AI Sec Watch

Twenty, an open-source CRM platform, had a vulnerability before version 2.9.0 where authenticated users could access other workspaces' AI agent data through IDOR (insecure direct object reference, a flaw where the system doesn't verify that requested data belongs to the user). Attackers with access to a workspace could view other users' chat histories, tool calls, and outputs by knowing their agent or turn IDs, which were visible in the settings page URL.

A U.S. Congresswoman claimed her staff used AI only for "spellcheck" when writing a summary of a defense bill amendment, not for drafting the actual legislation. Screenshots shared online showed what appeared to be Claude (an AI assistant) being used to generate the amendment summary, prompting the congresswoman to deny that AI was used to write any actual laws.

LlamaIndex v0.14.23 is a maintenance release that updates dependencies (uv and pip, which are Python package managers) across multiple directories and fixes various bugs in the core library. Key fixes include handling empty input sequences, preserving video and document blocks in memory, resolving recursion errors in text splitting, and preventing state mutation issues in workflows.

A vulnerability in Firebase Studio (Google's backend service for building apps) allowed authenticated users to access and download source code and list storage buckets belonging to other users' projects. The vulnerability has already been fixed and deployed to the backend service.

The article explains that while casual prompt testing (trying unusual inputs to see if an AI refuses them) is accessible to anyone, it is insufficient for enterprise AI systems. Enterprise AI is more complex because it includes policies, retrieval pipelines (systems that fetch information from databases), APIs (interfaces allowing programs to communicate), tools, permissions, workflows, and data sources, requiring more rigorous testing approaches.

Warp is an agentic development environment (a tool that helps developers write code with AI assistance) that contained a command injection vulnerability (a flaw where specially crafted input can trick a system into running unintended commands) in its branch selector feature. An attacker who could publish a malicious Git branch name to a repository could cause that branch name to be executed as a shell command (instructions sent directly to the operating system) when a victim selected it from Warp's user interface.

Docling is a tool that converts documents in different formats and connects them with AI systems. Between versions 2.73.0 and 2.91.0, it had a security flaw in how it processed LaTeX files (a document formatting language), where attackers could use path traversal (a technique to access files outside intended directories) to read sensitive files like credentials or configuration data from a system.

Docling is a tool that reads different document formats and connects them to AI systems. Versions 2.13.0 through 2.74.0 had a security flaw in how they read USPTO patent XML files (XML, a format for storing structured data): they didn't protect against XXE attacks (XML External Entity attacks, where specially crafted files trick the parser into reading files from the server or making unwanted network requests). An attacker could use this flaw to steal files, perform SSRF attacks (server-side request forgery, making the server request data it shouldn't), or crash the system.

Docling is a tool that processes documents in different formats and connects with AI systems. Before version 2.91.0, it had a security flaw where it downloaded AI models (EasyOCR) and extracted compressed files (ZIP archives) without checking if the file paths were safe, allowing a Zip Slip attack (a technique where specially crafted archive files extract to unintended locations). If an attacker could intercept or compromise the model download, they could write malicious files anywhere on the system, potentially taking complete control of it.