All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
HAI Build Code Generator has a feature that automatically runs commands it decides are safe, but researchers found a flaw: attackers can use prompt injection (tricking an AI by hiding instructions in its input) to disguise malicious commands as safe ones, causing them to execute without user permission. This vulnerability allows arbitrary command execution (running any code) on a system by bypassing the safety check.
SakaDev has a feature that automatically runs terminal commands (direct computer instructions) chosen by its AI model, but it can be tricked through prompt injection (hiding malicious instructions in seemingly normal input) to misclassify dangerous commands as safe, allowing attackers to run harmful code without user approval.
This is a brief announcement for datasette-llm version 0.1a3, posted by Simon Willison on March 30, 2026. The source does not provide details about what datasette-llm does, what features it includes, or what issues it addresses.
Fleet has a SQL injection vulnerability (a type of attack where specially crafted input tricks a database into running unintended commands) in its MDM bootstrap package (the setup files for mobile device management) that allows authenticated admins to corrupt data across teams, steal sensitive information like password hashes and API tokens, and potentially gain higher privileges. The vulnerability only affects instances where Apple MDM is enabled.
Fleet's Apple MDM profile delivery system has a critical second-order SQL injection vulnerability (a flaw where user input is stored safely first, but then later inserted directly into SQL code without protection), allowing an attacker with an enrolled device to steal or modify sensitive database contents like passwords and API tokens. The vulnerability only affects Fleet instances where Apple MDM is enabled, and exploitation requires a valid MDM enrollment certificate.
OpenClaw has a vulnerability where malicious plugins or hooks can execute arbitrary code during installation. An attacker can create a `.npmrc` file (npm's configuration file) in a malicious plugin or hook directory that redirects the git executable to a malicious program, which gets executed when OpenClaw runs `npm install` during the installation phase.
OpenClaw has a security inconsistency where the HTTP endpoint `/v1/models` (which serves OpenAI-compatible requests) accepts bearer authentication but doesn't check operator scopes (permissions that control what actions a user can perform), while the WebSocket RPC path correctly requires the `operator.read` scope. This means someone with only `operator.approvals` permission can bypass the scope requirement and view model metadata through the HTTP route, even though they would be rejected over WebSocket.
OpenClaw has a path traversal vulnerability (CWE-22, a type of attack where an attacker uses special characters like ../ to access files outside their intended directory) that allows sandboxed agents to read files from other agents' workspaces. The vulnerability exists because the sandbox validation function only checks certain parameter keys (media, path, filePath) but misses mediaUrl and fileUrl, which are actually used by messaging extensions. Additionally, a separate function fails to pass the sandbox root restrictions to plugins, allowing them to read the entire ~/.openclaw/ directory instead of just an individual agent's folder.
OpenAirInterface V2.2.0 AMF (a component in 5G networks that manages connections) crashes when it encounters certain malformed messages that it cannot decode properly, though not all decoding failures cause a crash. The vulnerability stems from improper input validation (failing to properly check if incoming data is in the correct format before processing it).
A cross-session information disclosure vulnerability exists in the awesome-llm-apps project where user API tokens are stored in process-wide environment variables without proper isolation. Because Streamlit (a web framework for Python applications) runs multiple users in a single process, credentials entered by one user can be accessed by other users, allowing attackers to steal sensitive tokens like GitHub Personal Access Tokens or LLM API keys.
CrewAI has a vulnerability where it fails to properly verify that Docker (a containerization tool that isolates applications) is still running during execution. When Docker stops, the software falls back to a less secure sandbox setting that can be exploited for RCE (remote code execution, where an attacker runs commands on a system they don't control).
CrewAI contains a server-side request forgery vulnerability (SSRF, where an attacker tricks a server into making unwanted requests to other systems) that allows attackers to access content from internal and cloud services. The vulnerability exists because the RAG search tools (a feature that retrieves external documents to help answer questions) do not properly validate URLs that users provide at runtime.
