If you have ...
- A master public key + a private key that is derived from it
Then there may be a way for an attacker to find the master key.
That only applies to non-hardened private key derived from xpub. If the wallet create hardened public key/address, it's impossible to that, even though you need master private key (xprv / xpriv) if you want to generate new address.