AI Sec Watch

Daytona is a platform for running code created by AI in a secure way. Before version 0.184.0, there was a security flaw where someone could accept organization invitations without verifying their email address, potentially allowing an attacker to join an organization with high-level permissions by using a fake email account.

Daytona is a platform that runs code generated by AI in a controlled environment (sandbox, which is an isolated space). Before version 0.186, it had a path-traversal vulnerability (a weakness where an attacker can use special character sequences like '../' to access files outside intended directories) that could let someone access files outside the intended storage volume directory by manipulating the volume reference sent to the runner.

A vulnerability called 'Cordyceps' exploits weaknesses in CI/CD workflows (automated systems that test and deploy code changes) to inject malicious pull requests (code change proposals) into popular developer tools like Azure Sentinel, Google's AI Agent Development Kit, Apache Doris, Cloudflare Workers SDK, and Python's Black. Attackers can use this method to compromise the software supply chain, potentially affecting many developers who use these tools.

Daytona is a platform that runs code generated by AI safely and efficiently. Before version 0.185.0, it had a cross-tenant authorization flaw (a security problem where access controls between separate organizations failed), which let any logged-in user listen to another organization's real-time notifications and see their events without permission.

Daytona, a tool for running AI-generated code safely, had a security flaw before version 0.185.0 where it didn't verify TLS certificates (the security credentials that prove a website is authentic) when cloning Git repositories (copying code from remote servers). This meant an attacker intercepting the connection could steal Git credentials (login information) and replace the real code with fake, harmful code.

Open WebUI, a self-hosted AI platform that runs offline, had a vulnerability before version 0.9.6 where authenticated users could bypass access controls by manipulating a url_idx parameter (a number used to select which backend server to use). This allowed them to reach Ollama backends (the AI model servers) they shouldn't have access to, including internal or admin-disabled ones, because the system only checked if they could use a model but not which backend server they were routed to.

Open WebUI, a self-hosted AI platform that runs offline, had a security flaw in versions before 0.9.6 where access controls (ACL, rules that restrict who can access what) could be bypassed when a database feature called Milvus multitenancy mode was enabled. An attacker could exploit this by using a specially crafted collection name that wasn't properly cleaned before being used in a database query, allowing them to access data they shouldn't be able to reach.

Immunologist Derya Unutmaz used GPT-5 Pro in late 2025 to solve a three-year-old mystery about how glucose affects T cell development (immune cells that fight disease). His lab had run an experiment in 2022 showing that deoxyglucose (a glucose-like molecule that disrupts a cell's energy production) caused T cells to become inflammatory-response cells at much higher rates than low glucose alone, but they couldn't explain why. GPT-5 Pro analyzed the data and suggested that deoxyglucose interfered with IL-2 protein construction, which normally prevents T cells from becoming inflammatory cells, thereby explaining the unexpected results.

Midjourney, an AI company known for its image generator, announced a new medical imaging product: an experimental ultrasound scanner that would immerse users in water to produce detailed body images similar to MRI (magnetic resonance imaging, a medical scanning technique). Medical imaging experts expressed skepticism about the technology, saying Midjourney has not yet shown sufficient public evidence to support its claims that the system could match or exceed MRI capabilities.