惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
K
Kaspersky official blog
A
Arctic Wolf
Attack and Defense Labs
Attack and Defense Labs
L
LINUX DO - 热门话题
N
News | PayPal Newsroom
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
B
Blog RSS Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
W
WeLiveSecurity
Know Your Adversary
Know Your Adversary
博客园 - Franky
T
Tenable Blog
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Help Net Security
Help Net Security
WordPress大学
WordPress大学
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
D
Darknet – Hacking Tools, Hacker News & Cyber Security
H
Heimdal Security Blog
TaoSecurity Blog
TaoSecurity Blog
S
Security Affairs
J
Java Code Geeks
小众软件
小众软件
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Apple Machine Learning Research
Apple Machine Learning Research
NISL@THU
NISL@THU
O
OpenAI News
The Cloudflare Blog
月光博客
月光博客
Google Online Security Blog
Google Online Security Blog
V
V2EX
罗磊的独立博客
美团技术团队
博客园 - 三生石上(FineUI控件)
Security Latest
Security Latest
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
大猫的无限游戏
大猫的无限游戏

Blog | Orca Security

Langflow RCE Actively Exploited to Deploy Cryptominers on AI Infrastructure Orca MCP: When Text Stops Scaling Kubernetes Compliance Tools: Automating CIS Benchmarks Risk-Based Vulnerability Management for the Cloud: A 2026 Guide Private Cloud Security: Top Risks and Best Practices (2026) What Is Generative AI in Cybersecurity? Best Vulnerability Management Tools and Software in 2026 2026 State of Application Security Report Recap: What the Data Says and What Security Teams Should Do About It AI Security for Sensitive Data: Best Practices and Guidelines Best AI Code Security Solutions 2026: How to Secure AI-Generated Code From Platform to Program: How to Ensure Your Cloud Security Solution Delivers Best AI Cybersecurity Providers 2026: A Buyer's Guide to AI-Powered Security Platforms Join Orca Security at Black Hat USA 2026 CNAPP Tools That Reduce Security Tool Sprawl: CNAPP vs. Dedicated Solutions What Is Container Runtime Security? A Practical Guide 2026 What Is Application Security Testing? Tools and Types What Is Managed Cloud Security? A Practical Guide What Is SaaS Security Posture Management? SSPM Guide Top 10 Cloud Security Standards for Compliance What is the MIT License? Compliance and Comparisons AI Agents vs. Agentless Security vs. Agent-based Security 144 Mastra npm Packages Compromised via Supply Chain Attack The Complete Guide to LLM Security: Risks, Best Practices, and Solutions Cloud Security LIVE 2026: Top 10 Takeaways Practitioners Can Use Now Cloud Security LIVE 2026: Top 10 Takeaways CISOs Can Use Now (and What to Do Next) How Orca Traced an nginx Flaw to 1.45 Million Tengine Servers All Running Vulnerable Code What to Look for in Container Security Tools Cloud Application Security Best Practices for DevSecOps Cloud Security Tools: 10 Types Explained for Teams What Is NIST CSF? Framework 2.0 Explained 7 Open Source Incident Response Tools by Category Critical Langflow Path Traversal Flaw Exploited for Unauthenticated RCE Critical PhpSpreadsheet RCE Patch Bypass Puts Millions at Risk Critical Splunk Enterprise Vulnerabilities Allow Unauthenticated File Operations and Remote Code Execution 16 Best Open Source Application Security Tools 2026 What Is Containerization? Security and Best Practices 8 Container Security Best Practices for 2026 Close the Cloud Identity Gap with Orca and AWS IAM Access Analyzer The 5-Step Context-Aware Cloud Vulnerability Prioritization Framework Critical Jupyter Enterprise Gateway Vulnerabilities Enable Full Kubernetes Cluster Takeover AI Security Best Practices for Regulated Industries Massive PyPI Supply Chain Attack Harvests Cloud Credentials via Python Startup Hooks SAST vs SCA: Key Differences for AppSec Teams What Is Cloud Security Architecture? Principles, Layers, and Frameworks What Is ASPM? A Guide to Application Security Posture Management What Is SaaS Security? A Practical Guide 2026 What Is a Man-in-the-Middle Attack? A Cloud Security Guide What Is Open Policy Agent? Best Practices and Use Cases 11 Best Open-Source DevSecOps Tools for 2026 How to Secure AI Workloads in Multi-Cloud Environments: A Complete Framework Critical WordPress Plugin Vulnerability Allows Unauthenticated Admin Takeover