Breachwire.riscent
Breachwire / PWA & Startup Breaches

PWA & Startup Breaches

PWACritical (CVSS 9.4 / 9.8)

Langflow: one unauthenticated POST turns an AI workflow builder into a shell

Langflow, an open-source AI agent workflow builder, shipped endpoints that execute attacker-supplied code without authentication — CVE-2025-34291 (CVSS 9.4) and CVE-2026-33017 (CVSS 9.8), the latter weaponized within 20 hours of disclosure to deploy Monero cryptominers on exposed servers.

PWACritical

Chat & Ask AI: 300 million messages readable by anyone with the project URL

The AI app Chat & Ask AI exposed around 300 million messages tied to 25 million users because its Firebase Security Rules were set to public, letting anyone with the project URL read, modify, or delete data without authentication.

PWACritical (CVSS 10.0)

Flowise CustomMCP: a config field piped straight into Function() gives CVSS 10 RCE

Flowise's CustomMCP node passed the untrusted mcpServerConfig field into JavaScript's Function() constructor, giving unauthenticated remote code execution (CVSS 10.0) on instances without API-key protection.

PWAHigh

The Tea app breach: a Firebase database left open, then an API that trusted any user

The women's safety app Tea suffered two breaches rooted in authentication and authorization failures: a Firebase database left open because security policies were never configured, and a second flaw letting any user use their own API key to download other users' chats.

PWACritical (CVSS 9.3)

The vibe-coding RLS epidemic: AI-built apps shipped with no lock on the database

Apps generated by the AI builder Lovable frequently shipped Supabase backends with Row-Level Security missing — so anyone with the public key could read private tables. A scan of 1,645 apps found roughly 170 exposed.

PWAHigh

OmniGPT: 34 million chat lines leaked — with the credentials and keys users pasted in

A threat actor claimed to have breached AI chatbot OmniGPT and leaked around 30,000 user emails and phone numbers plus 34 million lines of chat messages that reportedly contained credentials, API keys, and billing details users had pasted into conversations.

PWAMedium

Ollama in the open: 1,139 LLM servers on Shodan, hundreds answering with no auth

Cisco used Shodan to find 1,139 internet-exposed Ollama instances on port 11434, of which 214 were actively serving live models with no authentication — open to arbitrary prompts, model extraction, and resource abuse.

PWAHigh

The unlocked memory of AI apps: exposed vector databases with no authentication

Vector databases that back RAG applications are frequently deployed with no authentication, letting attackers who reach them exfiltrate embeddings, partially reconstruct source documents via model inversion, and poison retrieval — a documented misconfiguration class.

PWAHigh

sk- in the browser: thousands of OpenAI keys shipped in client code and public repos

Cyble found OpenAI API keys exposed at scale — over 5,000 GitHub repositories and around 3,000 public websites shipping sk- keys in client-side JavaScript or committed source, where automated scanners abuse them within hours or minutes.

PWAHigh

The PWA that installs like a native app — and the push channel that phishes you after

ESET documented phishing that installs banking-app lookalikes as WebAPKs with no untrusted-source warning, and Matrix Push C2 shows how the browser push channel is then abused to deliver spoofed OS-level notifications carrying phishing and malware.

PWAHigh

The .env harvest: 90,000 secrets scraped from exposed files, then cloud extortion

Unit 42 documented an extortion campaign that scanned the internet for publicly exposed .env files, harvested over 90,000 environment variables including cloud, SaaS, and AI keys across 110,000 domains, then used them to break into cloud accounts and extort victims.

PWAHigh

WotNot's open bucket: 346,000 passports and medical records with no password

AI chatbot startup WotNot left a Google Cloud Storage bucket of 346,381 files — including passport scans, medical records, and resumes — accessible to anyone on the internet with no authentication.

PWACritical

Sisense: a hardcoded token in the code repo unlocked terabytes of customer data

Attackers reached Sisense's self-managed GitLab repository, found a hardcoded credential to the company's Amazon S3 buckets, and exfiltrated several terabytes of customer data including access tokens, email passwords, and SSL certificates — prompting a rare CISA warning.

PWAHigh (persistence)

The XSS that won't die: service-worker cache poisoning in PWAs

A single same-origin XSS in a Progressive Web App can be escalated into a persistent person-in-the-middle over cached content — one that outlives the original XSS fix.

PWAHigh

The ChatGPT Redis bug: a cancelled request handed you a stranger's chat history

A race condition in the open-source redis-py client let cancelled requests return another user's cached data, exposing chat titles and, for about 1.2% of ChatGPT Plus subscribers, some billing information.