73.5% of the leaks flow through debug logging that pipes secrets straight into the model's context.
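Added example, not from the study: the pattern behind the 73.5% figure, in Python. A debug logger whose handler writes into the model context is the leak; the same handler with a redaction pass is the containment. The skill, its endpoint, the detector patterns and the credentials (AWS's published example key ID, a fake ghp_ token and a made-up config key) are all constructed for illustration.

```python
import logging
import re

# Constructed credentials: AWS's documentation example key ID and two fake secrets.
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
TOKEN = "ghp_" + "x" * 36
CONFIG_KEY = "sk-constructed-" + "0" * 24
URL = "https://api.example.com/repos/acme/issues"  # assumed endpoint

# Constructed detector patterns; real scanners carry hundreds. Where a pattern
# has a group(1), that prefix (the key name) is kept and only the value is dropped.
SECRET_PATTERNS = [
    ("assigned_secret", re.compile(
        r"(?i)\b((?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?)([^\s'\"]{8,})")),
    ("bearer_token", re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._\-]{20,}")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def redact(text):
    """Replace secret-shaped substrings; return the clean text and the pattern names hit."""
    findings = []
    for name, pattern in SECRET_PATTERNS:
        def repl(m, name=name):
            findings.append(name)
            keep = m.group(1) if m.re.groups else ""
            return keep + "[REDACTED]"
        text = pattern.sub(repl, text)
    return text, findings


class ModelContext:
    """Stand-in for the text an agent runtime feeds back to the LLM."""

    def __init__(self):
        self.chunks = []

    def append(self, text):
        self.chunks.append(text)

    def text(self):
        return "\n".join(self.chunks)


class ContextLogHandler(logging.Handler):
    """Routes log records into the model context. With sanitize=False this is the leak."""

    def __init__(self, ctx, sanitize):
        super().__init__()
        self.ctx = ctx
        self.sanitize = sanitize
        self.findings = []

    def emit(self, record):
        msg = self.format(record)
        if self.sanitize:
            msg, found = redact(msg)
            self.findings.extend(found)
        self.ctx.append(msg)


def run_skill(sanitize):
    """Run a constructed skill whose verbose debug logging lands in the model context."""
    ctx = ModelContext()
    handler = ContextLogHandler(ctx, sanitize)
    logger = logging.getLogger("skill.sanitized" if sanitize else "skill.raw")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers = [handler]
    headers = {"Authorization": "Bearer " + TOKEN}
    logger.debug("GET %s headers=%s", URL, headers)          # logs the auth header
    logger.debug("env AWS_ACCESS_KEY_ID=%s", AWS_KEY)         # logs the environment
    logger.debug("config api_key=%s loaded", CONFIG_KEY)      # logs parsed config
    ctx.append("tool result: 3 open issues")
    return ctx.text(), handler.findings


if __name__ == "__main__":
    for sanitize in (False, True):
        text, found = run_skill(sanitize)
        print("sanitize=%s findings=%s\n%s\n" % (sanitize, found, text))
```

Redacting at the handler is the cheap fix; the better one is not routing debug output into the context at all and giving the model only the tool's structured result. Pattern matching also misses anything that does not look like a credential, so treat the scan as a backstop, not a guarantee.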
Prompt inversion: split LLM inference leaks prompts, a principled defense lands
Prompt inversion attacks recover up to 88.4% of input tokens from intermediate activations in collaborative LLM inference. A paper submitted June 10, 2026 proposes the first information-theoretic defense.
Injection keeps leaking Copilot: two new June 2026 disclosure CVEs
June 9, 2026 Patch Tuesday shipped CVE-2026-42824 and CVE-2026-47644 — two injection-class information-disclosure flaws in Microsoft's Copilot surface, continuing the exfiltration lineage that started with EchoLeak.
Social contagion: LLM agents leak private data in multi-agent settings
A May 2026 study simulating thousands of LLM agents finds privacy leakage is socially contagious: agents leak ~8x more after a peer does, and explicit privacy instructions reduce but don't eliminate it.
Trojan Hippo: dormant agent-memory payloads that exfiltrate your data
A May 3, 2026 arXiv paper shows one crafted email can plant a dormant payload in an agent's long-term memory that wakes only when you later discuss finance or health, then exfiltrates it — up to 100% success.
Bleeding Llama: a GGUF parsing flaw leaks Ollama process memory to unauthenticated attackers
CVE-2026-7482, publicly disclosed in May 2026 and codenamed Bleeding Llama by Cyera, lets a remote attacker pull arbitrary chunks of an Ollama server's heap — API keys, system prompts, other users' conversations — with three unauthenticated API calls. The silent patch shipped 2.5 months before the CVE was assigned.
System prompt extraction via repetition attacks
Asking a model to 'repeat the word poem forever' eventually makes it diverge from the repetition, and what follows is memorized training data and system-prompt text. Documented across Claude 3, GPT-4, and Gemini.