on 150K Sites What Is Kubernetes as a Service? KaaS Explained Critical Netlogon RCE Flaw Actively Exploited Against Windows Domain Controllers Your FedRAMP Continuous Monitoring Strategy Has a Gap. We Built Something to Fix It. How to Simplify Multi-Cloud Compliance Reporting: The 2026 Checklist Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm Critical RCE in LiquidJS Lets Attackers Execute Arbitrary Commands on Unpatched Hosts Securing Shadow AI: How to Detect Unapproved LLMs in Your Cloud Data Security Posture Management (DSPM) for AI Gitea Container Registry Exposes Private Images to Unauthenticated Attackers Critical Unauthenticated RCE in Kopia Backup via SSH ProxyCommand Injection Best Palo Alto Networks Cortex (Prisma Cloud) Alternatives in 2026 7 Enterprise AI Security Risks to Manage Critical Pre-Auth RCE in ChromaDB Threatens AI Infrastructure Critical Coder Signature Bypass Exposes Developer Keys and Tokens New “PoolSlip” NGINX Exploit Revives Unpatched Remote Code Execution Risk Critical Drupal SQL Injection Exposes PostgreSQL-Backed Sites to Remote Code Execution AI Security Tools: How to Evaluate Them Across Every ML Attack Phase Massive npm Supply Chain Attack Compromises AntV Ecosystem, Steals CI/CD Secrets at Scale NIST AI Risk Management Framework (AI RMF) Explained: What It Is and How Organizations Use It GenAI Risks in Cloud Environments: What Security Teams Are Actually Missing in 2026 What Is Multi-Cloud Security? What Is Cloud Detection and Response (CDR)? Linux kernel vulnerability enables local theft of SSH host keys and /etc/shadow 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated DoS and Potential RCE Announcing Cloud Security Agent Skills for Orca’s MCP Server TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack Dirty Frag: Linux Kernel Vulnerability Chain Enables Local Privilege Escalation to Root Critical Apache HTTP Server HTTP/2 Vulnerability Could Enable Remote Code Execution Skill Issues: How We Discovered Supply Chain Attack Vectors in an AI Agent Skills Marketplace What Is an Incident Response Plan? What Is Cloud Data Security? Risks, Challenges, and 12 Best Practices Remote Code Execution in GitHub Enterprise Server via Git Push Injection (CVE-2026-3854) Linux Kernel Bug (Copy.Fail) Enables Local Privilege Escalation to Root (CVE-2026-31431) Xinference PyPI package compromise leads to full environment takeover What is Application Security? When AI Accelerates the Offense, Coverage Gaps Become Catastrophic Orca Security Recognized in the 2026 TAG Enterprise AI Security Handbook Navigating Cloud Security in 2026: Join Cloud Security LIVE Anthropic’s Project Glasswing Is a Positive Step Toward Cleaner, Safer Production Kyverno SSRF: Breaking Kubernetes Namespace Isolation (CVE-2026-4789) Streamline Compliance Reporting with Orca and Drata’s Integrated Vulnerability Management CVE-2026-23226: How a Missing Lock in ksmbd’s Channel List Exposes Your Linux SMB3 Server 2026 State of AppSec: When Development Velocity Outpaces Security AI Is Entering Your Infrastructure. Now what? Orca Security Featured in SACR’s 2026 Unified Agentic Defense Platforms Report Supply Chain Attack on Axios Delivers Cross-Platform RAT via Compromised npm Account Credential‑Stealing Malware in LiteLLM Supply Chain Attack Mission Accomplished: Orchestrate Your Remediation Strategy With Orca Missions The Orca Approach to Runtime AI Security
The AI Data You Forgot to Lock: How Exposed Vector Databases Put Organizations at Risk
Roi Nisimi · 2026-05-19 · via Blog | Orca Security

Table of contents

  • Executive Summary: PII, Medical Records, and Credentials at Risk
  • The Rise of Vector Databases and Their Blind Spots
  • The Root Causes of Exposure
  • From Data Exposure to Lateral Movement
  • A Pattern We’ve Seen Before
  • 6 Steps to Secure Your AI Data
  • Summary
  • How Can Orca Help?
  • Learn more

The AI revolution has brought a new class of infrastructure into the mainstream: vector databases. Tools like Weaviate, Milvus, and ChromaDB have become essential building blocks for AI-powered applications from retrieval-augmented generation (RAG) pipelines to semantic search and recommendation engines. But as organizations race to adopt these technologies, a familiar pattern is emerging: security is an afterthought.

