All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A developer is redesigning the abstraction layer (a simplified interface that handles communication with many different AI services) of their LLM Python library to support new vendor features like server-side tool execution (where the AI provider runs code on their servers rather than the user's computer). They used Claude Code to analyze Python client libraries from major AI vendors and generate test commands to understand how these services handle both streaming (real-time data flow) and non-streaming data across different scenarios.
Anthropic's source code for Claude Code (an AI coding tool) was accidentally made public, and hackers have been reposting it on GitHub with infostealer malware (software that steals personal information) embedded in the code. Anthropic has been trying to remove the leaked copies by issuing copyright takedown notices, initially targeting over 8,000 repositories before narrowing efforts to 96 copies.
Directus had a vulnerability where attackers could send a single GraphQL query (a language for requesting data from APIs) with multiple aliases (repeated requests for the same field with different names) to the health check endpoint without authentication, causing the system to run expensive checks repeatedly and exhaust resources like database connections and storage. This could crash the service for all users.
Directus has a security flaw in its TUS resumable upload endpoint (a feature that lets users upload files in chunks) that lets any authenticated user overwrite any file in the system by specifying its UUID (unique identifier), bypassing row-level permissions (rules like 'users can only edit their own files'). This can lead to permanent data loss and allow low-privilege users to replace important files with malicious content.
Directus had a security gap where turning off GraphQL introspection (a setting that hides database schema details from users) didn't actually work completely. Even though standard introspection queries were blocked, a different endpoint called `/graphql/system` still returned the same schema information in SDL format (schema definition language, a text representation of a database structure), allowing unauthenticated users to see what data collections and fields existed in the system.
Budibase has a path traversal vulnerability in its plugin upload endpoint where user-supplied filenames are not sanitized before being passed to filesystem operations. An attacker with Global Builder privileges can craft an upload with filenames containing `../` sequences to delete arbitrary directories or write files anywhere on the system that the Node.js process can access, potentially causing data loss or denial of service (making the application unavailable).
Anthropic is changing its policy so Claude users can no longer use their subscription to access OpenClaw (a third-party tool that integrates with Claude), forcing them to pay separately instead. The change takes effect April 4th and may be motivated by Anthropic wanting to promote its own competing tools like Claude Cowork.
BentoML's Dockerfile generation uses an unsandboxed Jinja2 template engine (a tool that processes template files with dynamic code) with dangerous extensions enabled, allowing attackers to embed malicious code in a template file. When a victim imports a malicious bento archive and runs the containerize command, the attacker's code executes directly on the victim's host machine before any container isolation happens, rather than inside a container where it would be restricted.
Fidji Simo, OpenAI's product and business chief, announced she is taking medical leave to manage a worsening neuroimmune condition called POTS (Postural Orthostatic Tachycardia Syndrome, a disorder that makes it hard to keep blood pressure steady). She also announced several leadership changes, including that OpenAI President Greg Brockman will oversee product during her absence, and that marketing chief Kate Rouch is stepping down to focus on cancer recovery.
BentoML has a command injection vulnerability in its cloud deployment setup script where user-supplied system packages are inserted directly into shell commands without proper escaping. An attacker can craft a malicious bentofile.yaml file that executes arbitrary commands on BentoCloud's build infrastructure (the servers that prepare applications for deployment) when the application is deployed, potentially stealing secrets or compromising the infrastructure.
LiteLLM had a security flaw where JWT authentication (a method to verify user identity using encoded tokens) could be bypassed through a cache key collision. When JWT authentication was enabled, the system only used the first 20 characters of a token as a cache key, and since different tokens from the same signing algorithm could have identical first 20 characters, an attacker could create a fake token matching a legitimate user's cached token and gain their permissions. The flaw only affects deployments with JWT/OIDC authentication explicitly enabled, which is not the default configuration.
LiteLLM had a security flaw where an authenticated user could access a configuration endpoint (`/config/update`) without needing admin permissions, allowing them to modify settings, run malicious code, read files, or take over admin accounts. The vulnerability affected any user who already had login access to the system.
