AI Sec Watch

LlamaIndex v0.14.18 is a release that deprecates Python 3.9 (stops supporting an older version of the Python programming language) across multiple packages and includes several bug fixes, such as preserving chat history during incomplete data streaming and preventing division-by-zero errors. The update also adds features like improved text filtering across different database backends and maintains dependencies across 51 directories.

The Bedrock AgentCore Starter Toolkit (a tool for building AI agents on AWS) before version v0.1.13 has a vulnerability where it doesn't properly verify S3 ownership (S3 is AWS's cloud storage service). This missing check could allow an attacker to inject malicious code during the build process (when the software is being compiled), potentially leading to code execution in the running application. The vulnerability only affects users who built the toolkit after September 24, 2025.

OpenAI has agreed to allow the Pentagon to use its AI technology in classified military environments, raising questions about potential applications in the escalating conflict with Iran. The article describes how OpenAI's generative AI (AI that can produce text, images, or other outputs based on patterns) could be used to help analyze potential military targets and prioritize strikes, as well as through a partnership with Anduril to defend against drone attacks, marking the first serious military testing of generative AI for real-time combat decisions.

Encyclopedia Britannica and Merriam-Webster sued OpenAI, claiming it used their copyrighted content to train ChatGPT without permission and that GPT-4 (OpenAI's AI model) now outputs text that closely matches their original material. The publishers allege that OpenAI 'memorized' their content during training, meaning the AI absorbed and can reproduce substantial portions of their work.

A vulnerability (CVE-2026-4270) exists in AWS API MCP Server versions 0.2.14 through 1.3.8, which is software that lets AI assistants interact with AWS services. The bug allows attackers to bypass file access restrictions (the security controls that limit which files an AI can read) and potentially read any file on the system, even when those restrictions are supposed to be enabled.

ONNX's onnx.hub.load() function has a security flaw where the silent=True parameter completely disables warnings and user confirmations when loading models from untrusted repositories (sources not officially verified). This means an attacker could trick an application into silently downloading and running malicious models from their own GitHub repository without the user knowing, potentially allowing theft of sensitive files like SSH keys or cloud credentials.

CVE-2026-26133 is a vulnerability in Microsoft 365 Copilot where an attacker can use AI command injection (tricking the AI system by embedding hidden commands in normal-looking input) to access and disclose information over a network without authorization. The vulnerability has a CVSS score (a 0-10 rating of how severe a security flaw is) of 4.0, indicating moderate severity.

CVE-2026-25083 is a missing authorization vulnerability in GROWI (a collaboration platform) affecting version 7.4.5 and earlier. A logged-in user who knows the identifier of a shared AI assistant can view and modify other users' conversation threads and messages without permission, because the API endpoints don't properly verify whether the user should have access. This is rated as HIGH severity with a CVSS score (a 0-10 scale measuring vulnerability severity) of 8.7.

CVE-2025-15060 is a remote code execution vulnerability in claude-hovercraft that allows attackers to run arbitrary code without needing to log in. The flaw exists in the executeClaudeCode method, which fails to properly validate user input before using it in a system call (a request to run operating system commands), allowing attackers to inject malicious commands.