By NHI Mgmt Group Editorial TeamPublished 2026-05-26Domain: Breaches & IncidentsSource: TruffleHog

TL;DR: ComfyUI saves prompts, workflow state, file paths, and sometimes live API keys into PNG metadata by default, and TruffleHog found 159,752 metadata-bearing images across ten Discord servers, including 681 with verified live keys. That makes casual image sharing a governance problem, not just a content-handling issue.


At a glance

What this is: This analysis shows that ComfyUI PNG exports can embed prompts, file paths, notes, and live secrets directly into shared images.

Why it matters: IAM, NHI, and security teams need to treat AI image outputs as credential-bearing artefacts because the leakage path sits outside normal secrets workflows.

By the numbers:

👉 Read TruffleHog's analysis of API keys leaking in ComfyUI PNG metadata


Context

ComfyUI PNG metadata leakage is a governance problem because the output file carries more than the image itself. In this workflow, prompts, file paths, node values, and sometimes credentials are written into the exported PNG, so the artefact that users share becomes a secret-bearing object.

For identity teams, that means NHI controls are no longer limited to vaults, repos, and CI/CD pipelines. AI content workflows can create a second exposure surface where service credentials, local paths, internal endpoints, and private notes move with the image, even when users think they are only sharing creative output.


Key questions

Q: How should security teams handle secrets embedded in AI-generated images?

A: Treat AI-generated images as sensitive artefacts until proven clean. Scan the exported file for metadata, strip it before sharing, and block workflows that allow API keys or internal paths to persist into the output. The key control is not image moderation, it is preventing credential-bearing state from leaving the controlled environment.

Q: Why do AI image workflows create NHI risk outside code repositories?

A: Because the workflow can serialize credentials, prompts, and environment details into the artefact itself. That means the secret may surface after generation, not during development, so controls limited to repositories and CI/CD miss the exposure. NHI governance has to follow the object that is shared, not only the place where it was created.

Q: What do teams get wrong about bypassing nodes with secrets?

A: They assume a bypassed node is effectively absent. In practice, the node can still leave widget values behind in the saved canvas state, so the secret may remain recoverable even when the node never executed. Teams need to verify persistence, not just runtime behaviour.

Q: How can organisations reduce risk from community-built AI plugins?

A: Set governance rules for third-party nodes that can accept credentials, especially those used for image generation, LLM calls, or local model endpoints. Require a review of how the plugin stores secrets, whether it serializes state into outputs, and whether its data handling meets your NHI policy before approval.


Technical breakdown

Why ComfyUI PNG metadata leaks prompts and secrets

ComfyUI serialises workflow state into PNG metadata so a generated image can later be reopened and reproduced. That design stores the graph, prompts, sampler settings, node text, and other canvas values inside the file. When a custom node accepts an API key through a plain text widget, the key is treated like any other field and gets written into the output alongside non-sensitive values. The problem is not limited to visible content. Hidden blocks can also preserve system prompts, notes, paths, and local endpoints, creating a durable copy of data users did not intend to publish.

Practical implication: treat AI-generated PNGs as data-bearing artefacts and not as inert media files.

Why bypass mode does not remove embedded credentials

Bypass mode can prevent a node from running, but it does not necessarily remove the node’s widget values from the saved canvas state. In ComfyUI, the recipe block may omit the bypassed node, yet the canvas block can still store the credential text because it captures the full workspace as configured. That means operational controls focused on execution are not the same as controls focused on persistence. A credential can be functionally unused and still be recoverable from the exported file, which is the core failure mode here.

Practical implication: validate what is serialized to disk, not just what is executed at runtime.

How shared image files become an NHI exposure path

This pattern matters because NHI risk often appears in places that do not look like identity systems. A PNG shared in a community channel can carry live API keys, Google Drive links, private IPs, and absolute file paths that reveal usernames and internal infrastructure. Once the file leaves the original environment, the secret is no longer protected by the original application boundary. The result is a distribution problem: one artefact can expose multiple identities, systems, and trust relationships at once, long after the workflow completed.

Practical implication: extend secret-detection and egress controls to generated media, not only code and configuration files.


Threat narrative

Attacker objective: The attacker wants reusable credentials and environmental intelligence that can be turned into account abuse, service access, or follow-on intrusion.

  1. Entry occurs when a user pastes a live API key, private note, or sensitive path into a ComfyUI workflow that later gets saved into a PNG file.
  2. Escalation occurs when the exported image is shared in a public or semi-public channel, making the embedded metadata accessible to anyone who downloads it.
  3. Impact occurs when an attacker extracts the secret or internal detail from the PNG and uses it for unauthorized API access, reconnaissance, or downstream abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

ComfyUI PNG metadata leakage is really a secret persistence problem, not a file-format curiosity. The failure is that generated artefacts preserve workflow state by design, so sensitive values follow the image outside the control plane where they were created. That means the identity boundary moves from the application session to the shared file, and traditional secrets hygiene no longer sees the whole exposure surface. Practitioners should treat exported media as part of the credential lifecycle.