The Orca Research team conducted an extensive investigation into publicly exposed vector database instances and found a troubling landscape. Multiple exposed instances across several vector database platforms were discovered. The data inside wasn’t just “embeddings”, it included personally identifiable information (PII), credentials, medical records, biometric data, and internal system secrets. In one case, we were able to use secrets found inside a vector database to move laterally and access customer accounts on an entirely separate platform.

This is not a theoretical risk. It’s happening now.

Executive Summary: PII, Medical Records, and Credentials at Risk

Our research uncovered multiple publicly accessible vector database instances that required no authentication to access. These databases, deployed across major cloud providers and self-hosted environments, contained highly sensitive data including:

  • Personal identifiable information: real names, phone numbers, email addresses, national ID numbers, and home addresses
  • Corporate credentials: cloud access keys, API tokens, and plaintext passwords
  • Medical records: patient data including diagnoses, health insurance details, and photographs
  • Biometric data: facial recognition records tied to employee profiles
  • Internal business data: support tickets, executive information, and internal system configurations

In one notable case, we discovered an exposed vector database backing a support ticket system. The indexed tickets contained plaintext credentials for customer SaaS accounts. Using those credentials, we were able to authenticate to external platforms, demonstrating how a single unsecured vector database can serve as a pivot point for lateral movement far beyond the original target.

Terminal window showing a curl command querying a GraphQL API to retrieve ticket data, displaying a conversation log with highlighted plaintext credentials.
Collecting plaintext credentials from a support ticket conversation
Terminal output showing a GraphQL API curl request piped to a Python script that extracts and lists redacted personal identifiable information (PII).
Collecting customers’ full names, phone numbers, and company names

All findings were responsibly disclosed to the affected organizations and relevant national CERTs.

The Rise of Vector Databases and Their Blind Spots

Vector databases are purpose-built to store and query high-dimensional embeddings, the numerical representations that power modern AI applications. When a company builds a chatbot that answers questions about internal documents, those documents are typically chunked, embedded, and stored in a vector database. When a platform implements semantic search, the search index often lives in a vector database.

The problem is that these databases don’t just store abstract vectors. To be useful, they store the original content alongside the embeddings, including full text passages, metadata fields, and often structured data like names, emails, and credentials. The assumption that “it’s just embeddings” creates a dangerous blind spot.

The Root Causes of Exposure

Several factors are converging to create this exposure pattern:

Local-first design meets production deployment. Many vector databases were designed for rapid prototyping and local development. They ship with authentication disabled by default, expecting developers to enable it before going to production. Too often, that step is skipped.

A new developer profile. The AI boom has brought a wave of developers who are experts in machine learning and natural language processing but may have less experience with infrastructure security. Building a RAG pipeline is straightforward, hardening the underlying database is a separate skill set that doesn’t always come with the territory.

Weak security defaults. Unlike mature relational database ecosystems where authentication is typically enforced out of the box, many vector databases treat security as optional configuration. A single misconfigured deployment can expose everything indexed inside it.

Direct HTTP exposure. Most vector databases expose simple REST or gRPC APIs. When these services are deployed on cloud instances with public IPs and no firewall rules, they become trivially discoverable and accessible to anyone on the internet.

# Weaviate — check if the instance is open and list all classes
curl http://<host>:8080/v1/schema

# Milvus — list all collections via the HTTP API
curl http://<host>:19530/v2/vectordb/collections/list

# ChromaDB — enumerate all collections
curl http://<host>:8000/api/v1/collections

From Data Exposure to Lateral Movement

What makes vector database exposure particularly dangerous is the richness of the data they contain. Traditional database leaks expose structured records. Vector databases, by contrast, often index entire documents, conversations, and knowledge bases, the kind of unstructured data that tends to contain credentials, internal URLs, and operational secrets embedded in context.

During our research, we encountered an instance that indexed a company’s support ticket system. Among the tickets were plaintext credentials that customers had shared with the support team for troubleshooting purposes. These credentials were valid, and they granted access to customer SaaS accounts on external platforms.

