AI Sec Watch

ONNX's `save_external_data` method contains a TOCTOU vulnerability (time-of-check-time-of-use, a gap between checking if a file exists and using it) that allows attackers to overwrite arbitrary files by creating symlinks (shortcuts to other files) between those two operations. The code also has a potential path validation bypass on Windows systems that may allow absolute paths to be used.

PraisonAI's `FileTools.download_file()` function has a security flaw called SSRF (server-side request forgery, where a server is tricked into making requests to unintended targets) because it doesn't validate URLs before downloading files. An attacker can make it download from internal services or cloud metadata endpoints, potentially stealing credentials or accessing restricted information.

PraisonAI's SubprocessSandbox has a critical security flaw where it uses `shell=True` (a setting that makes subprocess execute commands through a shell) and only blocks certain command names, but doesn't block `sh` or `bash` executables, allowing attackers to escape the sandbox by running commands like `sh -c '<command>'` even in STRICT mode. This means security protections meant to isolate untrusted AI code can be bypassed, giving attackers access to the network, files, and system information.

PraisonAI's `passthrough()` function accepts a user-controlled `api_base` parameter (the server address to send requests to) and uses it without validation when the primary request method fails. This allows an attacker to make the server send requests to any address it can reach, including internal services like cloud metadata servers that contain sensitive credentials, a vulnerability called SSRF (server-side request forgery, where an attacker tricks a server into requesting internal resources). The flaw affects PraisonAI version 1.5.87 and potentially others.

PraisonAI's `run_python()` function has a shell injection vulnerability (a security flaw where attackers can sneak in operating system commands) because it doesn't properly escape shell metacharacters like `$()` and backticks when building commands. An attacker can inject arbitrary OS commands by embedding `$()` in code passed to the function, leading to full command execution on the system.

The `execute_code()` function in PraisonAI uses a sandbox to restrict what Python code can do, but attackers can bypass all three security layers by creating a custom `str` subclass (a modified version of the string type) with an overridden `startswith()` method, allowing them to run arbitrary OS commands on the host system. This is especially dangerous because many deployments auto-approve code execution without human review, so an attacker could trigger the vulnerability silently through indirect prompt injection (sneaking malicious instructions into the AI's input).

datasette-llm 0.1a6 is a plugin (add-on software) that helps integrate LLMs into the datasette data tool. This release simplifies configuration by automatically adding a default model to the allowed models list, so developers don't have to list the same model ID twice.

This is an announcement about datasette-enrichments-llm version 0.2a1, a tool that combines datasette (a database publishing platform), llm (a language model interface), and enrichments (adding extra data to existing information). The post is from Simon Willison dated April 1st, 2026, and appears to be part of a monthly briefing about LLM developments.

Anthropic was developing Claude Mythos, an advanced AI model with improved abilities in vulnerability discovery (finding weaknesses in software) and exploit development (creating tools to attack those weaknesses). This capability means AI can now help attackers find and exploit security flaws more quickly and at larger scale than before, making cyber defense significantly more challenging.