Plain-text widget design creates identity debt for community-built AI tools. Official nodes may mask credentials, but the broader plugin ecosystem often uses generic text fields because no dedicated secret input type exists. That pushes developers toward insecure serialization patterns and creates a long tail of NHI exposure in custom nodes. The implication is that governance has to cover extensibility, not only the core platform.

Hidden prompts and notes matter because sensitive context is also an identity asset. The leak is not just API keys, it is file paths, local endpoints, private annotations, and system prompts that reveal how the environment is built and how it is used. Those details help attackers map service dependencies and target the next trust point. Security teams should classify generated artefacts as a source of environmental intelligence.

AI content pipelines need NHI controls that reach beyond source repositories. The same monitoring logic used for code, chat, and tickets should extend to generated assets, where secrets can be embedded after execution rather than before commit. This widens the scope of lifecycle governance across creation, sharing, and retention. Practitioners should re-evaluate where their secret scanning actually begins and ends.

From our research:

  • 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks, according to Guide to the Secret Sprawl Challenge.
  • Our research also found that 64% of valid secrets leaked in 2022 are still valid and exploitable today, which is why detection without revocation leaves material exposure behind.
  • For a wider breach pattern view, see 52 NHI Breaches Analysis for how exposed credentials turn into repeatable access paths.

What this signals

Secret sprawl is expanding into content pipelines. When generated media can carry live credentials, NHI governance can no longer stop at source code, ticketing systems, or chat platforms. Teams should extend secret scanning to every artefact class that can be shared outside the trust boundary, including images, exported diagrams, and AI-generated files.

The practical signal is that workflow design now matters as much as vault design. If a platform serializes state into output by default, the security team needs a policy for sanitisation, retention, and downstream sharing before the first image leaves the environment.

This pattern also sharpens the case for lifecycle controls over ephemeral credentials. If a secret is exposed in an artefact, the relevant question is whether it can be revoked fast enough to matter and whether the surrounding process can detect the leak before reuse.


For practitioners

  • Scan generated media before sharing Add secret detection to AI output review flows so PNGs, images, and other exported artefacts are checked for embedded metadata, API keys, and private paths before publication or handoff.
  • Disable or strip metadata at the export boundary Where the platform allows it, remove metadata during export and re-encode images before they leave controlled environments. If the application cannot reliably suppress metadata, treat sharing as prohibited until a sanitised copy exists.
  • Replace plain-text secret fields in custom nodes Require plugin developers to stop using generic text widgets for credentials and move integrations that handle API keys behind managed secret stores or non-exported configuration patterns.
  • Review community node risk as a governance issue Inventory third-party nodes that accept credentials, then assess whether their saved state can persist secrets into outputs or logs. Prioritise nodes that touch paid APIs, local LLM endpoints, or external storage services.

Key takeaways

  • ComfyUI image exports can persist prompts, paths, notes, and live API keys inside the PNG itself, which turns sharing into a secret-exposure event.
  • The scale is material: TruffleHog found 159,752 images with hidden metadata and 681 with verified live keys across ten Discord servers.
  • The control gap is simple but consequential. Teams need metadata stripping, secret scanning for generated media, and governance for third-party nodes that handle credentials.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centers on credential exposure through generated artefacts and custom nodes.
NIST CSF 2.0PR.AC-4Uncontrolled embedded secrets create excessive access and weak privilege boundaries.
NIST SP 800-53 Rev 5IA-5Embedded API keys need stronger authenticator management than plain-text widget storage allows.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationThe leak path supports credential harvesting and downstream exfiltration from shared artefacts.
NIST Zero Trust (SP 800-207)Shared AI artefacts should not inherit trust just because they originated inside a workflow.

Apply zero trust to exported AI files and validate them before allowing access outside the originating environment.


Key terms

  • Metadata Leakage: Metadata leakage is the unintended exposure of hidden file contents such as prompts, paths, notes, or credentials. In AI image workflows, the exported artefact can retain more operational context than the visible image, creating a durable disclosure channel that survives normal sharing habits.
  • Custom Node: A custom node is a third-party extension that adds functionality to an AI workflow. In ComfyUI, custom nodes often accept parameters through generic text widgets, which becomes risky when those widgets carry API keys or other secrets that are later serialized into output files.
  • Credential Persistence: Credential persistence is the continued availability of a secret after the user believes it has been removed from active use. In generated-content workflows, persistence can occur when bypassed or unused nodes still leave sensitive values in saved state or exported artefacts.
  • Workflow Serialization: Workflow serialization is the process of saving the structure and state of a running workflow into a file so it can be reproduced later. When serialization includes all canvas values, it can capture sensitive inputs, local paths, and other data that should not travel with the output.

What's in the full article

TruffleHog's full post covers the operational detail this post intentionally leaves for the source:

  • The exact extraction method used to decode PNG metadata from large Discord image sets.
  • Examples of live secrets, local endpoints, and filesystem paths recovered from ComfyUI output files.
  • The command-line validation workflow used to confirm whether embedded keys were still live.
  • Practical cleanup guidance for re-encoding images and checking whether metadata has been removed.

👉 TruffleHog's full post includes the scan method, metadata examples, and cleanup steps for shared images.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy, secrets management, or lifecycle governance, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org