Security Advisories

Vulnerability disclosures and security notifications for our platform and the broader AI security ecosystem.

IDS-ADV-2026-0419 Critical (AIVSS 9.2) Active March 21, 2026

HSM Key Extraction via Race Condition in payShield Firmware — CVE-2026-21847

A critical vulnerability has been identified in the firmware of the Thales payShield 10K and payShield 9000 Hardware Security Modules used by the eMACH.ai Secure Key Management subsystem. A race condition in the EI/A0 command processing pipeline allows authenticated attackers with network adjacency to extract cryptographic master keys from the HSM, potentially enabling decryption of stored PAN data across all tenant environments. An emergency firmware patch is required within 7 calendar days. Because the impact is key extraction, patching does not by itself retire keys that were resident on an unpatched unit; the need for key rotation should be assessed alongside the firmware update. PCI DSS 12.9.2 partner notification has been issued.

IDS-2025-003 Critical Resolved December 12, 2025

Training Data Validation Bypass in Pipeline SDK

A vulnerability was identified in the Pipeline SDK's data ingestion module that allowed specially crafted training datasets to bypass input validation checks. An attacker with access to the training pipeline could inject malicious data payloads that persisted through preprocessing stages, potentially poisoning downstream model outputs. The issue was caused by insufficient boundary checking in the multipart upload handler when processing nested archive formats. Patched in Pipeline SDK v3.4.2.
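The boundary problem above (nested archives passing through a multipart handler) is the classic place for zip-slip paths, zip bombs and unbounded nesting to get past a validator that trusts the archive's own size fields. The following is an added example, not Pipeline SDK code: a gate that walks an uploaded zip, and any zips inside it, under one shared byte, member, ratio and depth budget before anything reaches preprocessing. The limit values, the fixture archives and the use of the "PK" magic to detect nesting are assumptions made for the example.

```python
import io
import posixpath
import zipfile

# Policy limits. These values are assumptions for the example, not the SDK's settings.
MAX_DEPTH = 2                        # archives nested inside archives
MAX_MEMBERS = 1000                   # counted across every nesting level
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # inflated bytes across every nesting level
MAX_RATIO = 100                      # inflated / compressed bytes per member


class ArchiveRejected(ValueError):
    pass


class _Budget:
    """Shared by the whole recursion so a nested archive cannot reset the counters."""
    def __init__(self):
        self.members = 0
        self.bytes = 0


def safe_member_name(name):
    """Reject empty names, absolute paths, drive letters, backslashes and '..' components."""
    if not name or name.startswith("/") or "\\" in name or ":" in name:
        return False
    return ".." not in posixpath.normpath(name).split("/")


def scan_archive(data, depth=0, budget=None):
    """Return [(path, size), ...] for every regular file in the archive tree.

    Raises ArchiveRejected the moment any limit is crossed, so nothing oversized
    or mis-pathed reaches the preprocessing stages.
    """
    budget = budget if budget is not None else _Budget()
    if depth > MAX_DEPTH:
        raise ArchiveRejected("nesting depth exceeded")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected(f"not a valid zip: {exc}")
    accepted = []
    for info in zf.infolist():
        budget.members += 1
        if budget.members > MAX_MEMBERS:
            raise ArchiveRejected("member count exceeded")
        if not safe_member_name(info.filename):
            raise ArchiveRejected(f"unsafe member path: {info.filename!r}")
        if info.is_dir():
            continue
        # Central-directory size fields are attacker controlled: count bytes as they
        # actually inflate instead of trusting info.file_size.
        buf = bytearray()
        with zf.open(info) as fh:
            while True:
                chunk = fh.read(64 * 1024)
                if not chunk:
                    break
                budget.bytes += len(chunk)
                if budget.bytes > MAX_TOTAL_BYTES:
                    raise ArchiveRejected("total inflated size exceeded")
                buf += chunk
        if info.compress_size and len(buf) / info.compress_size > MAX_RATIO:
            raise ArchiveRejected(f"compression ratio too high: {info.filename!r}")
        if buf[:4] == b"PK\x03\x04":
            # Nested archive, detected by magic bytes rather than by file extension.
            accepted += scan_archive(bytes(buf), depth + 1, budget)
        else:
            accepted.append((info.filename, len(buf)))
    return accepted


def check_upload(data):
    """Gate an uploaded dataset: ('ok', entries) or ('rejected', reason)."""
    try:
        return ("ok", scan_archive(data))
    except ArchiveRejected as exc:
        return ("rejected", str(exc))


# Constructed fixtures so the gate can be exercised offline.
def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory zip from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return out.getvalue()


def nested_zip(levels, payload=b"label,value\n1,2\n"):
    """A zip nested `levels` deep whose innermost member is a small CSV."""
    data = make_zip({"data.csv": payload})
    for i in range(levels - 1):
        data = make_zip({f"layer{i}.zip": data})
    return data


if __name__ == "__main__":
    print(check_upload(nested_zip(3)))                                    # ok, one CSV
    print(check_upload(nested_zip(4)))                                    # nesting depth exceeded
    print(check_upload(make_zip({"../../etc/cron.d/x": b"* * * * *"})))   # unsafe member path
    print(check_upload(make_zip({"zeros.bin": b"\0" * (1 << 20)})))       # compression ratio too high
```

The ratio and total-size checks are applied to the bytes that actually come out of the decompressor, never to the declared sizes, and the budget object travels through the recursion so an inner archive cannot start from zero.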

IDS-2025-002 High Resolved October 8, 2025

Insufficient Rate Limiting on Model Inference API

The Model Inference API lacked adequate per-tenant rate limiting on batch prediction endpoints, allowing authenticated users to submit an unbounded number of concurrent inference requests. This could be exploited for resource exhaustion attacks against shared GPU clusters, degrading performance for other tenants. The vulnerability affected deployments using the default API gateway configuration without custom throttling rules. Resolved by implementing adaptive token-bucket rate limiting in API Gateway v2.1.0.
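As an added illustration of the fix described above (not the API Gateway's own implementation): a per-tenant token bucket in which a batch request costs one token per item, with per-tenant overrides standing in for the adaptive tuning. Capacity and refill values, tenant names and the HTTP status mapping are assumptions; the clock is injected so the scenario runs deterministically without sleeping.

```python
import time


class TenantRateLimiter:
    """Per-tenant token bucket for batch endpoints.

    Each tenant gets its own bucket, so one tenant draining its tokens cannot
    touch another's. A batch costs one token per item, which is what bounds the
    aggregate work a tenant can push onto the shared GPU pool.
    """

    def __init__(self, capacity, refill_per_s, clock=time.monotonic):
        self.default = (capacity, refill_per_s)   # burst size, sustained rate
        self.clock = clock                         # injectable for deterministic tests
        self._limits = {}                          # tenant -> (capacity, refill_per_s)
        self._buckets = {}                         # tenant -> (tokens, last_refill_ts)

    def set_limit(self, tenant, capacity, refill_per_s):
        """Adaptive part: tighten or loosen a single tenant at runtime."""
        self._limits[tenant] = (capacity, refill_per_s)

    def check(self, tenant, cost=1):
        """Return (allowed, retry_after_seconds). Tokens are consumed only on allow."""
        capacity, rate = self._limits.get(tenant, self.default)
        now = self.clock()
        tokens, last = self._buckets.get(tenant, (capacity, now))
        tokens = min(capacity, tokens + (now - last) * rate)   # lazy refill
        if cost > capacity:
            # Can never be satisfied; reject outright instead of stalling the bucket.
            self._buckets[tenant] = (tokens, now)
            return False, None
        if tokens >= cost:
            self._buckets[tenant] = (tokens - cost, now)
            return True, 0.0
        self._buckets[tenant] = (tokens, now)
        return False, (cost - tokens) / rate


def handle_batch(limiter, tenant, batch):
    """Gateway decision for one batch prediction request (assumed status mapping)."""
    allowed, retry_after = limiter.check(tenant, cost=len(batch))
    if allowed:
        return {"status": 200, "scheduled": len(batch)}
    if retry_after is None:
        return {"status": 413, "error": "batch larger than tenant burst capacity"}
    return {"status": 429, "retry_after": round(retry_after, 3)}


class FakeClock:
    """Manual clock so the scenario below is reproducible."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def scenario():
    """Two tenants on one gateway: 20-item burst, 5 items/s sustained (constructed)."""
    clock = FakeClock()
    limiter = TenantRateLimiter(capacity=20, refill_per_s=5, clock=clock)
    out = []
    out.append(handle_batch(limiter, "acme", list(range(20)))["status"])    # 200: burst consumed
    out.append(handle_batch(limiter, "acme", [0])["status"])                # 429: bucket empty
    out.append(handle_batch(limiter, "globex", list(range(10)))["status"])  # 200: isolated bucket
    clock.advance(2)                                                        # acme refills 10 tokens
    out.append(handle_batch(limiter, "acme", list(range(10)))["status"])    # 200
    out.append(handle_batch(limiter, "acme", list(range(25)))["status"])    # 413: exceeds capacity
    limiter.set_limit("globex", capacity=5, refill_per_s=1)                 # adaptive tightening
    out.append(handle_batch(limiter, "globex", list(range(6)))["status"])   # 413 under the new cap
    return out


if __name__ == "__main__":
    print(scenario())
```

Charging per item rather than per request is the detail that matters for batch endpoints: a limiter that counts requests lets one request carrying a 10,000-item batch through at the same price as a single prediction.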

IDS-2025-001 Critical Resolved August 19, 2025

Cross-Tenant Data Leakage in Multi-Model Serving

A critical isolation flaw was discovered in the multi-model serving infrastructure where inference context from one tenant's model could bleed into another tenant's prediction responses under high-concurrency conditions. The root cause was a shared memory buffer in the model orchestration layer that did not properly enforce tenant boundaries during batch inference scheduling. No evidence of exploitation was found in production logs. Fixed in Model Serving Engine v4.0.1 with full tenant memory isolation.

IDS-2024-006 High Resolved November 3, 2024

Privilege Escalation via Model Registry API

An authorization bypass in the Model Registry API allowed authenticated users with read-only permissions to overwrite model artifacts in shared repositories. The flaw existed in the permission evaluation logic for the PUT /models/{id}/versions endpoint, which incorrectly inherited permissions from the parent organization scope rather than the repository scope. An attacker could replace a production model with a backdoored variant without triggering audit events. Resolved in Model Registry v2.8.0 with granular RBAC enforcement at the repository level.

IDS-2024-005 Medium Resolved August 22, 2024

Information Disclosure in Debug Endpoints

Several internal debug endpoints in the Platform API were unintentionally exposed in production deployments when the service was started with default configuration values. These endpoints returned detailed system information including model architecture parameters, internal network topology, and database connection metadata. While authentication was required, any valid API token could access the endpoints regardless of permission scope. Mitigated by removing debug endpoints from production builds and adding explicit scope requirements in Platform API v3.2.1.

IDS-2024-004 Critical Resolved May 15, 2024

Remote Code Execution in Model Deserialization

A critical vulnerability was identified in the model loading pipeline where pickle-based deserialization of untrusted model files could lead to arbitrary code execution on the serving infrastructure. Models uploaded through the partner integration API were not subjected to the same sandboxed deserialization process as models uploaded through the primary dashboard. An attacker with partner API access could upload a specially crafted model file containing embedded Python payloads. Patched in Serving Engine v3.6.0 by enforcing SafeTensors format validation and sandboxed loading for all ingestion paths.
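The two halves of the fix above are a format check that trusts nothing in the file and a loader that cannot execute code. As an added example (not Serving Engine code), the block below validates the safetensors layout field by field, then routes anything else through an unpickler that refuses every global reference; a constructed protocol-0 pickle that would call os.system under pickle.loads is rejected before its REDUCE opcode runs. The 9-byte sniff, the dtype table and the fixtures are assumptions, and real checkpoint loaders would additionally have to allowlist specific tensor classes, which this block deliberately does not.

```python
import io
import json
import pickle
import struct

DTYPE_BYTES = {"BOOL": 1, "U8": 1, "I8": 1, "F16": 2, "BF16": 2,
               "I32": 4, "F32": 4, "I64": 8, "F64": 8}
MAX_HEADER_BYTES = 100 * 1024 * 1024   # ceiling used by the safetensors reference parser


class ModelRejected(ValueError):
    pass


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global reference. Pure-data pickles never call find_class and
    still load; anything reaching for os.system, subprocess.Popen or builtins.eval
    is stopped before the REDUCE opcode that would call it."""
    def find_class(self, module, name):
        raise ModelRejected(f"pickle references {module}.{name}")


def _is_int(v):
    return isinstance(v, int) and not isinstance(v, bool)


def validate_safetensors(data):
    """Parse a safetensors blob trusting no field; return {name: (dtype, shape)}."""
    if len(data) < 8:
        raise ModelRejected("shorter than the 8-byte header length")
    (n,) = struct.unpack("<Q", data[:8])
    if n > MAX_HEADER_BYTES or 8 + n > len(data):
        raise ModelRejected("header length outside file bounds")
    try:
        header = json.loads(data[8:8 + n].decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ModelRejected(f"header is not valid JSON: {exc}")
    if not isinstance(header, dict):
        raise ModelRejected("header must be a JSON object")
    body_len = len(data) - 8 - n
    spans, table = [], {}
    for name, meta in header.items():
        if name == "__metadata__":
            if not (isinstance(meta, dict) and all(isinstance(k, str) and isinstance(v, str)
                                                   for k, v in meta.items())):
                raise ModelRejected("__metadata__ must map strings to strings")
            continue
        if not isinstance(meta, dict) or set(meta) != {"dtype", "shape", "data_offsets"}:
            raise ModelRejected(f"{name}: unexpected tensor descriptor")
        width, shape, offsets = DTYPE_BYTES.get(meta["dtype"]), meta["shape"], meta["data_offsets"]
        if width is None or not isinstance(shape, list) or not all(_is_int(d) and d >= 0 for d in shape):
            raise ModelRejected(f"{name}: bad dtype or shape")
        if not (isinstance(offsets, list) and len(offsets) == 2 and all(_is_int(o) for o in offsets)):
            raise ModelRejected(f"{name}: bad data_offsets")
        begin, end = offsets
        nbytes = width
        for d in shape:
            nbytes *= d   # Python ints cannot wrap; in C this is where the checked multiply goes
        if not (0 <= begin <= end <= body_len) or end - begin != nbytes:
            raise ModelRejected(f"{name}: offsets disagree with dtype/shape or exceed the buffer")
        spans.append((begin, end, name))
        table[name] = (meta["dtype"], shape)
    cursor = 0
    for begin, end, name in sorted(spans):   # tensors must tile the buffer exactly
        if begin != cursor:
            raise ModelRejected(f"{name}: gap or overlap at offset {begin}")
        cursor = end
    if cursor != body_len:
        raise ModelRejected("trailing bytes after the last tensor")
    return table


def load_model(data):
    """One ingestion path for every upload source. Returns (kind, payload)."""
    if len(data) >= 9 and data[8:9] == b"{":   # assumed sniff: safetensors JSON header
        return ("safetensors", validate_safetensors(data))
    try:
        return ("pickle", RestrictedUnpickler(io.BytesIO(data)).load())
    except ModelRejected:
        raise
    except Exception as exc:                    # truncated, corrupt, or not a pickle
        raise ModelRejected(f"unreadable pickle: {exc}")


def check_model(data):
    try:
        return ("ok", load_model(data)[0])
    except ModelRejected as exc:
        return ("rejected", str(exc))


# Constructed fixtures.
def raw_safetensors(header, body):
    h = json.dumps(header).encode()
    return struct.pack("<Q", len(h)) + h + body


def make_safetensors(tensors):
    """tensors: {name: (dtype, shape, raw_bytes)} laid out back to back."""
    header, body = {}, b""
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [len(body), len(body) + len(raw)]}
        body += raw
    return raw_safetensors(header, body)


# Protocol-0 pickle that would run os.system("echo pwned") under plain pickle.loads.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."
BENIGN_PICKLE = pickle.dumps({"w": [1.0, 2.0]}, protocol=4)
```

The important property of the safetensors check is that it reads offsets and shapes as claims to be reconciled against the file length, not as instructions: a header declaring a 1 TiB tensor over a 16-byte body is rejected without any allocation being attempted.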

IDS-2024-003 Low Resolved March 1, 2024

Verbose Error Messages Expose Internal Paths

Under certain error conditions, the Governance Dashboard API returned stack traces containing internal file system paths, Python package versions, and database schema names. This information disclosure required authenticated access and only occurred when malformed requests triggered unhandled exceptions in the report generation module. While not directly exploitable, the leaked information could assist an attacker in crafting more targeted attacks. Fixed by implementing structured error responses in Governance API v1.9.3.

IDS-2024-002 High Resolved January 18, 2024

JWT Token Forgery via Weak Signing Key

The authentication service for the Partner Portal used a deterministically generated signing key derived from the deployment timestamp when no explicit key was configured. In environments where the deployment timestamp was predictable or leaked through API headers, an attacker could reconstruct the signing key and forge valid JWT tokens with arbitrary claims. This affected self-hosted deployments that had not configured a custom JWT secret. Resolved in Auth Service v2.0.0 by requiring explicit key configuration and rejecting startup when using default values.
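To make the failure above concrete, here is an added example (not Auth Service code) built around a hypothetical reconstruction of a timestamp-derived default key: an attacker holding any valid token and a rough idea of the deployment time brute-forces the derivation, forges admin claims the server accepts, and the hardened startup check refuses to run without an explicit random key. The derivation string, the claim names, the hex key encoding and the 32-byte minimum are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Minimal HS256 JWT; no library needed for the point being made."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key):
    """Return the claims if the HS256 signature checks out under `key`, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":   # pin the algorithm server-side
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None


# Hypothetical reconstruction of the flawed default: key derived from deploy time.
def derive_key_from_timestamp(deploy_ts):
    return hashlib.sha256(f"partner-portal:{int(deploy_ts)}".encode()).digest()


def recover_key(sample_token, approx_ts, window_s=300):
    """Attacker side: with any valid token and a rough deployment time (say from a
    Date or build header), try every candidate timestamp until one verifies."""
    for ts in range(int(approx_ts) - window_s, int(approx_ts) + window_s + 1):
        key = derive_key_from_timestamp(ts)
        if verify_jwt(sample_token, key) is not None:
            return key
    return None


def forge_admin_token(key):
    return sign_jwt({"sub": "attacker", "role": "admin", "tenant": "*"}, key)


# Fixed startup behaviour: an explicit, long enough, non-placeholder key or no service.
MIN_KEY_BYTES = 32
PLACEHOLDERS = {"", "changeme", "secret", "default", "password"}


class StartupError(RuntimeError):
    pass


def load_signing_key(env):
    """env: mapping like os.environ; JWT_SIGNING_KEY carries hex-encoded random bytes."""
    raw = env.get("JWT_SIGNING_KEY", "")
    if raw.lower() in PLACEHOLDERS:
        raise StartupError("JWT_SIGNING_KEY is unset or a placeholder; refusing to start")
    try:
        key = bytes.fromhex(raw)
    except ValueError:
        raise StartupError("JWT_SIGNING_KEY must be hex-encoded random bytes")
    if len(key) < MIN_KEY_BYTES:
        raise StartupError(f"JWT_SIGNING_KEY must be at least {MIN_KEY_BYTES} bytes")
    return key


def startup_status(env):
    try:
        load_signing_key(env)
        return "started"
    except StartupError as exc:
        return f"refused: {exc}"


def demo():
    """Forgery against the old default, then the hardened startup check."""
    deploy_ts = 1704067200                      # constructed: 2024-01-01T00:00:00Z
    server_key = derive_key_from_timestamp(deploy_ts)
    victim_token = sign_jwt({"sub": "partner-42", "role": "viewer"}, server_key)
    stolen_key = recover_key(victim_token, approx_ts=deploy_ts + 137)   # only roughly known
    forged = forge_admin_token(stolen_key)
    claims = verify_jwt(forged, server_key)     # server accepts attacker-chosen claims
    return {
        "key_recovered": stolen_key == server_key,
        "forged_role": claims["role"],
        "old_default": startup_status({}),
        "placeholder": startup_status({"JWT_SIGNING_KEY": "changeme"}),
        "fixed": startup_status({"JWT_SIGNING_KEY": os.urandom(32).hex()}),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the attacker does not need the exact timestamp: a window of a few hundred seconds costs a few hundred HMAC computations, which is why any predictable derivation input, not just a leaked one, is fatal for an HMAC key.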

IDS-2024-001 Medium Resolved January 5, 2024

SSRF via Webhook Configuration Endpoint

The webhook configuration API accepted arbitrary URLs without validation, allowing authenticated administrators to configure callbacks pointing at internal network addresses. An attacker with admin access could use this to probe internal services, reach cloud metadata endpoints, or defeat naive hostname checks through DNS rebinding. The vulnerability was limited to users with the webhook_admin role. Fixed in Notification Service v1.4.0 by implementing URL allowlisting and blocking RFC 1918 address ranges. Note that the cloud metadata address 169.254.169.254 is link-local (RFC 3927), not RFC 1918, so it is the allowlist rather than the private-range block that closes the metadata case; a deployment relying on a blocklist alone must also cover loopback and link-local ranges.
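An added example of the URL validation described above, not the Notification Service's code: scheme and host allowlisting, resolution of every address the host maps to, rejection of anything non-public (RFC 1918, loopback, link-local including the metadata address, CGNAT, IPv4-mapped IPv6), and pinning of the resolved IPs so the connecting client does not resolve a second time, which is the window DNS rebinding exploits. The allowlisted suffix, the DNS table and the addresses in it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: webhooks may only target HTTPS hosts under a vetted partner domain.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOST_SUFFIXES = (".hooks.example-partner.com",)


class WebhookRejected(ValueError):
    pass


def is_public_address(text):
    """True only for globally routable unicast addresses. Rejects RFC 1918, loopback,
    link-local (169.254.0.0/16, where cloud metadata lives), CGNAT 100.64.0.0/10,
    multicast, unspecified and reserved space, and IPv4-mapped IPv6 forms of them."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                                    # ::ffff:10.0.0.1 -> 10.0.0.1
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return ip.is_global


def validate_webhook(url, resolver=socket.getaddrinfo):
    """Return (host, [pinned_ips]) for an acceptable callback URL, else raise.

    Every resolved address must be public, and the caller must connect to one of
    the returned IPs (setting the Host header itself) rather than re-resolving;
    a second lookup is exactly what DNS rebinding relies on. Redirects must be
    re-validated the same way.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise WebhookRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise WebhookRejected("credentials in URL are not allowed")
    host = parts.hostname
    if not host or not host.endswith(ALLOWED_HOST_SUFFIXES):
        raise WebhookRejected(f"host not on allowlist: {host!r}")
    try:
        port = parts.port or 443
    except ValueError:
        raise WebhookRejected("invalid port")
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise WebhookRejected(f"cannot resolve {host!r}: {exc}")
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise WebhookRejected(f"no addresses for {host!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise WebhookRejected(f"{host!r} resolves to non-public address {addr}")
    return host, addrs


def check_webhook(url, resolver=socket.getaddrinfo):
    try:
        host, addrs = validate_webhook(url, resolver)
        return ("ok", host, addrs)
    except WebhookRejected as exc:
        return ("rejected", str(exc))


# Constructed DNS table so the checks run offline. The rebinding host answers with
# both a public and an internal address, as a rebinding attacker's resolver would.
FAKE_DNS = {
    "ci.hooks.example-partner.com": ["93.184.216.34"],
    "rebind.hooks.example-partner.com": ["93.184.216.34", "10.0.0.5"],
    "meta.hooks.example-partner.com": ["169.254.169.254"],
    "v6.hooks.example-partner.com": ["::ffff:127.0.0.1"],
}


def fake_resolver(host, port, **kwargs):
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for u in ("https://ci.hooks.example-partner.com/cb",
              "https://rebind.hooks.example-partner.com/cb",
              "https://meta.hooks.example-partner.com/latest/meta-data/"):
        print(u, check_webhook(u, fake_resolver))
```

Two details worth keeping: the host allowlist is checked before resolution, so an attacker cannot use the validator as a DNS oracle against arbitrary names, and a host that resolves to any non-public address is rejected outright rather than having the public address selected, because the client cannot control which answer it would later get.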

IDS-2023-004 High Resolved October 27, 2023

Insecure Direct Object Reference in Audit Logs

The audit log retrieval API used sequential integer identifiers without tenant-scoped authorization checks. An authenticated user could enumerate and retrieve audit log entries belonging to other tenants by incrementing the log entry ID parameter. Exposed data included model deployment events, user login records, and configuration changes. The vulnerability was reported through our responsible disclosure program. Resolved in Audit Service v1.2.0 by replacing sequential IDs with tenant-scoped UUIDs and adding explicit ownership validation.
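IDS-2024-006 and IDS-2023-004 are both authorization decided against the wrong key: the organization scope instead of the repository scope, and a global sequence number instead of (tenant, id). The added example below, with a hypothetical data model that is not Model Registry or Audit Service code, runs both flaws and both fixes side by side under a strict flag; repository, user and tenant names are constructed.

```python
import uuid


class ModelRegistry:
    """Org- and repository-scoped permissions plus a tenant-scoped audit log.

    strict=False reproduces the two flaws (org-scope inheritance on PUT with no
    audit event; sequential audit IDs with no tenant check). strict=True is the
    hardened behaviour.
    """

    def __init__(self, strict=True):
        self.strict = strict
        self.org_perms = {}     # (user, org)  -> {"read", "write", ...}
        self.repo_perms = {}    # (user, repo) -> {"read", "write", ...}
        self.repo_org = {}      # repo -> owning org (the tenant)
        self.artifacts = {}     # (repo, version) -> digest
        self._audit_list = []   # vulnerable store: position + 1 is the public id
        self._audit_map = {}    # hardened store: (tenant, uuid) -> event

    def create_repo(self, repo, org):
        self.repo_org[repo] = org

    def grant(self, user, perms, org=None, repo=None):
        key = (user, org) if org is not None else (user, repo)
        store = self.org_perms if org is not None else self.repo_perms
        store.setdefault(key, set()).update(perms)

    def record(self, tenant, event):
        """Append an audit event and return its public id."""
        entry = dict(event, tenant=tenant)
        self._audit_list.append(entry)
        eid = str(uuid.uuid4())
        self._audit_map[(tenant, eid)] = entry
        return eid if self.strict else len(self._audit_list)

    def put_version(self, user, repo, version, digest):
        """PUT /models/{repo}/versions/{version}: returns 'written' or 'denied'."""
        org = self.repo_org[repo]
        if self.strict:
            # Authorize at the repository scope only; org roles never imply repo write,
            # and the attempt is logged whether or not it succeeds.
            allowed = "write" in self.repo_perms.get((user, repo), set())
            self.record(org, {"action": "put_version", "user": user, "repo": repo,
                              "version": version, "allowed": allowed})
        else:
            # Flaw: permission resolved at the parent org scope, and nothing is logged.
            allowed = "write" in self.org_perms.get((user, org), set())
        if not allowed:
            return "denied"
        self.artifacts[(repo, version)] = digest
        return "written"

    def get_audit(self, caller_tenant, entry_id):
        """GET /audit/{id}. caller_tenant comes from the session, never the request.
        Hardened: the tenant is part of the lookup key, so a foreign id looks
        exactly like a missing one (None) rather than a confirming 403."""
        if self.strict:
            return self._audit_map.get((caller_tenant, entry_id))
        try:                                       # Flaw: sequential id, tenant ignored
            return self._audit_list[int(entry_id) - 1]
        except (IndexError, ValueError):
            return None


def run_scenario(strict):
    reg = ModelRegistry(strict=strict)
    reg.create_repo("prod-models", "acme")
    reg.grant("alice", {"read", "write"}, org="acme")       # contributor on her own org repos
    reg.grant("alice", {"read"}, repo="prod-models")        # read-only on the shared repo
    reg.artifacts[("prod-models", "v7")] = "sha256:good"
    put = reg.put_version("alice", "prod-models", "v7", "sha256:backdoored")
    globex_id = reg.record("globex", {"action": "login", "user": "bob"})
    leaked = reg.get_audit("acme", globex_id)               # acme caller, globex's id
    return {
        "put": put,
        "artifact": reg.artifacts[("prod-models", "v7")],
        "cross_tenant_read": leaked is not None,
        "owner_read": reg.get_audit("globex", globex_id) is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(strict=False))
    print("hardened:  ", run_scenario(strict=True))
```

Replacing sequential IDs with UUIDs stops enumeration, but it is the tenant in the lookup key that actually enforces ownership; a UUID that leaks through a log line or a referer is otherwise just as readable across tenants.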

IDS-2023-003 Medium Resolved August 9, 2023

Denial of Service via Malformed Model Input

The inference API did not enforce input size limits on certain tensor operations, allowing an attacker to submit specially crafted input payloads that caused excessive memory allocation on GPU workers. A single malicious request could consume all available GPU memory, causing out-of-memory errors and service disruption for co-located inference workloads. The attack required a valid API key but no elevated permissions. Mitigated in Inference Engine v1.5.2 by implementing input tensor dimension and size validation before GPU memory allocation.
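An added example of the validation step described above, not Inference Engine code: every shape and dtype is checked, and the byte count is computed with an early-exit multiply that refuses the request before the product can grow past the budget, all before any device allocation. The limits, the dtype widths and the constructed image batch are assumptions.

```python
# Assumed per-request limits for a shared GPU worker; the values are illustrative.
DTYPE_BYTES = {"bool": 1, "uint8": 1, "int8": 1, "float16": 2, "bfloat16": 2,
               "int32": 4, "float32": 4, "int64": 8, "float64": 8}
MAX_RANK = 8
MAX_DIM = 1 << 20                 # no single axis above ~1M
MAX_REQUEST_BYTES = 256 << 20     # 256 MiB of device memory per request
MAX_BATCH = 64


class InputRejected(ValueError):
    pass


def checked_nbytes(dtype, shape):
    """Bytes for dtype*shape with the checks a C/CUDA allocator would need: rank
    bound, integer dims, per-axis bound, and a multiply that bails before the
    product can wrap. Python ints do not wrap, but the early exit keeps a shape
    like [2**20, 2**20, 2**20] from doing any work at all."""
    width = DTYPE_BYTES.get(dtype)
    if width is None:
        raise InputRejected(f"unsupported dtype {dtype!r}")
    if not isinstance(shape, (list, tuple)) or not 1 <= len(shape) <= MAX_RANK:
        raise InputRejected(f"rank must be 1..{MAX_RANK}")
    total = width
    for d in shape:
        if isinstance(d, bool) or not isinstance(d, int) or d < 0:
            raise InputRejected(f"dimension {d!r} is not a non-negative integer")
        if d > MAX_DIM:
            raise InputRejected(f"dimension {d} exceeds {MAX_DIM}")
        if d and total > MAX_REQUEST_BYTES // d:      # total * d would exceed the budget
            raise InputRejected("tensor exceeds per-request memory budget")
        total *= d
    return total


def validate_request(tensors):
    """tensors: [{"name", "dtype", "shape", "data": bytes}, ...]. Returns the total
    bytes to allocate, or raises before anything touches the GPU."""
    if not 1 <= len(tensors) <= MAX_BATCH:
        raise InputRejected(f"batch size must be 1..{MAX_BATCH}")
    total = 0
    for t in tensors:
        nbytes = checked_nbytes(t["dtype"], t["shape"])
        if len(t["data"]) != nbytes:
            raise InputRejected(f"{t['name']}: declared shape needs {nbytes} bytes, got {len(t['data'])}")
        total += nbytes
        if total > MAX_REQUEST_BYTES:
            raise InputRejected("request exceeds per-request memory budget")
    return total


def check_request(tensors):
    try:
        return ("ok", validate_request(tensors))
    except InputRejected as exc:
        return ("rejected", str(exc))


def image_batch(n):
    """Constructed well-formed input: n RGB 224x224 float32 images."""
    return [{"name": "images", "dtype": "float32", "shape": [n, 3, 224, 224],
             "data": b"\0" * (n * 3 * 224 * 224 * 4)}]


if __name__ == "__main__":
    print(check_request(image_batch(1)))
    print(check_request([{"name": "x", "dtype": "float32", "shape": [1 << 20, 1 << 20], "data": b""}]))
    print(check_request([{"name": "x", "dtype": "float32", "shape": [2, 2], "data": b"\0" * 15}]))
```

The length check against the declared shape is the part most often skipped: a request whose payload is shorter than its shape implies is the one that makes a kernel read past its buffer, and one whose payload is longer is the one that quietly ignored a size limit somewhere upstream.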

IDS-2023-002 Critical Resolved June 14, 2023

Authentication Bypass in Early Access API

A logic error in the Early Access API's authentication middleware allowed requests whose Authorization header contained only the Bearer prefix, with no token after it, to bypass token validation entirely. The middleware checked for the presence of the Bearer prefix but did not verify that a non-empty token followed it, so the empty token was never checked. This allowed unauthenticated access to all Early Access API endpoints, including model management and data pipeline configuration. Discovered during an internal security audit prior to general availability. Patched in API Gateway v1.1.0 with strict token format validation.
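A hypothetical reconstruction of the middleware above next to a strict parser, added as an example rather than taken from the API Gateway: the vulnerable version checks for the prefix and then lets an empty token skip validation, while the strict version accepts only a complete Bearer credential in the RFC 6750 token form and validates every token it extracts. Token values and the probe headers are constructed.

```python
import re

# RFC 6750 section 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is case-insensitive (RFC 7235); the token itself is not.
_BEARER = re.compile(r"(?i:bearer)[ \t]+([A-Za-z0-9\-._~+/]+=*)")


def authenticate_vulnerable(headers, valid_tokens):
    """Hypothetical reconstruction of the flaw: prefix check, then a validation
    step that an empty token silently skips."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer"):
        return "deny"
    token = auth[len("Bearer"):].strip()
    if token and token not in valid_tokens:     # "" is falsy: never validated
        return "deny"
    return "allow"


def authenticate_strict(headers, valid_tokens):
    """The whole header must be one Bearer credential with a non-empty token, and
    the token is then always checked. Unknown shapes are denied, never ignored.
    (Set membership stands in for a hashed-token lookup in production.)"""
    match = _BEARER.fullmatch(headers.get("Authorization", ""))
    if match is None:
        return "deny"
    return "allow" if match.group(1) in valid_tokens else "deny"


# Constructed probe requests covering the shapes a middleware must get right.
PROBES = {
    "valid":       {"Authorization": "Bearer tok_7f3a"},
    "empty_token": {"Authorization": "Bearer "},
    "prefix_only": {"Authorization": "Bearer"},
    "wrong_token": {"Authorization": "Bearer tok_0000"},
    "extra_field": {"Authorization": "Bearer tok_7f3a extra"},
    "missing":     {},
}


def run_probes(middleware, valid_tokens=frozenset({"tok_7f3a"})):
    return {name: middleware(h, valid_tokens) for name, h in PROBES.items()}


if __name__ == "__main__":
    print("vulnerable:", run_probes(authenticate_vulnerable))
    print("strict:    ", run_probes(authenticate_strict))
```

The general lesson is to parse the credential into a value and validate that value, rather than testing the header for a prefix and treating the absence of a token as "nothing to check".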

IDS-2023-001 Low Resolved April 20, 2023

Cross-Site Scripting in Dashboard Search

The Governance Dashboard's search functionality reflected user input into the search results page without encoding it. An attacker could craft a URL containing a JavaScript payload in the search query parameter that would execute in the context of an authenticated user's session when the link was opened. Exploitation required social engineering to convince a user to visit the crafted link. Fixed in Dashboard v1.0.3 by encoding the reflected search query on output and adding Content-Security-Policy headers.

Responsible Disclosure

IntellectDesign Security is committed to working with the security research community to identify and responsibly disclose vulnerabilities in our products and services. We operate a coordinated disclosure policy with a standard 90-day timeline from initial report to public advisory.

If you believe you have discovered a security vulnerability in any of our products, please report it to security@intellectdesign-security.com. Include a detailed description of the vulnerability, steps to reproduce, and any proof-of-concept code. We acknowledge all reports within 48 hours and aim to provide an initial assessment within 5 business days.

We do not pursue legal action against researchers who act in good faith and comply with our disclosure policy.
