All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
LangChain Core has a path traversal vulnerability (a security flaw where attackers can access files outside intended directories using '../' sequences or absolute paths) in legacy functions that load prompt configurations from files. When an application accepts user-influenced prompt configs and passes them to `load_prompt()` or `load_prompt_from_config()`, attackers can read arbitrary files like secret credentials or configuration files, though they're limited to specific file types (.txt, .json, .yaml).
Fix: Update `langchain-core` to version 1.2.22 or later. The fix adds path validation that rejects absolute paths and '..' traversal sequences by default. Users can pass `allow_dangerous_paths=True` to `load_prompt()` and `load_prompt_from_config()` if they need to load from trusted inputs. Additionally, migrate away from these deprecated legacy functions to the newer `dumpd`/`dumps`/`load`/`loads` serialization APIs from `langchain_core.load`, which don't read from the filesystem and use an allowlist-based security model instead.
GitHub Advisory DatabaseLangflow had a vulnerability where the code checking if a user owned a flow was missing when authentication was enabled, allowing any authenticated user to read, modify, or delete flows belonging to other users, including stealing embedded API keys. The fix removes the conditional logic and always checks that the requesting user owns the flow before allowing any operation.
The @mobilenext/mobile-mcp package has a path traversal vulnerability (a security flaw where an attacker can write files outside the intended directory by using special path characters like `../`) in its `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters are passed directly to file-writing functions without checking if the paths are valid, allowing an attacker to write files anywhere on the system.
The Azure Data Explorer MCP Server (adx-mcp-server) has KQL injection vulnerabilities (a type of code injection where untrusted input is inserted into database queries) in three tools that inspect database tables. Because the `table_name` parameter is directly inserted into Kusto queries (Azure's query language) using f-strings without checking or cleaning the input, an attacker or a prompt-injected AI agent can execute arbitrary database commands, including reading sensitive data or deleting tables.
n8n, a workflow automation tool, has an XSS vulnerability (cross-site scripting, where malicious code runs in a user's browser) in its credential management system. An authenticated user could hide JavaScript in an OAuth2 credential's Authorization URL field, and if another user clicks the OAuth authorization button, that malicious script executes in their browser session.
n8n versions before 1.123.27, 2.13.3, and 2.14.1 have a stored XSS (cross-site scripting, where attackers inject malicious code that runs when others visit a page) vulnerability in the Chat Trigger node's Custom CSS field. An authenticated user could bypass the sanitize-html library (a tool meant to remove dangerous code) and inject malicious JavaScript that would affect anyone visiting the public chat page.
n8n (a workflow automation tool) has a security flaw where authenticated users can inject malicious code or redirect users through unsanitized form fields, potentially enabling phishing attacks. The vulnerability affects the Form Node feature and requires authentication to exploit.
n8n, a workflow automation platform, has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs when users visit a page) in its Form Trigger node that allows authenticated users to inject harmful scripts into forms. These scripts execute every time someone visits the published form, potentially hijacking form submissions or conducting phishing attacks, though the platform's Content Security Policy (a browser security feature that restricts what scripts can do) prevents direct theft of session cookies.
A code injection vulnerability (CVE-2026-4963) was found in huggingface smolagents version 1.25.0.dev0, specifically in functions within the local_python_executor.py file that were supposed to fix a previous vulnerability. An attacker can exploit this flaw remotely by injecting malicious code, and the exploit is publicly available, though the vendor has not responded to disclosure attempts.
In MLflow (a machine learning tool for managing experiments), when basic authentication is enabled, certain endpoints that show trace information (a record of how the AI made decisions) and allow users to assess traces are not properly checking user permissions. This means any logged-in user can view traces and create assessments even if they shouldn't have access to them, risking exposure of sensitive information and unauthorized changes.
Open WebUI has an insecure direct object reference (IDOR, a flaw where an app doesn't properly check if a user should access specific data) in its retrieval API that lets any authenticated user read other users' private memories and uploaded files by guessing collection names like 'user-memory-{USER_UUID}' or 'file-{FILE_UUID}'. The vulnerability exists because the API checks that a user is logged in, but doesn't verify they own the data they're requesting.
Open WebUI's file batch processing endpoint lacks an ownership check, allowing any authenticated user to overwrite files in shared knowledge bases by knowing their IDs. An attacker can then poison the RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) system, causing the LLM to serve the attacker's malicious content to other users.
Anthropic is testing a new AI model called Mythos that has advanced cybersecurity capabilities but also poses security risks, causing the company to plan a slow rollout. The announcement led to significant stock price drops for major cybersecurity companies, as investors worry that powerful AI tools could make hacking easier and disrupt the cybersecurity industry.
