AI Sec Watch

MLflow contains a vulnerability (CVE-2026-2635) where hard-coded default credentials are stored in the basic_auth.ini file, allowing remote attackers to bypass authentication without needing valid login information and potentially execute code with administrator privileges. This flaw exploits the use of default passwords, a common security mistake where systems ship with unchangeable built-in login credentials.

TensorFlow has a vulnerability where it loads plugins from an unsafe location, allowing attackers who already have low-level access to a system to gain higher privileges (privilege escalation, where an attacker gains elevated permissions to do things they normally couldn't). An attacker exploiting this flaw could run arbitrary code (any commands they choose) with the same permissions as the target user.

MLflow Tracking Server has a directory traversal (a flaw where an attacker uses special path characters like '../' to access files outside intended directories) vulnerability in its artifact file handler that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability exists because the server doesn't properly validate file paths before using them in operations, letting attackers run code with the permissions of the service account running MLflow.

OpenAI is lowering its compute spending target to around $600 billion by 2030, down from a previously announced $1.4 trillion, because investors worried the company's expansion plans were too ambitious compared to expected revenue. The company projects $280 billion in revenue by 2030 and is raising over $100 billion in funding to support its infrastructure investments and compete with rivals like Google and Anthropic.

Taalas, a Canadian hardware startup, has created custom silicon (specialized computer chips) that runs Llama 3.1 8B (a type of AI language model that processes text) at 17,000 tokens per second (units of text the AI can process). The hardware uses aggressive quantization (a technique that compresses the model by reducing precision of its numerical values) with 3-bit and 6-bit parameters (different levels of data compression), and their next version will use 4-bit compression.

OpenClaw's ACP bridge (a local communication protocol for IDE integrations) didn't check prompt size limits before processing, causing the system to accept and forward extremely large text blocks that could slow down local sessions and increase API costs. The vulnerability only affects local clients sending unusually large inputs, with no remote attack risk.

This advisory describes a vulnerability in Google Cloud Vertex AI related to predictable bucket naming (a bucket is a container for storing data in cloud storage). The content provided explains the framework used to assess vulnerability severity through metrics like attack vector, complexity, and required privileges, but does not describe the actual vulnerability details, its impact, or how it affects users.

This advisory describes a stored XSS (cross-site scripting, where malicious code is saved and executed when users view a webpage) vulnerability in Google Cloud Vertex AI SDK. The text provided explains the CVSS scoring framework (a 0-10 rating system for vulnerability severity) used to evaluate this vulnerability, covering factors like how an attacker could exploit it, what privileges they need, and what systems could be impacted.

Ray's dashboard HTTP server (a web interface for monitoring Ray clusters) doesn't block DELETE requests from browsers, even though it blocks POST and PUT requests. This allows someone on the same network or using DNS rebinding (tricking a domain to point to a local address) to shut down Serve (Ray's serving system) or delete jobs without authentication, since token-based auth is disabled by default. The attack requires no user interaction beyond visiting a malicious webpage.