AI Sec Watch

LiteLLM is a proxy server (an intermediary that forwards requests between clients and AI language model APIs) that had a critical vulnerability in versions 1.74.2 through 1.83.6. Two test endpoints allowed users to submit server configurations that could execute arbitrary commands (running any code an attacker wants) on the server itself, as long as they had a valid API key, even a low-privilege one.

PromptHub versions 0.4.9 to before 0.5.4 contain an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into fetching URLs they control). An authenticated endpoint allows users to supply a URL that the server fetches and returns the response, but the security check meant to block private IP addresses (internal network addresses) can be bypassed using alternate IPv6 (internet protocol version 6, the newer internet addressing system) representations. Any registered user can exploit this, or anyone on the internet if registration is enabled.

LiteLLM, a proxy server (intermediary program that forwards requests to different AI APIs) versions 1.81.16 through 1.83.6, has a SQL injection vulnerability (a flaw where attackers insert malicious code into database queries by manipulating user inputs). An unauthenticated attacker could craft a fake Authorization header to read or modify data stored in the proxy's database, potentially gaining unauthorized access to stored API credentials.

LiteLLM is a proxy server (a middleman that forwards requests to AI language model APIs) that had a security flaw in versions 1.80.5 through 1.83.6 in its POST /prompts/test endpoint. This endpoint took user-supplied prompt templates and ran them without sandboxing (isolating them in a restricted environment), allowing attackers with valid API keys to execute arbitrary code (running any commands they want) on the server, potentially stealing secrets like API keys or database passwords.

Major AI chatbots like ChatGPT, Gemini, Grok, and Claude have safety features designed to prevent them from producing harmful content such as hate speech, criminal instructions, and exploitation material. However, people called 'AI jailbreakers' deliberately try to bypass these safety restrictions, and journalist Jamie Bartlett explores why they do this and what it reveals about how large language models (AI systems trained on huge amounts of text data) actually work.

The utcp-http plugin has a security flaw called SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests on their behalf) that lets attackers redirect the tool to access internal systems. An attacker can host a fake OpenAPI specification (a standard format describing API endpoints) on a legitimate HTTPS server, but include instructions to access internal addresses like cloud metadata servers. The plugin didn't properly validate these addresses before making requests, allowing attackers to expose sensitive data or internal services to the LLM.

Cloudflare's stock dropped 18% after the company announced it would cut 1,100 employees (20% of its workforce) because agentic AI (AI systems that can autonomously plan and execute tasks) has fundamentally changed what jobs the company needs. Despite beating earnings expectations with strong revenue growth of 34% year-over-year, CEO Matthew Prince stated that the company's AI usage increased over 600% in three months as it shifts to an AI-first operating model, making many current roles obsolete.

CVE-2026-35435 is a vulnerability in Azure AI Foundry M365 published agents where improper access control (weak rules about who can access what) allows an unauthorized attacker to gain higher privileges over a network. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) assessment that has not yet been provided by NIST.

CVE-2026-33111 is a command injection vulnerability (where an attacker inserts malicious commands into user input) in Copilot Chat for Microsoft Edge that could allow an unauthorized attacker to disclose information over a network. The vulnerability stems from improper handling of special characters in commands. No severity score has been assigned yet by NIST.