88% of arXiv papers leak hidden data in LaTeX sources — and you can't delete it
Contents
TL;DR
What happened RWTH Aachen researchers scanned all 2.7 million arXiv submissions with public source files (1991 to December 2025). 88% contain information that never shows up in the PDF: LaTeX comments, embedded metadata, or leftover files
What leaked 265 API tokens, 171 passwords, 4 private keys, 7,326 papers with GPS coordinates in image metadata, 699 Google Docs still editable by anyone
What to do
- Clean sources before submitting (ALC-NG, arxiv-latex-cleaner)
- If already exposed: revoke keys and tokens, change sharing permissions on linked docs
- Deleting the source after publication is effectively impossible — withdrawn versions stay online
A team at RWTH Aachen University analyzed 2.7 million arXiv submissions and found hidden information in 88% of them — content that never appears in the PDF.
The paper is accepted at IEEE S&P 2026, and Nature picked it up in July.
Headlines frame it as “9 in 10 papers expose private data”, but most of that 88% is comments and timestamps; the genuinely dangerous finds — passwords, private keys — are in the hundreds.
The other half of the story is that once you upload LaTeX source to arXiv, withdrawing the paper does not remove old versions.
The paper covers that mechanism in detail.
arXiv publishes your LaTeX source, not just the PDF
arXiv has required TeX source submission for TeX-authored papers since 2005.
The stated reasons are reproducible compilation and long-term preservation: submitted sources are compiled on arXiv’s side and published alongside the PDF as a permanent, versioned record.
Anyone can download the full source bundle from a paper’s page.
According to the paper, about 93% of arXiv submissions are written in LaTeX, and over 90% are distributed with sources.
Commented-out paragraphs, EXIF metadata in figures, and bundled files never used by the build are therefore all public — they just don’t show in the PDF.
The GPT-4 technical report (2023) famously shipped with commented-out text in its source; this study is essentially that anecdote measured across all of arXiv.
How they scanned 2.7 million submissions
The study comes from Jan Pennekamp, Johannes Lohmöller, and colleagues at RWTH Aachen University.
It was published as arXiv:2604.20927 in April 2026 and accepted at IEEE S&P 2026.
The dataset covers every submission with public sources from 1991 through December 2025 — 2.7 million papers, and 4.3 million versions once revision history is included (1.1 million papers have more than one version).
Detection is not regex matching.
Comments were extracted from tree-sitter syntax trees, and the files actually used by each build were identified with pdflatex’s recorder option.
The authors describe their numbers as a conservative lower bound with near-zero false positives.
Hidden information is classified into three dimensions.
| Dimension | Share of submissions | What it is |
|---|---|---|
| Unrelated content | 75% | LaTeX comments: discarded paragraphs, co-author exchanges, TODOs |
| Embedded metadata | 56% | Image EXIF, author names, timestamps, GPS coordinates |
| Dangling files | 25% | Bundled files never used to build the PDF |
The 88% figure counts submissions with near-unique hidden information in at least one dimension.
Content that recurs across many submissions — LaTeX template boilerplate — is filtered out first.
In raw numbers, the pipeline processed 12 million unused files, 144 million metadata key-value pairs, and 644 million LaTeX comments.
How much of it is actually dangerous
Manually verified credentials:
| Type | Count | Submissions |
|---|---|---|
| API tokens | 265 | 128 |
| Passwords | 171 | 82 |
| Private keys | 4 | 4 |
Against a base of 2.7 million submissions, confirmed credentials turned up in a few hundred papers.
But arXiv sources can be bulk-downloaded by anyone, which puts them in the same “scannable at scale” category as public GitHub repositories.
For location data, 7,326 submissions carry GPS coordinates in image metadata.
2,238 of them contain multiple coordinates, and in 235 the points fall within 50 km of each other.
In 9 out of 10 randomly sampled cases, the coordinates covered both a research facility and a residential area.
