AI Sec Watch

WeKnora has a vulnerability where a malicious MCP server (a remote tool provider that integrates with AI clients) can hijack legitimate tools by exploiting how tool names are generated. An attacker registers a fake tool with the same name as a real one (like `tavily_extract`), which overwrites the legitimate version in the tool registry (the list of available tools). The attacker can then trick the LLM into executing their malicious tool and leak sensitive information like system prompts through prompt injection (hiding instructions in tool outputs that the AI treats as commands).

WeKnora has a broken access control vulnerability (BOLA, or broken object-level authorization, where an attacker can access resources they shouldn't by manipulating object IDs) in its tenant management system that allows any authenticated user to read, modify, or delete any tenant without permission checks. Since anyone can register an account, attackers can exploit this to take over or destroy other organizations' accounts and access their sensitive data like API keys.

Palantir's stock rallied 15% this week after the U.S. attacked Iran, because the company relies on government spending for about 60% of its revenue and works heavily with military and intelligence agencies. Wall Street showed little concern about the U.S. government blacklisting Anthropic (an AI company that had partnered with Palantir on defense projects), as analysts noted there are alternative AI models available and that replacing Anthropic's systems will take time but is manageable.

Flowise incorrectly whitelisted the NVIDIA NIM router (`/api/v1/nvidia-nim/*`) in its authentication middleware, allowing anyone to access sensitive endpoints without logging in. This lets attackers steal NVIDIA API tokens, manipulate Docker containers, and cause denial of service attacks without needing valid credentials.

Flowise has a critical IDOR (insecure direct object reference, a flaw where an app trusts user input to identify which data to access without checking permissions) vulnerability in its login configuration endpoint. An attacker with a free account can modify any organization's single sign-on settings by simply specifying a different organization ID, enabling account takeover by redirecting logins to attacker-controlled credentials and bypassing enterprise license restrictions.

A mass assignment vulnerability (a type of attack where an attacker controls internal fields by sending them in a request) exists in Flowise's `/api/v1/leads` endpoint, allowing unauthenticated users to override auto-generated fields like `id`, `createdDate`, and `chatId` by including them in the request body. The vulnerability occurs because the code uses `Object.assign()` to copy all properties from user input directly into the database entity without filtering, bypassing the intended auto-generation of these fields.

London Mayor Sadiq Khan invited AI company Anthropic to expand in the city after the U.S. Pentagon designated it a supply chain risk (a label meaning the government views the company as not secure enough to work with) because Anthropic refused to give defense agencies unrestricted access to its AI tools and raised concerns about using its Claude model for mass surveillance or autonomous military targeting. The company plans to challenge the Pentagon's designation in court, and Microsoft announced it would continue using Anthropic's technology except for the U.S. Department of Defense.

Agentgateway is an open source data plane (a software layer that handles data movement for AI agents working across different frameworks) that had a security flaw in versions before 0.12.0, where user input in paths, query parameters, and headers were not properly cleaned up when converting tool requests to OpenAPI format. This lack of input validation (CWE-20, checking that data matches expected rules) could potentially be exploited, but the vulnerability has been patched.

Amazon announced that AWS customers can continue using Anthropic's Claude AI models for all work except Department of Defense projects, after the federal government labeled Anthropic a "supply chain risk." Anthropic says it will challenge this designation in court, and major cloud providers (Amazon, Microsoft, and Google) are helping customers transition to alternative AI models for defense-related work.