Active incident · Flowise · Weaviate · blood donation data · Germany · disclosure routed
Latest disclosure · Ministry of Health, Nepal · awaiting acknowledgement
Corpus state · 36,000 hosts confirmed · 9 open · 11 publicly remediated
Most recent
Corpus index built 2026-06-07 23:58 UTC
Case study · 2026-05-25 CRITICAL Flowise · Weaviate · blood donation data · Germany

A Flowise vector store exposes IT credentials and operational records from a German blood donation organization.

An unauthenticated Weaviate instance at gpt.sergogram.com holds 1,171 objects — internal IT documentation from blutspende.net, a German blood donation organization. Confirmed content: a plaintext server credential (IH-DBSERVER\operator Pw: operator), internal IP ranges, server names, BitLocker PIN conventions, and blood donation unit numbering tables. Flowise runs unauthenticated on both port 3000 and port 443. A second tenant's documents occupy the same instance.


Recent papers
  1. v1·i481 2026-06-07
    LangGraph Studio Population Survey — Local Dev Tool Misdeployed to Public AWS at 90.9%

    LangGraph Studio (github.com/langchain-ai/langgraph) is LangChain's local-development debugger / visualizer for LangGraph applications. It is designed to run on localhost:2024 during development, with desktop auth-type m…

    Survey
  2. v1·i483 2026-06-07
    OpenHands Population Survey — Autonomous Agent Task History + LLM Config Exposed at Scale

    OpenHands (github.com/All-Hands-AI/OpenHands, formerly OpenDevin) is an autonomous coding agent platform with multiple agent types (CodeActAgent, BrowsingAgent, VisualBrowsingAgent, ReadOnlyAgent, LocAgent, DummyAgent) t…

    Survey
  3. v1·i484 2026-06-07
    The Auth-on-Default Landscape of OSS AI/LLM Infrastructure

    Two-day population survey across 13 OSS AI/LLM infrastructure platforms reveals a maintainer-culture-axis split between demo-first defaults (auth-permissive, 70-91% open) and enterprise-customer-first defaults (auth-required, 0-1%). The cohort is not jurisdiction-defined. Insight #76 scope-bounded to platform class; LLM02 Sensitive Information Disclosure is the dominant finding class; the Capitol.ai escalation demonstrates the maintainer-default failing at enterprise-SaaS scale; in-flight attacker /proc/self/environ activity directly observable on OpenHands instances.

    Survey
  4. v1·i479 2026-06-07
    Cat-29 Argo Workflows: :2746 probe sweep, 2026-06-07

    Lane 1A of the 9-item 2026-06-07 plan. Goal: test whether port 2746 hosts an unauthenticated Shodan-dark tier among Argo Workflows operators whose :443 surface is gated by IAP/AzureAD. Method: parallel curl probes (5-sec…

    Case
  5. v1·i480 2026-06-07
    DMARC Funding-Stage Proxy — Full-Registry Sweep N=410

    Date: 2026-06-07. Cohort: full NuClide AI-infrastructure vendor registry (MASTER-port-vendor-registry.csv, 435 vendor names, 410 unique apex domains resolved after dedup and OSS filtering). Probe: dig +short TXT dmarc.<d…

    Case
  6. v1·i482 2026-06-07
    MCP Servers and CrewAI — Negative Results with Methodology Value

    Two attempted same-day surveys produced no actionable findings — but the failure modes are themselves research-program-relevant. Both reveal classes of AI/LLM infrastructure that are not surveyable with the population-Sh…

    Case
How this is done: methodology and tools NuClide builds and uses

Every paper is reproducible from public infrastructure data. The probes, the scan deltas, and the schema detectors are open source. Where we built a tool to make a paper possible, the tool ships first.

  • Cross-platform AI/LLM observability fingerprinter, 12 platforms, IP-direct-shadow probe

  • nmap for AI infrastructure

  • Public OSINT catalog of exposure patterns for AI/ML infrastructure

  • Process-injection detection benchmark with Sysmon validation

Every disclosure NuClide has sent, with status. Coordinated where the operator responds; published after embargo where they don't. The disclosure record is the credential, not the names of who took the call.

126 sent
7 acknowledged
3 publicly remediated
114 awaiting response