This illustrates a critical point: a compromised vector database is not just a data leak, it can be a foothold for further attacks. The unstructured, document-oriented nature of the data means secrets can hide in unexpected places, embedded within paragraphs of text that were never intended to be stored in a searchable, internet-facing system.

# Semantic search for credentials within an exposed Weaviate instance
curl -X POST http://<host>:8080/v1/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{Get{<ClassName>(nearText:{concepts:[\"password\",\"credentials\",\"access key\"]},limit:10){<properties>}}}"}'

A Pattern We’ve Seen Before

This is not the first time the security community has watched a new database technology go through growing pains. The MongoDB exposure wave of 2017, where tens of thousands of instances were found publicly accessible, followed a nearly identical pattern: default configurations with no authentication, rapid adoption by developers unfamiliar with operational security, and mass exposure discovered by researchers and attackers alike.

Elasticsearch and Redis went through similar cycles. In each case, the community eventually responded with better defaults, improved documentation, and security tooling, but not before significant damage was done.

Vector databases are following the same trajectory, compounded by the speed and enthusiasm of the current AI adoption wave. The ecosystem is younger, security awareness is lower, and the “experiment-first” culture of AI development means many deployments were never intended to be permanent, until they were.

6 Steps to Secure Your AI Data

If your organization uses vector databases, take the following steps to reduce your exposure:

1. Enable authentication. Every major vector database supports authentication. Enable it. This is the single most impactful step you can take. Review the documentation for your specific platform. Weaviate, Milvus, ChromaDB, Qdrant, and others all provide auth mechanisms.

2. Never expose database ports to the public internet. Vector databases should sit behind a private network, VPN, or reverse proxy with authentication. There is almost never a legitimate reason for a vector database to be directly accessible from the internet.

3. Audit what you’re indexing. Understand what data flows into your vector database. If you’re indexing support tickets, internal documents, or customer communications, you may be inadvertently storing credentials, PII, or other sensitive data. Implement pre-processing pipelines that strip or redact sensitive content before indexing.

4. Use network-level controls. Security groups, firewall rules, and network policies should restrict access to vector database ports to only the application servers that need them.

5. Monitor for exposure. Use cloud security posture management (CSPM) tools to continuously monitor for publicly accessible database instances. Orca Security’s agentless platform can detect exposed vector databases and flag sensitive data at risk — without requiring any agents or network changes.

6. Treat vector databases like any other datastore. Apply the same security standards you would to a PostgreSQL or MySQL database: authentication, encryption in transit, network isolation, access logging, and regular security reviews.

Summary

Vector databases are a critical part of the modern AI stack, but their rapid adoption has outpaced the security practices needed to protect them. Our research found multiple exposed instances across several platforms and geographies, containing everything from personal data and medical records to cloud credentials and biometric information. In one case, secrets found in a vector database enabled lateral movement into customer accounts on separate platforms.

This is a solvable problem. The root cause is not a fundamental flaw in vector database technology, it’s an ecosystem maturity gap. Organizations that enforce authentication, restrict network access, and audit their indexed data can eliminate this attack surface entirely.

The AI revolution shouldn’t mean a security regression. Lock your vector databases the same way you lock everything else, before someone else finds them first.

How Can Orca Help?

The Orca Cloud Security Platform helps organizations identify, secure, and continuously monitor exposed vector databases and the sensitive data they contain across modern AI environments. With agentless visibility across cloud infrastructure, Orca automatically detects publicly accessible vector databases, misconfigured network controls, and missing authentication, giving teams immediate insight into where AI data stores may be unintentionally exposed. At the same time, Orca analyzes the data connected to these systems to uncover embedded PII, credentials, API keys, and other secrets, helping organizations understand the true impact of exposure beyond just the infrastructure itself.

By correlating data exposure with identities, permissions, and access paths, Orca highlights where attackers could use leaked credentials to move laterally or access downstream systems. It continuously monitors for risky configurations and prioritizes findings based on data sensitivity, internet exposure, and potential blast radius, enabling security teams to focus on the issues most likely to lead to data exfiltration or broader compromise and remediate them quickly.

Orca Security platform alert displaying a 7.3 risk score for US Social Security Numbers found on a public-facing database asset.
Orca Alert: Discovering sensitive information inside databases

Learn more

Interested in learning more about the Orca Platform? Schedule a personalized 1:1 demo.