{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/383552#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nMultiple vulnerabilities were discovered in The Librarian, an AI-powered personal assistant tool provided by the company [TheLibrarian.io](https://thelibrarian.io/). The Librarian can be used to manage personal email, calendar, documents, and other information through external services, such as Gmail and Google Drive, and can also summarize meetings and schedule emails.\r\nThe vulnerabilities are in internal tools that The Librarian uses during its normal functions.\r\nThese tools, `view_document`, `web_fetch`, and `image_generate`, allow an authenticated user \r\n* access to the administrative console \r\n* internal web crawling and port scanning of the internal infrastructure for thelibrarian.io\r\n* disclosure of the internal system prompt for The Librarian\r\n\r\nAll vulnerabilities have since been fixed by thelibrarian.io, and the tools have now been deprecated.\r\n\r\n### Description\r\n\r\nTheLibrarian.io is an AI company that offers the namesake AI-powered personal assistant tool, \"The Librarian\". This assistant can perform a variety of services and can integrate with other external applications. Some of these abilities include calendar management, sending email, and document management. Services that can be integrated include Google products such as Gmail and Google Drive. \r\n\r\nA series of vulnerabilities have been discovered within The Librarian that enable an attacker to access the internal infrastructure of TheLibrarian.io, including the administrator console and cloud environment. 
They also permit disclosure of the internal system prompt, web crawling, log access, and viewing of the internal processes that the infrastructure for TheLibrarian.io is running.\r\n\r\nBelow is a list of all the vulnerabilities and respective CVE IDs assigned to them.\r\n\r\n**VU#383552.1** \r\nThe Librarian `image_generation` tool can be used to disclose the full system prompt through requesting an image to be generated with the embedded system prompt.\r\n\r\n**VU#383552.2**\r\nThe Librarian `view_document` tool can be used to disclose the full system prompt through requesting the system prompt be appended to a document that is uploaded to the system.\r\n\r\n**CVE-2026-0612**\r\nThe Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure.\r\n\r\n**CVE-2026-0613**\r\nThe Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning and metadata retrieval of the Hetzner cloud environment that TheLibrarian uses.\r\n\r\n**CVE-2026-0615**\r\nThe Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within The Librarian backend. \r\n\r\n**CVE-2026-0616**\r\nThe Librarian's `web_fetch` tool can be used to retrieve the `Adminer` interface content, which can then be used to log in to the internal backend system of The Librarian.\r\n\r\n### Impact\r\nAn attacker who exploits these vulnerabilities could control a wide variety of aspects of the internal infrastructure for TheLibrarian.io. This could include process control, lateral movement, and credential theft. CVE-2026-0614, CVE-2026-0615, and CVE-2026-0616 are largely responsible for this potential impact. 
VU#383552.1 to VU#383552.4 allow for exploitation and potential misuse of the capabilities of The Librarian, and could result in jailbreaks or unintended actions by the AI. \r\n\r\n### Solution\r\nThe vendor has stopped the `web_fetch` tool from being able to retrieve dangerous content. Web retrieval is now handled by a third-party service. The vendor also stated that \"prompt content is not a secrecy boundary in our threat model\" in regard to system prompt disclosure. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, Aaron Portnoy of Mindgard.ai. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/383552"},{"url":"https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure","summary":"https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure"},{"url":"https://thelibrarian.io/","summary":"https://thelibrarian.io/"}],"title":"The Librarian does not secure its interface, allowing for access to internal system data","tracking":{"current_release_date":"2026-03-16T19:53:07+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#383552","initial_release_date":"2026-01-16 12:44:39.865569+00:00","revision_history":[{"date":"2026-03-16T19:53:07+00:00","number":"1.20260316195307.2","summary":"Released on 2026-03-16T19:53:07+00:00"}],"status":"final","version":"1.20260316195307.2"}},"vulnerabilities":[{"title":"The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses.","notes":[{"category":"summary","text":"The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses. 
The vendor has fixed the vulnerability in all affected versions."}],"cve":"CVE-2026-0613","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#383552"}]},{"title":"TheLibrarian view_document tool can be used to disclose the full system prompt, through requesting the system prompt be appended to a document uploaded to the system.","notes":[{"category":"summary","text":"TheLibrarian view_document tool can be used to disclose the full system prompt, through requesting the system prompt be appended to a document uploaded to the system."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#383552"}]},{"title":"TheLibrarian image_generation tool can be used to disclose the full system prompt, through requesting an image to be generated with the system prompt embedded within.","notes":[{"category":"summary","text":"TheLibrarian image_generation tool can be used to disclose the full system prompt, through requesting an image to be generated with the system prompt embedded within."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#383552"}]},{"title":"The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure.","notes":[{"category":"summary","text":"The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. 
The vendor has fixed the vulnerability in all versions of TheLibrarian."}],"cve":"CVE-2026-0612","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#383552"}]},{"title":"TheLibrarian's web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system.","notes":[{"category":"summary","text":"TheLibrarian's web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions."}],"cve":"CVE-2026-0616","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#383552"}]},{"title":"The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend.","notes":[{"category":"summary","text":"The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions."}],"cve":"CVE-2026-0615","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#383552"}]}],"product_tree":{"branches":[]}}