aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6328 items

CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-30308 | Source: NVD/CVE Database

HAI Build Code Generator has a feature that automatically runs commands it decides are safe, but researchers found a flaw: attackers can use prompt injection (tricking an AI by hiding instructions in its input) to disguise malicious commands as safe ones, causing them to execute without user permission. This vulnerability allows arbitrary command execution (running any code) on a system by bypassing the safety check.

CVE-2026-30306: In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute al
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-30306 | Source: NVD/CVE Database

SakaDev has a feature that automatically runs terminal commands (direct computer instructions) chosen by its AI model, but it can be tricked through prompt injection (hiding malicious instructions in seemingly normal input) to misclassify dangerous commands as safe, allowing attackers to run harmful code without user approval.

datasette-llm 0.1a3
Severity: info | Type: news | Topics: industry | Date: Mar 30, 2026 | Source: Simon Willison's Weblog

This is a brief announcement for datasette-llm version 0.1a3, posted by Simon Willison on March 30, 2026. The source does not provide details about what datasette-llm does, what features it includes, or what issues it addresses.

GHSA-9p23-p2m4-2r4m: Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin
Severity: medium | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-34386 | Source: GitHub Advisory Database

Fleet has a SQL injection vulnerability (a type of attack where specially crafted input tricks a database into running unintended commands) in its MDM bootstrap package (the setup files for mobile device management) that allows authenticated admins to corrupt data across teams, steal sensitive information like password hashes and API tokens, and potentially gain higher privileges. The vulnerability only affects instances where Apple MDM is enabled.

Fix: Affected Fleet users should upgrade to a patched version. If an immediate upgrade is not possible, temporarily disable Apple MDM or limit admin roles as a workaround.

GHSA-v895-833r-8c45: Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database
Severity: medium | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-34385 | Source: GitHub Advisory Database

Fleet's Apple MDM profile delivery system has a critical second-order SQL injection vulnerability (a flaw where user input is stored safely first, but then later inserted directly into SQL code without protection), allowing an attacker with an enrolled device to steal or modify sensitive database contents like passwords and API tokens. The vulnerability only affects Fleet instances where Apple MDM is enabled, and exploitation requires a valid MDM enrollment certificate.

Fix: Affected Fleet users should temporarily disable Apple MDM if an immediate upgrade is not possible. (No version number or updated release is mentioned in the source.)

GHSA-m3mh-3mpg-37hw: OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | Source: GitHub Advisory Database

OpenClaw has a vulnerability where malicious plugins or hooks can execute arbitrary code during installation. An attacker can create a `.npmrc` file (npm's configuration file) in a malicious plugin or hook directory that redirects the git executable to a malicious program, which gets executed when OpenClaw runs `npm install` during the installation phase.

Fix: Fixed in OpenClaw 2026.3.24, the current shipping release.

GHSA-68f8-9mhj-h2mp: OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
Severity: medium | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | Source: GitHub Advisory Database

OpenClaw has a security inconsistency where the HTTP endpoint `/v1/models` (which serves OpenAI-compatible requests) accepts bearer authentication but doesn't check operator scopes (permissions that control what actions a user can perform), while the WebSocket RPC path correctly requires the `operator.read` scope. This means someone with only `operator.approvals` permission can bypass the scope requirement and view model metadata through the HTTP route, even though they would be rejected over WebSocket.

Fix: Fixed in OpenClaw 2026.3.24, the current shipping release. The patch involves: (1) enforcing read scope on `/v1/models` routes before serving the endpoint, (2) reusing the centralized scope-authorization helper function (`authorizeOperatorScopesForMethod(...)`) that WebSocket already uses for HTTP compatibility endpoints to prevent policy drift, and (3) adding regression tests to verify that `operator.approvals` without read is rejected on HTTP `/v1/models` while `operator.read` is accepted on both WebSocket and HTTP.

GHSA-hr5v-j9h9-xjhg: OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | Source: GitHub Advisory Database

OpenClaw has a path traversal vulnerability (CWE-22, a type of attack where an attacker uses special characters like ../ to access files outside their intended directory) that allows sandboxed agents to read files from other agents' workspaces. The vulnerability exists because the sandbox validation function only checks certain parameter keys (media, path, filePath) but misses mediaUrl and fileUrl, which are actually used by messaging extensions. Additionally, a separate function fails to pass the sandbox root restrictions to plugins, allowing them to read the entire ~/.openclaw/ directory instead of just an individual agent's folder.

Fix: Fixed in OpenClaw 2026.3.24, the current shipping release.

CVE-2026-30077: OpenAirInterface V2.2.0 AMF crashes when it fails to decode the message. Not all decode failures result in a crash. But
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-30077 | Source: NVD/CVE Database

OpenAirInterface V2.2.0 AMF (a component in 5G networks that manages connections) crashes when it encounters certain malformed messages that it cannot decode properly, though not all decoding failures cause a crash. The vulnerability stems from improper input validation (failing to properly check if incoming data is in the correct format before processing it).

CVE-2026-29872: A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-29872 | Source: NVD/CVE Database

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project where user API tokens are stored in process-wide environment variables without proper isolation. Because Streamlit (a web framework for Python applications) runs multiple users in a single process, credentials entered by one user can be accessed by other users, allowing attackers to steal sensitive tokens like GitHub Personal Access Tokens or LLM API keys.

OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability
Severity: high | Type: news | Topics: security, privacy | Date: Mar 30, 2026 | Source: The Hacker News

OpenAI patched a vulnerability in ChatGPT that allowed attackers to secretly extract sensitive user data, such as conversation messages and uploaded files, by exploiting a hidden DNS-based communication path (a covert channel using the Domain Name System to send data) in the Linux runtime that the AI uses for code execution. The flaw bypassed ChatGPT's built-in safety guardrails (protections designed to prevent unauthorized data sharing) and could be triggered through malicious prompts or embedded in custom GPTs without triggering any user warnings.

Fix: OpenAI addressed the issue on February 20, 2026, following responsible disclosure (the practice of privately reporting security flaws to a vendor before public release).

CVE-2026-2287: CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-2287 | Source: NVD/CVE Database

CrewAI has a vulnerability where it fails to properly verify that Docker (a containerization tool that isolates applications) is still running during execution. When Docker stops, the software falls back to a less secure sandbox setting that can be exploited for RCE (remote code execution, where an attacker runs commands on a system they don't control).

CVE-2026-2286: CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud ser
Severity: medium | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-2286 | Source: NVD/CVE Database

CrewAI contains a server-side request forgery vulnerability (SSRF, where an attacker tricks a server into making unwanted requests to other systems) that allows attackers to access content from internal and cloud services. The vulnerability exists because the RAG search tools (a feature that retrieves external documents to help answer questions) do not properly validate URLs that users provide at runtime.

CVE-2026-2285: CrewAI contains an arbitrary local file read vulnerability in the JSON loader tool that reads files without path validati
Severity: medium | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-2285 | Source: NVD/CVE Database

CrewAI has a vulnerability where its JSON loader tool reads files without checking file paths, allowing attackers to access any file on the server. This is called arbitrary local file read, and it happens because the tool doesn't validate (check) which files users are allowed to access.

CVE-2026-2275: The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through ar
Severity: high | Type: vulnerability | Topics: security | Date: Mar 30, 2026 | ID: CVE-2026-2275 | Source: NVD/CVE Database

CrewAI's CodeInterpreter tool has a security flaw where it falls back to SandboxPython when Docker (a containerization system for running code safely) is unavailable, which can allow RCE (remote code execution, where an attacker runs commands on a system they don't own) through arbitrary C function calling.

There are more AI health tools than ever—but how well do they work?
Severity: info | Type: news | Topics: safety, industry | Date: Mar 30, 2026 | Source: MIT Technology Review

Major tech companies including Microsoft, Amazon, and OpenAI have recently released AI health tools that use large language models (LLMs, AI systems trained on massive amounts of text to generate human-like responses) to answer medical questions and access user health records. While these tools are in high demand because many people struggle to access traditional healthcare, researchers emphasize that these products should be independently evaluated by outside experts before wide release, rather than relying solely on companies' own evaluations.

Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio
Severity: info | Type: news | Topics: security, policy | Date: Mar 30, 2026 | Source: Microsoft Security Blog

Agentic AI systems (autonomous AI that can retrieve data, invoke tools, and take actions using real permissions) are moving into production, but they introduce unique security risks because failures aren't limited to a single response—they can trigger automated sequences of actions with real-world consequences. The OWASP Top 10 for Agentic Applications (2026) identifies ten key risks in these systems, such as goal hijacking (where an agent's objectives are redirected through injected instructions) and tool misuse (where legitimate tools are exploited through unsafe chaining or ambiguous instructions).

The Pentagon’s culture war tactic against Anthropic has backfired
Severity: info | Type: news | Topics: policy | Date: Mar 30, 2026 | Source: MIT Technology Review

The Pentagon tried to punish AI company Anthropic by labeling it a supply chain risk (a designation that restricts who can do business with the government) after disagreements over a direct contract, but a California judge blocked this action. The judge found that the government's actions violated proper procedures and were really an attempt to punish Anthropic's ideology rather than address legitimate security concerns, with senior officials making public posts about the dispute before following legal processes.

Okta’s CEO is betting big on AI agent identity
Severity: info | Type: news | Topics: industry, safety | Date: Mar 30, 2026 | Source: The Verge (AI)

Okta, a company that manages login and security across business applications, is facing pressure from AI tools that could let companies build their own management systems instead of paying for Okta's service. CEO Todd McKinnon says the company is responding by adopting AI and LLMs (large language models, which are AI systems trained on massive amounts of text) to stay competitive and secure, and is focusing on a new opportunity: managing the identity and access of AI agents (automated AI systems that can take actions on their own) within corporations, not just human employees.

Silent Drift: How LLMs Are Quietly Breaking Organizational Access Control
Severity: info | Type: news | Topics: security, safety | Date: Mar 30, 2026 | Source: SecurityWeek

Large language models (LLMs, AI systems trained on massive amounts of text) can quickly generate complex access control code in languages like Rego and Cedar, but even small errors, such as a missing condition or a made-up attribute (hallucination, when an AI invents false information), can accidentally weaken an organization's least-privilege security model (a system where users get only the minimum permissions they need).