CrewAI has a vulnerability where its JSON loader tool reads files without checking file paths, allowing attackers to access any file on the server. This is called arbitrary local file read, and it happens because the tool doesn't validate (check) which files users are allowed to access.
CrewAI's CodeInterpreter tool has a security flaw where it falls back to SandboxPython when Docker (a containerization system for running code safely) is unavailable, which can allow RCE (remote code execution, where an attacker runs commands on a system they don't own) through arbitrary C function calling.
The Pentagon tried to punish AI company Anthropic by labeling it a supply chain risk (a designation that restricts who can do business with the government) after disagreements over a direct contract, but a California judge blocked this action. The judge found that the government's actions violated proper procedures and were really an attempt to punish Anthropic's ideology rather than address legitimate security concerns, with senior officials making public posts about the dispute before following legal processes.
Fix: Affected Fleet users should upgrade to a patched version. If an immediate upgrade is not possible, temporarily disable Apple MDM or limit admin roles as a workaround.
GitHub Advisory Database
Fix: Affected Fleet users should temporarily disable Apple MDM if an immediate upgrade is not possible. (No version number or updated release is mentioned in the source.)
GitHub Advisory Database
Fix: Fixed in OpenClaw 2026.3.24, the current shipping release.
GitHub Advisory Database
Fix: Fixed in OpenClaw 2026.3.24, the current shipping release. The patch involves: (1) enforcing read scope on `/v1/models` routes before serving the endpoint, (2) reusing the centralized scope-authorization helper function (`authorizeOperatorScopesForMethod(...)`) that WebSocket already uses for HTTP compatibility endpoints to prevent policy drift, and (3) adding regression tests to verify that `operator.approvals` without read is rejected on HTTP `/v1/models` while `operator.read` is accepted on both WebSocket and HTTP.
GitHub Advisory Database
Fix: Fixed in OpenClaw 2026.3.24, the current shipping release.
GitHub Advisory Database
OpenAI patched a vulnerability in ChatGPT that allowed attackers to secretly extract sensitive user data, such as conversation messages and uploaded files, by exploiting a hidden DNS-based communication path (a covert channel using the Domain Name System to send data) in the Linux runtime that the AI uses for code execution. The flaw bypassed ChatGPT's built-in safety guardrails (protections designed to prevent unauthorized data sharing) and could be triggered through malicious prompts or embedded in custom GPTs without triggering any user warnings.
Fix: OpenAI addressed the issue on February 20, 2026, following responsible disclosure (the practice of privately reporting security flaws to a vendor before public release).
The Hacker News
Major tech companies including Microsoft, Amazon, and OpenAI have recently released AI health tools that use large language models (LLMs, AI systems trained on massive amounts of text to generate human-like responses) to answer medical questions and access user health records. While these tools are in high demand because many people struggle to access traditional healthcare, researchers emphasize that these products should be independently evaluated by outside experts before wide release, rather than relying solely on companies' own evaluations.
Agentic AI systems (autonomous AI that can retrieve data, invoke tools, and take actions using real permissions) are moving into production, but they introduce unique security risks because failures aren't limited to a single response—they can trigger automated sequences of actions with real-world consequences. The OWASP Top 10 for Agentic Applications (2026) identifies ten key risks in these systems, such as goal hijacking (where an agent's objectives are redirected through injected instructions) and tool misuse (where legitimate tools are exploited through unsafe chaining or ambiguous instructions).
Okta, a company that manages login and security across business applications, is facing pressure from AI tools that could let companies build their own management systems instead of paying for Okta's service. CEO Todd McKinnon says the company is responding by adopting AI and LLMs (large language models, which are AI systems trained on massive amounts of text) to stay competitive and secure, and is focusing on a new opportunity: managing the identity and access of AI agents (automated AI systems that can take actions on their own) within corporations, not just human employees.
Large language models (LLMs, AI systems trained on massive amounts of text) can quickly generate complex access control code in languages like Rego and Cedar, but even small errors, such as a missing condition or a made-up attribute (hallucination, when an AI invents false information), can accidentally weaken an organization's least-privilege security model (a system where users get only the minimum permissions they need).