aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6335 items

GHSA-qh6h-p6c9-ff54: LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions

high | vulnerability | security
Mar 27, 2026
CVE-2026-34070

LangChain Core has a path traversal vulnerability (a security flaw where attackers can access files outside intended directories using '../' sequences or absolute paths) in legacy functions that load prompt configurations from files. When an application accepts user-influenced prompt configs and passes them to `load_prompt()` or `load_prompt_from_config()`, attackers can read arbitrary files such as secret credentials or configuration files, though they are limited to specific file types (.txt, .json, .yaml).

Fix: Update `langchain-core` to version 1.2.22 or later. The fix adds path validation that rejects absolute paths and '..' traversal sequences by default. Users can pass `allow_dangerous_paths=True` to `load_prompt()` and `load_prompt_from_config()` if they need to load from trusted inputs. Additionally, migrate away from these deprecated legacy functions to the newer `dumpd`/`dumps`/`load`/`loads` serialization APIs from `langchain_core.load`, which don't read from the filesystem and use an allowlist-based security model instead.

Source: GitHub Advisory Database

GHSA-8c4j-f57c-35cf: Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

high | vulnerability | security
Mar 27, 2026
CVE-2026-34046

Langflow had a vulnerability where the code checking whether a user owned a flow was skipped when authentication was enabled, allowing any authenticated user to read, modify, or delete flows belonging to other users, including stealing embedded API keys. The fix removes the conditional logic and always checks that the requesting user owns the flow before allowing any operation.

Fix: The fix (PR #8956) removes the AUTO_LOGIN conditional and unconditionally scopes all flow queries to the requesting user by adding `.where(Flow.user_id == user_id)` to the database query. This single change covers all three vulnerable operations (read, update, delete) since they all route through the same `_read_flow` helper. A regression test called `test_read_flows_user_isolation` was added.

Source: GitHub Advisory Database

GHSA-3p2m-h2v6-g9mx: @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools

high | vulnerability | security
Mar 27, 2026
CVE-2026-33989

The @mobilenext/mobile-mcp package has a path traversal vulnerability (a security flaw where an attacker can write files outside the intended directory by using special path characters like `../`) in its `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters are passed directly to file-writing functions without validating the paths, allowing an attacker to write files anywhere on the system.

Source: GitHub Advisory Database

GHSA-vphc-468g-8rfp: Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries

high | vulnerability | security
Mar 27, 2026
CVE-2026-33980

The Azure Data Explorer MCP Server (adx-mcp-server) has KQL injection vulnerabilities (a type of code injection where untrusted input is inserted into database queries) in three tools that inspect database tables. Because the `table_name` parameter is inserted directly into Kusto queries (Azure's query language) using f-strings without validation or sanitization, an attacker or a prompt-injected AI agent can execute arbitrary database commands, including reading sensitive data or deleting tables.

Source: GitHub Advisory Database

The latest in data centers, AI, and energy

info | news | policy | industry
Mar 27, 2026

Large data centers that power AI systems require massive amounts of electricity and resources, creating conflicts with communities, power grids, and the environment worldwide. Tech companies are expanding these facilities rapidly, leading to legal battles, environmental concerns, and pushback from local communities over issues like electricity costs, water usage, and pollution.

Source: The Verge (AI)

GHSA-364x-8g5j-x2pr: n8n has XSS in its Credential Management Flow

medium | vulnerability | security
Mar 27, 2026

n8n, a workflow automation tool, has an XSS vulnerability (cross-site scripting, where malicious code runs in a user's browser) in its credential management system. An authenticated user could hide JavaScript in an OAuth2 credential's Authorization URL field, and if another user clicks the OAuth authorization button, that malicious script executes in their browser session.

Fix: The issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should limit credential creation and sharing permissions to fully trusted users only, or restrict access to the n8n instance to trusted users only. Note: these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Source: GitHub Advisory Database

GHSA-3c7f-5hgj-h279: n8n has XSS in Chat Trigger Node through Custom CSS

medium | vulnerability | security
Mar 27, 2026

n8n versions before 1.123.27, 2.13.3, and 2.14.1 have a stored XSS (cross-site scripting, where attackers inject malicious code that runs when others visit a page) vulnerability in the Chat Trigger node's Custom CSS field. An authenticated user could bypass the sanitize-html library (a tool meant to remove dangerous code) and inject malicious JavaScript that would affect anyone visiting the public chat page.

