All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Paperclip, an agent management system, has a critical authorization bypass vulnerability where three API endpoints for managing agent API keys (`POST /api/agents/:id/keys`, `GET /api/agents/:id/keys`, and `DELETE /api/agents/:id/keys/:keyId`) only verify that a user is logged in, but fail to check if they belong to the company that owns the target agent. This allows any authenticated user to create plaintext API tokens for agents in other companies, effectively bypassing the multi-tenant security boundary (the separation that prevents one company's data from being accessed by another).
Paperclip AI v2026.403.0 contains a critical OS command injection vulnerability in its execution workspace lifecycle. An attacker can inject arbitrary shell commands into the `cleanupCommand` field (a parameter that specifies what to clean up after a workspace closes) via the `PATCH /api/execution-workspaces/:id` endpoint, and these commands are executed without any validation when the workspace is archived. In the default `local_trusted` deployment mode, this attack requires no authentication and works on Linux, macOS, and Windows systems with Git installed.
A Paperclip-managed `codex_local` runtime (a local code execution environment) could access and use a Gmail connector that was only connected in the ChatGPT/OpenAI apps UI, not explicitly set up in Paperclip itself. This trust-boundary failure (a security gap between two systems that should be isolated) allowed the runtime to read emails and send real emails from the user's Gmail account without permission. The vulnerability was made worse because `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, meaning approval checks and execution restrictions are disabled by default.
Paperclip, an AI agent platform, has a critical vulnerability where malicious skills can execute arbitrary shell commands on the server through an unsanitized `runtimeConfig` parameter, allowing attackers to steal sensitive credentials like API keys, database passwords, and authentication secrets stored in environment variables.
Cisco released security advisories for three critical vulnerabilities in Webex and Identity Services Engine (ISE) that could allow attackers to impersonate users, execute remote code (run commands on systems they don't control), or bypass access controls. The most urgent fix involves Webex administrators uploading a new identity provider (IdP, a service that verifies user identities) SAML certificate to the cloud-based Control Hub management portal, with no alternative workarounds available.
AI agent tools that use Model Context Protocol (MCP, a method for applications to expose data and tools to AI systems) over STDIO (a local communication method) have unsafe default settings that allow remote code execution, where attackers can run commands on systems they don't own. Anthropic and other framework developers argue that client application developers are responsible for filtering malicious commands, but researchers found that most developers either don't filter these commands or fail to catch all bypass techniques, leaving thousands of public servers and commercial systems vulnerable.
Flowise version 3.0.12 contains an authentication bypass vulnerability in its resetPassword function that allows attackers to reset any user's password without authorization. The flaw exists because the resetPassword method fails to verify that a password reset token was actually generated for an account, allowing attackers to submit null or empty string tokens (which are the default values) to bypass authentication and change passwords for users whose accounts were recently created.
Flowise's GraphCypherQAChain node has a cypher injection vulnerability (CWE-943, where attackers inject malicious database commands into user input without sanitization). An attacker with access to a vulnerable chatflow can execute arbitrary Cypher commands on the connected Neo4j database (a graph database), allowing them to read, modify, or delete data.
Flowise's password reset feature sends reset links over HTTP (an unencrypted protocol) instead of HTTPS (encrypted protocol), allowing attackers on the same network (like public Wi-Fi) to intercept the link through a man-in-the-middle attack (where someone secretly reads data between two parties) and take over user accounts.
Flowise has a security flaw where unauthenticated users can obtain OAuth 2.0 access tokens (credentials that grant access to third-party services like Gmail) from public chatflows. An attacker can first retrieve internal workflow data including credential identifiers from a public endpoint, then use those identifiers to refresh OAuth tokens without any authentication checks, potentially gaining unauthorized access to connected services.
FlowiseAI versions 2.2.1 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability, where an attacker can inject malicious prompt templates into the API Chain components to trick the system into making HTTP requests to internal or external services it shouldn't access. Since the system trusts the LLM (language model) to generate URLs based on API documentation without validating them, attackers can provide fake documentation pointing to sensitive internal services, potentially exposing internal networks and data.
Flowise contains security flaws in its SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal systems) protection code. Two main issues exist: by default, the deny list is not enforced if an environment variable is not set, allowing requests to localhost, and attackers can use DNS rebinding (TOCTOU, time-of-check time-of-use, where a domain's IP address changes between when the server checks it and when it connects) to bypass IP validation checks.
