AI Sec Watch

Open WebUI's `/api/v1/retrieval/` endpoint exposes RAG (retrieval-augmented generation, a technique where an AI pulls in external documents to answer questions) configuration details like embedding models and chunking parameters to anyone on the internet without requiring login credentials. An attacker can make a single HTTP request to discover the AI infrastructure setup and craft attacks that exploit how documents are split and retrieved.

Open WebUI has a security flaw where an internal-only parameter called `bypass_filter` is accidentally exposed through the HTTP query string on chat endpoints. Any authenticated user can append `?bypass_filter=true` to requests, which skips access control checks (the rules that prevent regular users from using admin-restricted models), allowing them to use models they shouldn't have permission to access.

In Open WebUI v0.6.40, a regular user can view the system prompt (the hidden instructions that control how an AI model behaves) that an admin set up, by making a simple web request to /api/models. This exposes confidential information because attackers can learn how the model works internally and potentially manipulate its behavior.

This is a routine release (v0.14.22) of LlamaIndex, an AI framework for building applications with large language models. The update includes multiple dependency updates across 55 directories, fixes to embedding events and memory handling, a new multimodal synthesis feature, and security improvements to prevent unintended data mutation in LLM responses.

Open WebUI has a stored cross-site scripting (XSS) vulnerability in its SVG renderer, meaning an attacker can permanently save malicious HTML and JavaScript code that runs when other users view it. An attacker can trick the SVG editor into executing arbitrary code by adding malicious payloads like `<img src=a onerror=alert(document.domain)>`, which could be used to steal sensitive data or take over user accounts when the compromised conversation is shared.

Open WebUI has a security flaw where API key restrictions can be bypassed by using the `x-api-key` header (a custom header for authentication) instead of the standard `Authorization` header. An admin can restrict what endpoints an API key can access, but the same key sent via `x-api-key` bypasses these restrictions entirely and allows full access to protected endpoints like the messages API.

A vulnerability in Amazon SageMaker Python SDK (a tool for building machine learning models on AWS) allows an attacker with write access to S3 (Amazon's cloud storage service) to execute malicious code by replacing model files with a specially crafted pickle file (a Python format for storing objects) that isn't checked for authenticity before being used. This only affects versions before v2.257.2 and v3.8.0, and requires the attacker to already have permission to write to the storage location.

Amazon SageMaker Python SDK has two critical vulnerabilities in its model deployment tools. CVE-2026-8596 exposes an encryption key as plaintext in APIs, allowing attackers to forge signatures and run malicious code, while CVE-2026-8597 skips integrity checks when loading model files, letting attackers replace them with malicious code that executes without verification. Both vulnerabilities require the attacker to have certain AWS permissions and access to model storage.

OpenAI is adding Codex, its AI tool that can write code and control applications on computers, to the ChatGPT mobile app so users can access it from their phones. This move responds to competition from Anthropic's Claude Code, and follows OpenAI's recent major update that enabled Codex to operate apps on macOS computers.