AI Sec Watch

The `ApprovalInbox` HTTP server in network-ai (version 5.11.0 and earlier) has no authentication and allows cross-origin requests (CORS, a mechanism that controls which websites can access a server). This means anyone who can reach the server—whether through the same computer, a website you visit in your browser, or a network connection—can view pending approvals and approve them without permission, bypassing the human-in-the-loop control (a safety check requiring a person to review high-risk actions before they run). This defeats protections meant to prevent the AI from executing dangerous operations like shell commands without consent.

Network-AI's AgentRuntime sandbox uses a flawed string-prefix check to keep file access within a configured base directory, but the check is too broad. A sandbox at `/tmp/network-ai-sandbox` also matches the sibling directory `/tmp/network-ai-sandbox_evil`, allowing agents to read or list files outside the intended sandbox boundary. This vulnerability affects Network-AI version 5.12.1 and has a medium severity CVSS score (a 0-10 rating of how severe a vulnerability is).

Langflow's file-reading components (like Read File and Docling) have a vulnerability where attackers can use symlinks (shortcuts that point to other files) hidden inside compressed files to read any file on the system, potentially stealing secret keys and executing arbitrary code. An attacker could steal the JWT token secret (used for authentication), forge login tokens for any user, and then run malicious code through the Python Interpreter node.

An attacker can crash Langflow (an AI application framework) by sending a specially crafted file upload request with an extremely long multipart form boundary (a delimiter used in form data) without needing to log in, making the server unusable for all users indefinitely. The vulnerability exists because the server tries to process the malformed data before checking if the user is authenticated.

Langflow's logout button fails to properly clear user sessions, leaving authentication tokens (access_token_lf and refresh_token_lf) in the browser's storage, so the previous user remains logged in until someone else logs in explicitly. This happens because the logout endpoint doesn't delete cookies with the same security settings they were created with, and the frontend doesn't clear stored tokens either. On shared computers, users may incorrectly think they've logged out when they haven't.

Langflow versions before 1.9.1 had an IDOR vulnerability (insecure direct object reference, where attackers can access resources by guessing or knowing their ID) in the `/api/v1/responses` endpoint that allowed any authenticated user to execute another user's workflow by specifying that user's flow ID, potentially exposing sensitive data and wasting resources. The bug existed because the code queried the database directly using a flow's unique identifier without checking if the requesting user actually owned that flow.

Microsoft researchers discovered AutoJack, an exploit that lets a malicious web page hijack an AI browsing agent to run commands on the host computer through weaknesses in AutoGen Studio's MCP (Model Context Protocol, a system for agents to call external tools) WebSocket handler. The attack requires no credentials or user interaction beyond the agent loading the attacker's page, and affects only users who installed pre-release versions 0.4.3.dev1 or 0.4.3.dev2 from PyPI, not the stable release.

The agentic-flow tool versions 2.0.13 and earlier had a critical vulnerability where user input was directly inserted into shell commands without sanitization, allowing attackers to inject arbitrary OS commands (CWE-78, a type of command injection). This affected multiple MCP server tools, particularly those handling agent and database parameters, and could be exploited through untrusted content processed by the AI agent.

Ouroboros-ai had an incomplete security fix where a malicious project's `.env` file (configuration file automatically loaded when code imports the package) could still enable remote code execution (RCE, where an attacker runs commands on your system) through missing environment variable names in the denylist (block list). Additionally, the software was auto-loading configuration files from the current working directory without checking if they were trustworthy, allowing attackers to execute arbitrary commands just by running the tool inside a malicious repository.