Fix: Upgrade to n8n version 1.123.27, 2.13.3, 2.14.1, or later. If upgrading is not immediately possible, temporarily: (1) restrict workflow creation and editing permissions to trusted users only, or (2) disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully fix the risk and should only be used as short-term measures.

Source: GitHub Advisory Database

GHSA-w673-8fjw-457c: n8n: Authenticated XSS and Open Redirect via Form Node

medium | vulnerability | security
Mar 27, 2026

n8n (a workflow automation tool) has a security flaw where authenticated users can inject malicious code or redirect users through unsanitized form fields, potentially enabling phishing attacks. The vulnerability affects the Form Node feature and requires authentication to exploit.

Fix: Upgrade to n8n version 1.123.24, 2.10.4, or 2.12.0 or later. If immediate upgrade is not possible, temporary workarounds include: (1) restrict workflow creation and editing permissions to trusted users only, (2) disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable, or (3) disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. Note that workarounds do not fully eliminate the risk and are only short-term measures.

Source: GitHub Advisory Database

GHSA-q4fm-pjq6-m63g: n8n has a Stored XSS Vulnerability in its Form Trigger

medium | vulnerability | security
Mar 27, 2026

n8n, a workflow automation platform, has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs when users visit a page) in its Form Trigger node that allows authenticated users to inject harmful scripts into forms. These scripts execute every time someone visits the published form, potentially hijacking form submissions or conducting phishing attacks, though the platform's Content Security Policy (a browser security feature that restricts what scripts can do) prevents direct theft of session cookies.

Fix: The issue has been fixed in n8n versions 2.12.0, 2.11.2, and 1.123.25. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.

Source: GitHub Advisory Database

CVE-2026-4963: A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evalu

medium | vulnerability | security
Mar 27, 2026
CVE-2026-4963

A code injection vulnerability (CVE-2026-4963) was found in huggingface smolagents version 1.25.0.dev0, specifically in functions within the local_python_executor.py file that were supposed to fix a previous vulnerability. An attacker can exploit this flaw remotely by injecting malicious code, and the exploit is publicly available, though the vendor has not responded to disclosure attempts.

Source: NVD/CVE Database

CVE-2025-15381: In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not p

high | vulnerability | security
Mar 27, 2026
CVE-2025-15381

In MLflow (a machine learning tool for managing experiments), when basic authentication is enabled, certain endpoints that show trace information (a record of how the AI made decisions) and allow users to assess traces do not properly check user permissions. This means any logged-in user can view traces and create assessments even if they shouldn't have access to them, risking exposure of sensitive information and unauthorized changes.

Source: NVD/CVE Database

GHSA-w9f8-gxf9-rhvw: Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories

low | vulnerability | security
Mar 27, 2026
CVE-2026-29071

Open WebUI has an insecure direct object reference (IDOR, a flaw where an app doesn't properly check whether a user should access specific data) in its retrieval API that lets any authenticated user read other users' private memories and uploaded files by guessing collection names like 'user-memory-{USER_UUID}' or 'file-{FILE_UUID}'. The vulnerability exists because the API checks that a user is logged in but doesn't verify they own the data they're requesting.

Source: GitHub Advisory Database

GHSA-jjp7-g2jw-wh3j: Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite

high | vulnerability | security
Mar 27, 2026
CVE-2026-28788

Open WebUI's file batch processing endpoint lacks an ownership check, allowing any authenticated user to overwrite files in shared knowledge bases by knowing their IDs. An attacker can then poison the RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) system, causing the LLM to serve the attacker's malicious content to other users.

Fix: Add an ownership verification check before writing files. The source suggests this code:

```python
for file in form_data.files:
    db_file = Files.get_file_by_id(file.id)
    if not db_file or (db_file.user_id != user.id and user.role != "admin"):
        file_errors.append(BatchProcessFilesResult(
            file_id=file.id,
            status="failed",
            error="Permission denied: not file owner",
        ))
        continue
```

This verifies that only the file's owner or an admin can modify it before the write operation proceeds.