Open WebUI's speech-to-text endpoint has a path traversal vulnerability where an authenticated user can craft a malicious filename to trigger an error that leaks the server's absolute file path. The vulnerability exists because the code doesn't sanitize the filename before using it in a file operation, unlike similar upload handlers elsewhere in the codebase.
AI Code has a feature that automatically runs terminal commands (direct instructions to a computer's operating system) if it thinks they're safe, but an attacker can use prompt injection (tricking an AI by hiding instructions in its input) to disguise malicious commands as safe ones, causing them to execute without user approval.
A path traversal vulnerability (a security flaw where attackers manipulate file paths to access files they shouldn't) exists in the awesome-llm-apps project's Beifong AI News and Podcast Agent backend. An unauthenticated attacker can exploit this weakness in the stream-audio endpoint to read arbitrary files from the server, potentially exposing sensitive data like configuration files and credentials.
GRC professionals (those working in governance, risk, and compliance) have access to agentic AI (AI systems that can autonomously complete full workflows rather than just speed them up), but many hesitate to adopt it because they derive their identity and sense of value from the operational work that these agents would replace. The article argues that GRC was originally designed to help organizations understand and manage risk, not to do evidence collection and compliance tasks, and that agents can't function without human insight to define what success looks like, decide acceptable risk levels, and validate outputs.
Fix: The fix (PR #8956) removes the AUTO_LOGIN conditional and unconditionally scopes all flow queries to the requesting user by adding `.where(Flow.user_id == user_id)` to the database query. This single change covers all three vulnerable operations (read, update, delete) since they all route through the same `_read_flow` helper. A regression test called `test_read_flows_user_isolation` was added.
GitHub Advisory DatabaseLarge data centers that power AI systems require massive amounts of electricity and resources, creating conflicts with communities, power grids, and the environment worldwide. Tech companies are expanding these facilities rapidly, leading to legal battles, environmental concerns, and pushback from local communities over issues like electricity costs, water usage, and pollution.
Fix: The issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should limit credential creation and sharing permissions to fully trusted users only, or restrict access to the n8n instance to trusted users only. Note: these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: Upgrade to n8n version 1.123.27, 2.13.3, 2.14.1, or later. If upgrading is not immediately possible, temporarily: (1) restrict workflow creation and editing permissions to trusted users only, or (2) disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully fix the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: Upgrade to n8n version 1.123.24, 2.10.4, or 2.12.0 or later. If immediate upgrade is not possible, temporary workarounds include: (1) restrict workflow creation and editing permissions to trusted users only, (2) disable the Form node by adding 'n8n-nodes-base.form' to the NODES_EXCLUDE environment variable, or (3) disable the Form Trigger node by adding 'n8n-nodes-base.formTrigger' to the NODES_EXCLUDE environment variable. Note that workarounds do not fully eliminate the risk and are only short-term measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 2.12.0, 2.11.2, and 1.123.25. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.
GitHub Advisory DatabaseFix: Add an ownership verification check before writing files. The source suggests this code: for file in form_data.files: db_file = Files.get_file_by_id(file.id) if not db_file or (db_file.user_id != user.id and user.role != "admin"): file_errors.append(BatchProcessFilesResult( file_id=file.id, status="failed", error="Permission denied: not file owner", )) continue This verifies that only the file's owner or an admin can modify it before the write operation proceeds.
GitHub Advisory DatabaseFix: The source recommends two fixes: (1) sanitize the file extension using `Path(file.filename).name` and `Path(safe_name).suffix.lstrip(".")` instead of the current `split(".")[-1]` approach, and (2) suppress the internal path from error responses by catching exceptions and returning a generic error message ("Transcription failed") instead of returning the full exception details.
GitHub Advisory DatabaseThis article briefly mentions several security-related news items including a Heritage Bank data breach, a new State Department cyber threat unit, and LA Metro disruptions, along with stories about a Palo Alto recruiter scam, an anti-deepfake chip (technology designed to detect AI-generated fake videos), and Google's quantum computing deadline for 2029. The content provided is minimal and does not go into detail about any of these incidents.
A Dutch court has ordered Elon Musk's xAI and its chatbot Grok to stop creating non-consensual AI-generated sexual images of adults and children, with daily fines of 100,000 euros for non-compliance. The ruling came after the non-profit Offlimits reported that Grok generated an estimated three million sexualized images in about two weeks, including over 23,000 depicting children, and found that xAI's previous restrictions on creating such images were easily bypassed. The case adds to mounting legal pressure on xAI, with investigations underway in Europe and lawsuits filed in the United States.
Fix: xAI moved to block Grok from being able to create sexualized images of real people on X in January, with the restriction applying to all users, including paid subscribers. However, the source explicitly states this measure was found insufficient by the court, as Offlimits demonstrated the restrictions were easily bypassed.
CNBC Technology