AI Sec Watch

n8n, a workflow automation tool, has a security flaw in its Merge node's SQL mode that allows authenticated users to read files from the server and execute arbitrary code (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability exists because the AlaSQL sandbox (a restricted environment meant to safely run SQL code) did not properly block certain dangerous SQL statements.

This is a release update for LlamaIndex v0.14.19, a framework for building AI applications with large language models. The update includes multiple bug fixes across different components, such as correcting how document references are deleted from storage and fixing how database schemas are processed, along with dependency updates and new features like support for additional LLM providers.

Disney's new CEO is facing two major setbacks: OpenAI is shutting down its Sora image-generation program (software that creates images from text descriptions) just after Disney invested $1 billion to use it on Disney Plus, and Epic Games is laying off 1,000 employees while their $1.5 billion metaverse (a shared virtual world) project with Disney has gone quiet. These failures highlight risks in Disney's strategy to use AI and virtual worlds for future growth.

A vulnerability in the @grackle-ai/server package fails to handle errors when parsing JSON configuration data in three locations within its gRPC service (a remote procedure call system for inter-process communication). If the underlying SQLite database becomes corrupted or enters an unexpected state, the code could crash without gracefully reporting an error, and the unvalidated parsed data could theoretically be exploited if the database is compromised.

The @grackle-ai/server software doesn't set the Secure flag on its session cookie (a flag that prevents the cookie from being sent over unencrypted connections). While this is safe for local use, enabling the `--allow-network` option exposes the cookie to interception over insecure connections, allowing attackers to steal session data.

The Grackle AI server was missing three important HTTP security headers (Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options) that protect against XSS attacks (where malicious code is injected into a webpage), clickjacking (tricking users into clicking hidden elements), and MIME-sniffing attacks (where browsers misinterpret file types). While current XSS risks are low, the missing headers remove a safety layer that would help prevent future vulnerabilities.

The PowerLine gRPC server (a service that runs code through remote procedure calls, which is a way for programs to request actions from each other over a network) from @grackle-ai/powerline runs without any authentication by default when a token is not provided, allowing anyone who can reach the server to execute code and access credentials. Although the server only listens on localhost (127.0.0.1, the local machine) by default, it becomes critically dangerous if accidentally exposed on a network through containers or port forwarding.

The Grackle AI server has a security flaw where its WebSocket upgrade handler (a protocol for real-time two-way communication) doesn't check the Origin header, which identifies where a connection request comes from. This allows a malicious webpage to hijack a WebSocket connection if a user is logged in, potentially letting an attacker see real-time session data and task updates through cross-origin WebSocket hijacking (an attack where a different website tricks your browser into connecting to an unintended service).

The @grackle-ai/mcp library has a workspace authorization bypass vulnerability in its knowledge_search and knowledge_get_node tools. These tools are marked as available to scoped agents (agents with limited permissions tied to a specific workspace), but they don't properly check which workspace a user belongs to, allowing a scoped agent in Workspace A to access sensitive data from Workspace B by specifying an arbitrary workspaceId parameter.