Source: GitHub Advisory Database

Cybersecurity stocks fall on report Anthropic is testing a powerful new model

info | news | industry
Mar 27, 2026

Anthropic is testing a new AI model called Mythos that has advanced cybersecurity capabilities but also poses security risks, causing the company to plan a slow rollout. The announcement led to significant stock price drops for major cybersecurity companies, as investors worry that powerful AI tools could make hacking easier and disrupt the cybersecurity industry.

Source: CNBC Technology

GHSA-vvxm-vxmr-624h: Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`

medium | vulnerability | security
Mar 27, 2026
CVE-2026-28786

Open WebUI's speech-to-text endpoint has a path traversal vulnerability where an authenticated user can craft a malicious filename to trigger an error that leaks the server's absolute file path. The vulnerability exists because the code doesn't sanitize the filename before using it in a file operation, unlike similar upload handlers elsewhere in the codebase.

Fix: The source recommends two fixes: (1) sanitize the file extension using `Path(file.filename).name` and `Path(safe_name).suffix.lstrip(".")` instead of the current `split(".")[-1]` approach, and (2) suppress the internal path from error responses by catching exceptions and returning a generic error message ("Transcription failed") instead of returning the full exception details.

Source: GitHub Advisory Database

CVE-2026-30304: In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute al

high | vulnerability | security
Mar 27, 2026
CVE-2026-30304

AI Code has a feature that automatically runs terminal commands (direct instructions to a computer's operating system) if it judges them safe, but an attacker can use prompt injection (tricking an AI by hiding instructions in its input) to disguise malicious commands as safe ones, causing them to execute without user approval.

Source: NVD/CVE Database

CVE-2026-29871: A path traversal vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251

high | vulnerability | security
Mar 27, 2026
CVE-2026-29871

A path traversal vulnerability (a security flaw where attackers manipulate file paths to access files they shouldn't) exists in the awesome-llm-apps project's Beifong AI News and Podcast Agent backend. An unauthenticated attacker can exploit this weakness in the stream-audio endpoint to read arbitrary files from the server, potentially exposing sensitive data like configuration files and credentials.

Source: NVD/CVE Database

In Other News: Palo Alto Recruiter Scam, Anti-Deepfake Chip, Google Sets 2029 Quantum Deadline

info | news | safety | industry
Mar 27, 2026

This article briefly mentions several security-related news items including a Heritage Bank data breach, a new State Department cyber threat unit, and LA Metro disruptions, along with stories about a Palo Alto recruiter scam, an anti-deepfake chip (technology designed to detect AI-generated fake videos), and Google's quantum computing deadline for 2029. The content provided is minimal and does not go into detail about any of these incidents.

Source: SecurityWeek

Agentic GRC: Teams Get the Tech. The Mindset Shift Is What's Missing.

info | news | industry
Mar 27, 2026

GRC professionals (those working in governance, risk, and compliance) have access to agentic AI (AI systems that can autonomously complete full workflows rather than just speed them up), but many hesitate to adopt it because they derive their identity and sense of value from the operational work that these agents would replace. The article argues that GRC was originally designed to help organizations understand and manage risk, not to do evidence collection and compliance tasks, and that agents can't function without human insight to define what success looks like, decide acceptable risk levels, and validate outputs.

Source: BleepingComputer

Elon Musk's Grok ordered to stop creating AI nudes by Dutch court as legal pressure mounts

info | incident | safety | policy
Mar 27, 2026

A Dutch court has ordered Elon Musk's xAI and its chatbot Grok to stop creating non-consensual AI-generated sexual images of adults and children, with daily fines of 100,000 euros for non-compliance. The ruling came after the non-profit Offlimits reported that Grok generated an estimated three million sexualized images in about two weeks, including over 23,000 depicting children, and found that xAI's previous restrictions on creating such images were easily bypassed. The case adds to mounting legal pressure on xAI, with investigations underway in Europe and lawsuits filed in the United States.

Fix: xAI moved to block Grok from being able to create sexualized images of real people on X in January, with the restriction applying to all users, including paid subscribers. However, the source explicitly states this measure was found insufficient by the court, as Offlimits demonstrated the restrictions were easily bypassed.

Source: CNBC Technology

Page 144 of 317