With a workplace-home pair available, the authors note, an author can potentially be tracked in both time and space.
For external links, 3,948 submissions reference Google Docs — 1,119 still viewable and 699 still editable by anyone.
Manual checks found confidential content in at least 200 of them.
That includes review comments, cover letters, rebuttals, revision logs, meeting notes with Zoom links, student assignments, and even stock and purchase lists.
18 of them led to raw survey data containing personally identifiable information.
The comments hold plenty that was never meant to be public.
Conversational comments — including co-authors criticizing each other’s writing — appear in 72% of submissions.
101 submissions use citation keys named fuck1 through fuck7, which leak into PDF metadata via the hyperref package.
Nine hand-verified cases hide prompt-injection instructions aimed at AI reviewers.
269 submissions used redaction-style LaTeX packages — authors who meant to hide something and didn’t do it thoroughly.
By field, computer science papers, and especially those tied to top security venues, carry significantly more hidden information.
Of 1,974 security papers matched against dblp, only 70 were completely clean.
Withdrawing a paper doesn’t remove anything
arXiv has no full-deletion mechanism after publication.
Filing a withdrawal only adds a new version with a withdrawal notice; every old version’s PDF and source stay accessible.
Manual takedown by the operators exists, per the paper, only as an undocumented exception.
flowchart TD
A["Author uploads LaTeX source bundle"] --> B["arXiv compiles it"]
B --> C["PDF published"]
B --> D["Source published, versioned"]
D --> E["archive.org mirrors"]
D --> F["Official S3 bulk data"]
D --> G["Third-party downloads"]
H["Author files a withdrawal"] --> I["New version with withdrawal notice"]
I --> J["Old PDF and source remain available"]
Sources are also redistributed in bulk through archive.org mirrors and arXiv’s official S3 dataset, so even if something disappeared from arXiv itself, third-party copies would remain.
This study was built on that bulk data.
The new submission system introduced in April 2025 prompts authors to remove unused files in the root directory, but not in subdirectories; the paper observed no visible change in submission behavior.
arXiv and its authors are not on the same page
The team also did responsible disclosure.
They found that arXiv’s hide-source feature had two inconsistent implementations — one merely hides the download link, the other actually denies access — reported it in October 2025, and arXiv fixed it promptly as a bug.
But when they asked arXiv to help notify authors with exposed credentials, arXiv declined to share email addresses citing author privacy, and did not respond to a request to forward the notifications.
The paper reads this as arXiv’s consistent position: cleaning your source is your own responsibility.
The team collected addresses themselves and directly notified 2,660 authors across 1,141 papers in November 2025.
As of March 2026, they could confirm attempted cleanup in just 18 submissions.
Seven authors uploaded a new version without realizing the old one stays available.
In the follow-up survey (112 responses), only 41% of authors knew arXiv publishes sources at all.
28% knew cleaning tools exist, and 11% use one routinely.
The team also ran a honeypot: a May 2025 submission seeded with decoy URLs in all three dimensions.
URLs in the PDF got visits; URLs present only in the source were never accessed.
At least for now, there is no sign of large-scale scanning aimed at arXiv sources.
What to do before you submit
The paper benchmarks the existing cleaning tools.
The Perl one-liner arXiv has endorsed since 2005 only strips line comments.
Google’s arxiv-latex-cleaner helped in 91% of submissions but broke the PDF in 19% and doesn’t touch metadata.
Its real-world adoption: 538 of 2.7 million submissions, or 0.10%.
The team’s own ALC-NG detects unused files via pdflatex’s recorder, strips metadata with exiftool, removes comments from tree-sitter syntax trees, and finally verifies the output against the original PDF pixel by pixel.
In their evaluation it helped in 98% of submissions and produced a pixel-identical PDF in 87%.
It’s on GitHub.
For anything already submitted, there is no way to delete the source.
Revoking exposed API keys and tokens, and changing permissions on shared links, is currently the only fix that works.