AI Sec Watch

LangGraph versions before 4.0.0 have a remote code execution vulnerability in their caching layer when applications enable cache backends and opt nodes into caching. The vulnerability occurs because the default serializer uses pickle deserialization (a Python feature that can execute arbitrary code) as a fallback when other serialization methods fail, allowing attackers who can write to the cache to execute malicious code.

The zae-limiter library has a security flaw where all rate limit buckets for a single user share the same DynamoDB partition key (the identifier that determines which storage location holds the data), allowing a high-traffic user to exceed DynamoDB's write limits and cause service slowdowns for that user and potentially others sharing the same partition. This vulnerability affects multi-tenant systems, like shared LLM proxies (AI services shared across multiple customers), where one customer's heavy traffic can degrade service for others.

n8n, a workflow automation tool, has a vulnerability where authenticated users with permission to create or modify workflows can exploit expression evaluation (the process of interpreting code within workflow parameters) to execute arbitrary system commands on the host server. This is a serious security flaw because it allows attackers to run unintended commands on the underlying system.

Flaws have been discovered in Claude (an AI assistant) that can put developers' computers at risk when Claude is used in software development workflows. These vulnerabilities could potentially affect supply chains, which are the networks of companies and systems that work together to deliver software and products.

n8n (a workflow automation tool) has a vulnerability where an authenticated user with workflow editing permissions could combine the Read/Write Files from Disk node (a component that modifies files on the server) with git operations (version control commands) to execute arbitrary shell commands (any commands an attacker chooses) on the n8n server. This requires the attacker to already have valid user access.

n8n, a workflow automation tool, has a vulnerability where authenticated users with workflow editing permissions could use the Merge node's SQL query mode to execute arbitrary code (running any commands they want on the server) and write files to the n8n server. This is a serious security issue because it lets trusted insiders cause significant damage.

n8n, a workflow automation tool, has a sandbox escape vulnerability in its JavaScript Task Runner that lets authenticated users run code outside the sandbox (a restricted environment for running untrusted code). On default setups, this could give attackers full control of the n8n server, while on systems using external task runners, attackers could impact other workflows.

n8n had a vulnerability in its Form nodes where an unauthenticated attacker could inject malicious code by submitting specially crafted form data that starts with an equals sign (=), which the system would then execute as an expression. While this vulnerability alone is limited, it could potentially lead to remote code execution if combined with another type of attack that bypasses n8n's expression sandbox (a security boundary that restricts what code can access).

Google and Samsung announced that Gemini, Google's AI assistant, will soon handle multi-step tasks on phones like ordering food or booking rides, starting with Pixel 10 and Galaxy S26 phones. This represents agentic AI features (AI that can take multiple actions toward a goal) that Apple had planned for Siri but delayed in March 2025 and hasn't yet released.