2026-06-30 19:10 UTCIn-site rewrite2 min readUpdated: 2026-06-30 19:28 UTC

Demystifying Security Risks of AI-Powered Applications on Pre-Trained Model Hubs

Researchers present the first systematic security analysis of AI-Apps on platforms like Hugging Face, identifying five threat categories and ten attack vectors. Over 970,000 public AI-Apps were analyzed, revealing thousands with leaked credentials, hundreds vulnerable to code execution, and tens with embedded backdoors.

SourceHacker News AIAuthor: runningmike

-->

[Submitted on 29 Jun 2026]

Title:Your Space is My Zone: Demystifying the Security Risks of AI-Powered Applications on Pre-Trained Model Hubs

View a PDF of the paper titled Your Space is My Zone: Demystifying the Security Risks of AI-Powered Applications on Pre-Trained Model Hubs, by Yacong Gu and 8 other authors

View PDF HTML (experimental)

Abstract:AI-powered Applications (AI-Apps), hosted on platforms such as Hugging Face, are democratizing access to pre-trained models through online inference and fine-tuning services. While lowering AI adoption barriers, these platforms introduce an unexplored attack surface, as AI-Apps are often developed by untrusted parties with weak isolation and misconfigured security settings. In this paper, we present the first systematic security analysis of AI-Apps across three leading platforms. To structure our investigation, we map the AI-App lifecycle to established risk taxonomies (e.g., OWASP), identifying five threat categories and ten attack vectors ranging from generic web flaws to high-impact architectural issues. Our analysis reveals critical failures including broken access control, insecure resource reuse, insufficient input validation, and sensitive data exposure. Notably, we uncover three novel architectural vulnerabilities inherent to platform design and demonstrate how traditional issues (e.g., world-readable logs) are uniquely amplified in this ecosystem. To assess real-world impact, we develop an analysis framework Insightor and apply it to over 970,000 public AI-Apps. Alarmingly, we find thousands of apps leaking credentials, hundreds containing input injection vulnerabilities that allow arbitrary code execution, and tens harboring embedded backdoors -- indicating active exploitation. We have responsibly disclosed all findings to the affected platforms and developers.

Comments: 18 pages, accepted by CCS 2026

Subjects:

Cryptography and Security (cs.CR)

Cite as: arXiv:2606.30373 [cs.CR]

(or arXiv:2606.30373v1 [cs.CR] for this version)

https://doi.org/10.48550/arXiv.2606.30373

arXiv-issued DOI via DataCite

Submission history

From: Yacong Gu [view email] [v1] Mon, 29 Jun 2026 14:34:43 UTC (329 KB)

Full-text links:

Access Paper:

View a PDF of the paper titled Your Space is My Zone: Demystifying the Security Risks of AI-Powered Applications on Pre-Trained Model Hubs, by Yacong Gu and 8 other authors

View PDF

HTML (experimental)

TeX Source

view license

Current browse context:

cs.CR

new | recent | 2026-06

Change to browse by:

References & Citations

NASA ADS

Google Scholar

Semantic Scholar

Data provided by:

Bibliographic Tools

Bibliographic and Citation Tools

Bibliographic Explorer Toggle

Bibliographic Explorer (What is the Explorer?)

Connected Papers Toggle

Connected Papers (What is Connected Papers?)

Litmaps Toggle

Litmaps (What is Litmaps?)

scite.ai Toggle

scite Smart Citations (What are Smart Citations?)

Code, Data, Media

Code, Data and Media Associated with this Article

alphaXiv Toggle

alphaXiv (What is alphaXiv?)

Links to Code Toggle

CatalyzeX Code Finder for Papers (What is CatalyzeX?)

DagsHub Toggle

DagsHub (What is DagsHub?)

GotitPub Toggle

Gotit.pub (What is GotitPub?)

Huggingface Toggle

Hugging Face (What is Huggingface?)

ScienceCast Toggle

ScienceCast (What is ScienceCast?)

Demos

Replicate Toggle

Replicate (What is Replicate?)

Spaces Toggle

Hugging Face Spaces (What is Spaces?)

Spaces Toggle

TXYZ.AI (What is TXYZ.AI?)