AI Sec Watch

Google is adding a feature called "notebooks" to Gemini (its AI chatbot) that lets users organize files, past conversations, and custom instructions about specific topics in one place. Gemini can then use this organized information as context (background information the AI considers) when answering questions, similar to ChatGPT's Projects feature from 2024.

CyberAgent, a Japanese internet company, adopted ChatGPT Enterprise and Codex to make AI a foundational technology across their organization rather than just an isolated initiative. The company faced challenges around security concerns and uncertainty about what data could safely be shared with AI tools, which slowed adoption and created inconsistent usage across departments.

A federal appeals court in Washington, D.C. denied Anthropic's request to temporarily block the Department of Defense's blacklisting of the company as a supply chain risk (a designation claiming the company's technology threatens U.S. national security). The ruling means Anthropic is excluded from DOD contracts, though a separate court earlier granted Anthropic an injunction allowing it to continue working with other government agencies while the lawsuit challenging the blacklisting continues.

OpenAI's CFO announced that the company plans to reserve shares for individual investors when it goes public through an initial public offering (IPO, the first time a private company sells shares to the public). The company saw strong demand from regular retail investors during its recent funding round and wants to ensure broad public participation in ownership, following models used by other companies like Tesla and Block.

Anthropic has developed an AI model called Claude Mythos that is unusually good at finding software vulnerabilities (security weaknesses in code), and it discovered thousands of these flaws in commonly-used applications that don't yet have fixes available. The company decided not to release Mythos widely to the public because they worry it could enable widespread hacking, and instead partnered with cybersecurity specialists to improve defenses before wider distribution.

Amazon Bedrock AgentCore's starter toolkit automatically creates overly broad IAM roles (identity and access management policies that control what actions software can perform) that grant a single AI agent excessive permissions across an entire AWS account, enabling an attack called Agent God Mode. If compromised, an attacker could exploit these permissions to access other agents' memories, steal container images, and extract sensitive data. AWS updated its documentation to warn that the default roles are only for development and testing, not production use.

PraisonAI has a critical vulnerability where the `execute_command` function and workflow shell execution pass user-controlled input directly to `subprocess.run()` with `shell=True`, allowing attackers to inject arbitrary shell commands through YAML workflow files, agent configurations, and LLM-generated tool calls by exploiting shell metacharacters like semicolons and pipes.

LangChain had incomplete validation of f-string templates (a Python feature for inserting variables into text) in some prompt template classes. Attackers who could control the template structure could use attribute access (like `object.field`) or indexing (like `array[0]`) to expose internal data from Python objects being formatted. This issue only affected applications that allow untrusted users to write templates, not those using hardcoded templates or only letting users provide variable values.

A security vulnerability (CVE-2026-5803) was found in bigsk1 openai-realtime-ui that allows attackers to perform SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests to other systems) through the API Proxy Endpoint in server.js by manipulating a query argument, and this flaw can be exploited remotely. The product uses continuous delivery with rolling releases, so specific affected versions are not documented.