CISA reports vulnerabilities in The Librarian

TheLibrarian.Inference Orchestrator (IO)'s Artificial Intelligence (AI) assistant The Librarian contains multiple flaws in internal helper tools that allow disclosure of system prompts and access to backend services, potentially exposing the administrative console and internal infrastructure.

The advisory identifies VU#383552.1, VU#383552.2, CVE-2026-0612, CVE-2026-0613, CVE-2026-0615, and CVE-2026-0616. VU#383552.1 affects the image_generation tool and can disclose the full system prompt by requesting an image with the embedded prompt. VU#383552.2 affects the view_document tool and can append the system prompt to an uploaded document. CVE-2026-0612 is an information-leak via the web_fetch tool that can retrieve arbitrary attacker-supplied external content and proxy requests. CVE-2026-0613 enables SSRF-style GET requests through web_fetch to internal Intrusion Prevention System (IPS) and services, permitting port scanning and metadata retrieval of the Hertzner cloud environment. CVE-2026-0615 allows web_fetch to retrieve the supervisord status page to list running processes. CVE-2026-0616 allows web_fetch to retrieve Adminer interface content that can be used to log in to the internal backend system.

An attacker who exploits these vulnerabilities could gain control over multiple aspects of TheLibrarian.IO internal infrastructure, including process control, lateral movement, and credential theft. The advisory cites CVE-2026-0614, CVE-2026-0615, and CVE-2026-0616 as largely responsible for this potential. It also states that VU#383552.1 through VU#383552.4 permit exploitation and potential misuse of The Librarian's capabilities and could result in jailbreaks or unintended actions by the AI.

The vendor has fixed the identified vulnerabilities and deprecated the affected tools. The vendor stopped the web-fetch tool from retrieving dangerous content and now handles web retrieval through a third-party service. The vendor stated, “prompt content is not a secrecy boundary in our threat model” with respect to system prompt disclosure.

One or more vendors are listed for this advisory; please reference the full report for more information. Contact us about this vulnerability.

Netskope outlines security considerations as AI adoption expands across enterprises

Dell’Oro Group reports data center capital expenditures surged 57 percent in 2025

Aviz Networks expands Aviz ONES integration with NVIDIA DSX Air for AI Factory networking validation