Summary
Wiz Research chained five weaknesses to break tenant isolation on SAP AI Core in research dubbed SAPwned. By submitting a legitimate-looking training job, they configured pods to steal Istio sidecar tokens and bypass network segmentation, then reached unauthenticated internal services including a Grafana Loki instance leaking AWS credentials, an unauthenticated EFS share and an exposed Helm Tiller server. Using Helm's write access they deployed a malicious package granting cluster-admin, gaining cross-tenant access to other customers' pods, secrets, cloud credentials and private AI artifacts. SAP fixed all issues by May 2024 and stated no customer data was compromised.
How to avoid it in your code
- Apply SAP's fixes (patched by May 2024) and keep AI Core platform components updated.
- Enforce strong tenant isolation and network segmentation; block pods from reaching internal services.
- Lock down service tokens, internal logging, shares and Helm with auth and least privilege.
- Treat training-job inputs as untrusted; sandbox workloads and restrict cluster RBAC.
- Rotate exposed cloud credentials and audit cross-tenant access paths.
References
Related vulnerabilities
All AI/LLM →- HIGHAI-CLAUDECODE-SOURCEMAP-2026
On March 31, 2026, Anthropic accidentally shipped the full source of its Claude Code CLI inside a published npm package. A missing .npmignore rule for *.map left a roughly 59.8 MB source map in the tarball, embedding about 512,000 lines of unobfuscated TypeScript across some 1,900 files, including internal prompts, tool definitions and architecture. The root cause was a packaging failure compounded by a bundler bug: Bun continued emitting source maps even when generation was disabled, and nothing stripped or excluded them before publish. Because npm releases are immutable and mirrored instantly, the source was cloned, dissected and re-hosted within hours, and a clean-room reimplementation reached tens of thousands of GitHub stars the same day. It is a textbook source-map disclosure: the sourcesContent field of a .map file carries the original code verbatim, so a single map left in a shipped artifact hands an attacker the entire codebase, comments and all. The same class hit Apple's App Store web front-end in November 2025, where production source maps left enabled let a researcher reconstruct and publish the full client source.
- CRITICALAI-COPILOT-CAMOLEAK-2025
Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.
- HIGHAI-SHADOWLEAK-2025
ShadowLeak is a server-side zero-click indirect prompt-injection attack against ChatGPT's Deep Research agent, discovered by Radware. An attacker emails the victim a message with instructions hidden in the HTML using white-on-white text and tiny fonts; when the user runs Deep Research over their inbox, the agent autonomously follows the hidden instructions and exfiltrates personal and inbox data. The distinguishing trait is that exfiltration occurs entirely server-side within OpenAI's cloud infrastructure, making it invisible to local and enterprise network defenses. The Gmail proof of concept generalizes to any Deep Research connector; OpenAI fixed it before public disclosure with no evidence of in-the-wild exploitation.
- CRITICALAI-TEA-APP-BREACH-2025
The Tea women's-safety app left a Google Firebase Storage bucket publicly accessible with no authentication and directory listing enabled, exposing roughly 72,000 images including about 13,000 verification selfies and government IDs (driver's licenses, passports) and about 59,000 images from posts and messages; a separate exposed datastore leaked over 1 million private user messages. The stolen data was dumped on 4chan, fueling doxxing and harassment. Analysis showed hallmarks of rapidly built apps, including hardcoded API keys and client tokens in the source and an unsecured legacy storage system retained after a 2024 migration.
- MEDIUMAI-GEMINI-WORKSPACE-2025
Marco Figueroa of Mozilla's 0DIN program documented a Gemini for Workspace flaw where an attacker hides instructions inside an email using tags styled with font-size zero or white-on-white text, invisible to the recipient. When the user clicks Summarize this email, Gemini processes the raw HTML and treats the hidden directive as a high-priority instruction, appending an attacker-crafted fake security warning, such as a fake support phone number, that appears to come from Google. No links or attachments are required, enabling credential harvesting and vishing at scale through indirect prompt injection.
- HIGHAI-AGENTSMITH-2025
Noma Security discovered AgentSmith, a flaw in the public LangSmith Prompt Hub where an attacker uploads a malicious AI agent with a pre-configured proxy server baked into its settings. When a victim adopts and runs the shared agent, all traffic including OpenAI API keys, prompts, uploaded documents, images and voice inputs is silently routed through the attacker's proxy, enabling exfiltration of API keys, theft of data and man-in-the-middle manipulation of downstream LLM responses. LangChain confirmed and fixed the issue in November 2024; scope was limited to the public Prompt Hub sharing feature and there was no evidence of in-the-wild exploitation.