Mesop, a web framework, has a vulnerability in its WebSocket (a protocol for real-time two-way communication between client and server) handler where it creates a new operating system thread for every incoming message without any limits. An attacker can send thousands of messages rapidly, exhausting the server's thread capacity and causing an Out of Memory error that crashes the application for all users.
vLLM's `VideoMediaIO.load_base64()` method has a vulnerability where it processes `video/jpeg` data URLs (a vLLM-specific format for sending multiple JPEG frames) without limiting how many frames can be included. An attacker can send thousands of comma-separated base64-encoded JPEG frames in a single API request, causing the server to decode all of them into memory at once and crash with an out-of-memory (OOM) error.
vLLM (a language model serving framework) has a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended targets) in its batch processing feature. An attacker who can submit batch input JSON can make the vLLM server send arbitrary HTTP requests to any URL, including internal services like cloud metadata endpoints, because the `download_bytes_from_url` function has no restrictions on which domains or IP addresses it will contact.
This is a survey paper published in an academic journal that reviews recent progress in conversational data generation, which refers to techniques for creating dialogue datasets (collections of conversations) used to train and improve AI systems. The paper appears to be a comprehensive overview of advances in this field as of July 2026, but no specific technical findings, vulnerabilities, or security issues are described in the provided content.
As generative AI (machine learning systems that create text, images, and other content) becomes better at mimicking human work, people increasingly doubt whether online content is human-made, yet platforms often don't label AI-generated material. The author suggests creating a universal labeling system (similar to Fair Trade certification) that marks human-created content instead, since AI systems have no incentive to identify their own work but human creators do to protect themselves from being replaced.
Fix: Anthropic has been issuing copyright takedown notices to remove copies of the leaked code from GitHub.
Wired (Security)
Fix: A request-scoped resolver deduplication mechanism was introduced and applied across all GraphQL read resolvers. When multiple aliases in a single request invoke the same resolver with identical arguments, only the first call executes and all subsequent aliases share its result, eliminating the amplification attack.
GitHub Advisory Database
Directus, a content management system, failed to properly sanitize sensitive data (like user tokens, two-factor authentication secrets, and API keys) before storing them in revision history records. This meant that anyone with access to the revision database table could read these secrets in plaintext, potentially allowing account takeover or unauthorized access to third-party services.
Fix: Disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required.
GitHub Advisory Database
The `mobile_open_url` tool in mobile-mcp doesn't check what type of URL scheme (the protocol prefix like `http://` or `tel://`) it receives before sending it to Android, allowing attackers to use prompt injection (tricking an AI by hiding instructions in its input) to execute dangerous commands like making phone calls, sending SMS messages, or accessing private data on a connected mobile device.
Fix: Upgrade to version 0.0.50 or later, which restricts `mobile_open_url` to `http://` and `https://` schemes by default. Users who require other URL schemes can opt in by setting the environment variable `MOBILEMCP_ALLOW_UNSAFE_URLS=1`.
GitHub Advisory Database
This research examines how attackers could exploit Amazon Bedrock's multi-agent systems (groups of specialized AI agents working together) through prompt injection (tricking an AI by hiding malicious instructions in user input), potentially discovering agent instructions and executing unauthorized tool actions. The study found no vulnerabilities in Bedrock itself, but highlighted a broader LLM challenge: these systems cannot reliably distinguish between legitimate developer instructions and adversarial user input. The research was conducted ethically on owned systems in collaboration with Amazon's security team.
Fix: Enabling Bedrock's built-in prompt attack Guardrail stopped the demonstrated attacks. Additionally, Amazon confirmed that Bedrock's pre-processing stages and Guardrails effectively block these attacks when properly configured.
Palo Alto Unit 42
Fix: Fixed in v1.83.0, where the cache key now uses the full hash of the JWT token instead of just the first 20 characters. Alternatively, disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.
GitHub Advisory Database
Fix: Fixed in v1.83.0. The endpoint now requires the `proxy_admin` role. As a temporary workaround, restrict API key distribution, though there is no configuration-level workaround available.
GitHub Advisory Database
Fix: The source text recommends four mitigation strategies: (1) use a bounded thread pool (such as `ThreadPoolExecutor` with `max_workers`), (2) introduce per-connection rate limiting, (3) implement a message queue with backpressure (preventing queue overflow by slowing down senders), or (4) consider migrating to an async event loop model instead of spawning OS threads. No specific patch version or code fix is provided.
GitHub Advisory Database