AI Sec Watch

Flowise versions up to 3.0.13 have a remote code execution vulnerability in the Airtable Agent node where user input is sent to an LLM (large language model, an AI that generates text) to generate Python code, which is then executed without proper sandboxing. An attacker can craft malicious prompts that trick the LLM into generating code containing dangerous commands (like imports or system operations) that bypass the validation checks, allowing them to run arbitrary code on the server without needing to log in.

Anthropic, an AI company, met with White House officials after releasing Claude Mythos, an AI tool that can find bugs in old code and autonomously exploit them for security testing. The meeting signals potential collaboration between the government and Anthropic despite previous tensions, as officials discussed balancing innovation with safety concerns around this powerful technology.

Researchers have developed BioGuard, a defense method that protects biometric classifiers (AI systems that identify people using fingerprints, faces, or iris scans) against model extraction attacks (where attackers try to steal or copy the AI model by repeatedly querying it). The method works without needing malicious sample data to train it, making it practical for real-world deployment.

OpenAI experienced multiple executive departures, including the leaders of its video generation product (Sora) and its scientific research division. The company is reorganizing its science team to work more closely with product and infrastructure groups, while also dealing with medical leaves and transitions among other senior leaders.

Cerebras, a company that makes specialized chips for running AI models, filed to go public on Nasdaq after previously canceling IPO plans in 2024. The company reported strong financial growth in 2025 with $510 million in revenue (up 76% from 2024) and has major deals with OpenAI (worth over $20 billion for computing power through 2028) and Amazon, positioning itself as an alternative to Nvidia's GPUs (graphics processing units, specialized processors commonly used for AI tasks) by claiming faster speeds and lower costs.

A researcher discovered that Claude Opus 4.7 can be tricked using an adversarial image (a specially crafted image designed to fool AI systems) generated by ChatGPT to misuse the memory tool and store false information for future conversations. While Claude Opus 4.6+ is harder to attack than earlier versions because it reasons through requests before acting, it remains vulnerable to this type of indirect prompt injection (embedding hidden malicious instructions in images rather than text).

OpenTelemetry eBPF Instrumentation (OBI) has a vulnerability where a local attacker controlling a Java process can overwrite arbitrary host files when Java injection is enabled and OBI runs with elevated privileges (special system permissions). The flaw occurs because the injector trusts an environment variable called TMPDIR from the target process without proper validation, and uses unsafe file creation methods that allow symlink attacks (where an attacker creates a link pointing to a different file to trick the system into overwriting it).

Claude Code on Windows had a security flaw where it loaded configuration files from a shared system directory without checking who owned that directory or had permission to change it. Since regular users could write to this directory by default, an attacker could create a malicious configuration file that would run with elevated privileges when another user launched Claude Code, allowing a local privilege escalation (unauthorized access to higher-level permissions).

QQBot media tags in the openclaw package could read arbitrary local files through reply text by referencing host-local paths outside the intended media storage boundary, allowing attackers to disclose local files through outbound media handling. This vulnerability affected openclaw versions before 2026.4.10.