CVE-2026-25211 — LOW (CVSS 3.2) AI Security Vulnerability

CISO Take

Llama Stack exposed pgvector database credentials in plaintext initialization logs, affecting any deployment using pgvector as a vector store backend. Patch to llama-stack >= 0.4.4 immediately and rotate all pgvector passwords — assume any credentials logged prior to patching are compromised. Audit log access controls: if logs reached a SIEM, cloud log aggregator, or shared storage, treat the pgvector database as fully exposed.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
llama-stack	pip	< 0.4.4	`0.4.4`

Do you use llama-stack? You're affected.

Severity & Risk

CVSS 3.1

3.2 / 10

EPSS

0.0%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1) PATCH: Upgrade llama-stack to >= 0.4.4 immediately. 2) ROTATE: Change pgvector passwords on all affected instances regardless of perceived log exposure. 3) AUDIT LOGS: Search existing log archives for 'pgvector', 'password', 'postgres://', or similar connection string patterns — check SIEM, CloudWatch, Elastic, Splunk. 4) RESTRICT: Apply least-privilege access to application logs; logs containing initialization output should not be readable by application users or broad ops teams. 5) DETECT: Add a log monitoring rule for pgvector/PostgreSQL connection strings appearing in application logs. 6) VERIFY: Confirm no unauthorized connections to the pgvector database in the period between initial deployment and patching by reviewing PostgreSQL pg_stat_activity history or audit logs.

Classification

Data Leakage Data Extraction RAG Framework AML.T0037 - Data from Local System AML.T0055 - Unsecured Credentials AML.T0070 - RAG Poisoning AML.T0085.000 - RAG Databases

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.1.2 - Information Security in AI System Lifecycle A.9.4 - Logging and monitoring of AI systems

NIST AI RMF

GOVERN 1.6 - Policies and practices address AI risks across the lifecycle MANAGE 2.2 - Mechanisms are in place to deal with AI risk and to recover from incidents MANAGE-2.2 - Risk Response — Treatment of Identified AI Risks

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Sensitive Information Disclosure LLM08 - Vector and Embedding Weaknesses

Technical Details

NVD Description

Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.

Exploitation Scenario

An attacker with read access to Llama Stack application logs — via a compromised CI/CD pipeline, misconfigured S3 bucket storing logs, over-permissioned CloudWatch log group, or insider access — extracts the pgvector connection string from the initialization log entry. The credential is valid for direct TCP access to the PostgreSQL/pgvector instance. The attacker connects directly to the vector database, bypassing Llama Stack entirely, and issues SQL queries against the vector tables to exfiltrate the entire embedding store and associated metadata (document chunks, source references, user query data if stored). In a second-stage attack, the attacker inserts crafted embeddings that poison RAG retrieval, causing the LLM to return attacker-controlled content to end users without any visible indicators of compromise.

Weaknesses (CWE)

CWE-532 Insertion of Sensitive Information into Log File Primary

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

Timeline

Published

January 30, 2026

Last Modified

January 30, 2026

First Seen

March 24, 2026