AI Sec Watch

AI researchers report that online creators are using generative AI (artificial intelligence that creates images or videos from text descriptions) to produce fake images and videos of real political figures and entirely fabricated people, sometimes in military or sexualized contexts, to earn money and spread propaganda. These deepfakes (AI-generated fake media of people) are influential in shaping public perception of political figures, even when viewers know the content is not real.

A vulnerability (CVE-2026-4993) was found in wandb OpenUI up to version 1.0 where manipulating the LITELLM_MASTER_KEY argument in the backend/openui/config.py file can expose hard-coded credentials (passwords stored directly in the code). This vulnerability requires local access to exploit and has already been publicly disclosed, though the vendor did not respond to early notification.

Giskard Agents contain a server-side template injection vulnerability in the `ChatWorkflow.chat()` method, which treats user input as Jinja2 template code (a templating language that processes special syntax) instead of plain text. If a developer passes user-provided data directly to this method, an attacker can execute arbitrary code on the server by embedding malicious Jinja2 syntax in their input.

STADLER, a 230-year-old recycling equipment company, embedded ChatGPT (an AI language model that generates human-like text) across its workforce to speed up knowledge work like drafting, summarizing, and translating. The company achieved 30-40% time savings on common tasks, 2.5x faster first drafts, and 85% daily active usage by providing company-wide access, training, and clear guardrails while encouraging bottom-up experimentation.

Langflow, a tool for building AI-powered agents and workflows, had a vulnerability in versions before 1.9.0 where the Agentic Assistant feature would execute Python code generated by an LLM (large language model) on the server. An attacker who could access this feature and control what the model outputs could run arbitrary code (malicious commands) on the server itself.

Nanobot, a personal AI assistant, had a vulnerability in its email module that allowed attackers to send malicious prompts via email, which the bot would automatically process as trusted commands without the owner's knowledge. This is a type of indirect prompt injection (tricking an AI by hiding instructions in its input) that could let attackers run arbitrary system tools through the bot. Version 0.1.6 fixes this flaw.

LibreChat versions 0.8.2-rc1 through 0.8.3-rc1 have a vulnerability where user-created MCP (Model Context Protocol, a system for connecting AI models to external tools) servers can steal OAuth tokens (security credentials used for authentication). An attacker can create a malicious MCP server with special headers that trick LibreChat into substituting sensitive tokens, which are then leaked when victims use tools on that server.

LibreChat (a ChatGPT alternative with extra features) versions 0.8.2-rc2 through 0.8.2-rc3 have a security flaw in the SSE streaming endpoint (a real-time data connection) at `/api/agents/chat/stream/:streamId` that fails to check if a user actually owns a chat stream. This means any logged-in user can guess or obtain another user's stream ID and read their live conversations, including messages and AI responses, without permission.

LibreChat (a ChatGPT alternative with extra features) versions 0.8.2-rc2 through 0.8.2 have a vulnerability that allows attackers to access internal systems through SSRF (server-side request forgery, where an attacker tricks a server into making requests to resources it shouldn't access). Even though a previous SSRF fix was applied, it only checked domain names and didn't verify whether those names actually point to private IP addresses (internal network addresses), leaving the system exposed.