Flowise has a security flaw in its Custom Function feature where SSRF (Server-Side Request Forgery, a type of attack where a server is tricked into making unwanted network requests) protection only covers two libraries (axios and node-fetch) but leaves built-in Node.js modules like http, https, and net unprotected. This allows authenticated users to bypass the security controls and access internal network resources, such as cloud provider metadata services that contain sensitive credentials.
FlowiseAI has a file upload validation bypass vulnerability in its Chatflow configuration where attackers can modify settings to allow the application/javascript MIME type (a file format label), enabling them to upload malicious .js (JavaScript) files even though the interface normally blocks them. These uploaded files can become persistent web shells (programs that let attackers run commands on the server), potentially leading to RCE (remote code execution, where an attacker can run arbitrary commands on the system).
Flowise has a critical unauthenticated remote command execution (RCE) vulnerability that allows attackers to run arbitrary system commands with root privileges. The flaw exists in a validation check that uses `.includes()` instead of `.startsWith()` to filter the `FILE-STORAGE::` keyword, which an attacker can bypass by embedding it anywhere in a string (like in a comment). When bypassed, this allows the attacker to inject malicious values into the `mcpServerConfig` parameter and use `NODE_OPTIONS` environment variable injection to execute arbitrary code, but only if the chatflow has API Override enabled, is publicly shared, and contains a Custom MCP tool node.
A Flowise endpoint called /api/v1/public-chatbotConfig/:id exposes sensitive information like API keys and authentication headers without requiring a password or login. An attacker who knows only a chatflow UUID (a unique identifier for a workflow) can retrieve stored credentials and internal URLs by sending a simple web request to this endpoint.
Flowise Cloud has a mass assignment vulnerability (JSON injection, where attackers can hide malicious data in JSON input) in its account registration endpoint that allows unauthenticated attackers to inject server-managed fields like organization IDs and role assignments during account creation. This breaks trust boundaries in the multi-tenant environment (a system serving multiple separate organizations) by letting attackers associate their new accounts with existing organizations they don't own, gaining unauthorized access and escalated privileges.
Flowise's CSVAgent has a code injection vulnerability where user-provided custom Pandas CSV read code is inserted directly into executable Python code without sanitization, allowing an authenticated attacker to execute arbitrary commands on the server (RCE, or remote code execution). An attacker can create a malicious chat flow and trigger it via API requests to run commands like `os.system()` through the `pyodide` Python runtime.
Flowise's AirtableAgent has a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability because user input is inserted directly into Python code without sanitization. An attacker can use prompt injection (tricking an AI by hiding instructions in its input) to bypass the intended behavior and execute arbitrary code when the system processes Pandas (a Python library for working with data) operations.
Fix: For the Webex vulnerability (CVE-2026-20184): Admins must upload a new identity provider SAML certificate to Webex Control Hub. The Webex support article on managing SSO integration directs customers to the Control Hub Alerts center to view installed certificates and their status, and provides an SSO wizard tool with step-by-step details to aid in updating certificates. For ISE vulnerabilities (CVE-2026-20147, CVE-2026-20148, CVE-2026-20180, CVE-2026-20186): The source states that Cisco issued patches but does not provide explicit update instructions or version numbers in the provided text.
CSO OnlineNIST (the National Institute of Standards and Technology, a U.S. agency that maintains a database of known security vulnerabilities) has announced it can no longer analyze all reported security flaws due to overwhelming volume, so it will focus only on the most critical ones. Starting immediately, NIST will prioritize enrichment (adding detailed analysis and severity ratings) for vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog and those affecting federal government software, while all other CVEs (common vulnerabilities and exposures, a standard way of naming security flaws) will be added to the database but marked as "not scheduled" for analysis. The backlog has grown to over 30,000 unanalyzed vulnerabilities, driven partly by AI tools that can now automatically discover both real and false security flaws at unprecedented rates.
Fix: NIST will focus on CVEs appearing in CISA's Known Exploited Vulnerabilities (KEV) catalog, aiming to "enrich these within one business day of receipt." High-priority CVEs will also include those for software used in the federal government and other critical software. Security leaders should take stock of their technology inventories to determine whether their systems fall under NIST's priority list.
CSO OnlineFix: The source states: 'Ensure all sensitive URLs, especially password reset links, are generated and transmitted over secure https:// endpoints only.' It also recommends using HTTPS in all password-related email links and implementing HSTS (HTTP Strict Transport Security, a setting that forces browsers to use encrypted connections).
GitHub Advisory Database