aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6344 items

CVE-2026-27893: vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to versio

highvulnerability
security
Mar 26, 2026
CVE-2026-27893

vLLM (a tool that runs and serves large language models) has a vulnerability in versions 0.10.1 through 0.17.x where two model files ignore a user's security setting that disables remote code execution (the ability to run code from outside sources). This means attackers could run malicious code through model repositories even when the user explicitly turned off that capability.

Fix: Upgrade to version 0.18.0, which patches the issue.

NVD/CVE Database

CVE-2025-53521: F5 BIG-IP Unspecified Vulnerability

criticalvulnerability
security
Mar 26, 2026
CVE-2025-53521🔥 Actively Exploited

Anthropic wins preliminary injunction in DOD fight as judge cites 'First Amendment retaliation'

inforegulatory
policy
Mar 26, 2026

A federal judge granted Anthropic a preliminary injunction, blocking the Trump administration's ban on federal agencies using the company's Claude AI models and its Pentagon blacklisting as a supply chain risk (a designation claiming use of a company's technology threatens national security). The judge ruled the administration's actions constituted First Amendment retaliation for Anthropic publicly disagreeing with the government's contracting decisions, though a final verdict in the case could take months.

David Sacks is no longer the White House AI and Crypto Czar

infonews
policy
Mar 26, 2026

David Sacks, a venture capitalist who served as President Trump's Special Advisor on AI and Crypto, announced he is no longer a special government employee (SGE, a role that allows someone to work part-time for the government while maintaining private sector jobs). His SGE status had a legal limit of 130 days, but questions arose about why he remained in the position for over a year.

Federal judge sides with Anthropic in first round of standoff with Pentagon

infonews
policy
Mar 26, 2026

Anthropic won a temporary legal victory when a federal judge ordered a pause on the Department of Defense's punishment of the company, which had refused to let the military use its Claude AI model in autonomous weapons systems (systems that can make attack decisions without human control). Anthropic claimed the government violated its free speech rights by declaring it a supply chain risk (a company whose products could be exploited to harm national security) and blocking agencies from using its technology.

OpenAI ads pilot tops $100 million in annualized revenue in under 2 months

infonews
industry
Mar 26, 2026

OpenAI has launched an advertising pilot program in ChatGPT that generated over $100 million in annual revenue within two months, working with more than 600 advertisers. The ads appear at the bottom of ChatGPT responses, are clearly labeled, and do not influence the AI's answers or appear near sensitive topics like politics or health. Users under 18 are excluded from seeing ads, and OpenAI reports no negative impact on user trust metrics.

GHSA-ppp5-5v6c-4jwp: Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

highvulnerability
security
Mar 26, 2026
CVE-2026-33894

The Forge library has a vulnerability in its RSA signature verification that allows attackers to forge signatures on keys with low public exponents (like e=3). The flaw occurs because Forge's ASN.1 parser (a format for encoding data structures) doesn't strictly validate the signature structure — it allows extra garbage bytes inside the ASN.1 container and doesn't enforce the required minimum 8 bytes of padding, enabling attackers to construct fake signatures that pass Forge's checks but would be rejected by other cryptographic libraries like OpenSSL.

Preparing for agentic AI: A financial services approach

infonews
securitypolicy

GHSA-7xr2-q9vf-x4r5: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

highvulnerability
security
Mar 26, 2026

OpenClaw has a symlink traversal vulnerability (symlink: a file that points to another file) in two API handlers (`agents.create` and `agents.update`) that use `fs.appendFile` to write to an `IDENTITY.md` file without checking if it's a symlink. An attacker can place a symlink in the agent workspace pointing to a sensitive system file (like `/etc/crontab`), and when these handlers run, they will append attacker-controlled content to that sensitive file, potentially allowing remote code execution. This is an incomplete fix for CVE-2026-32013, which only patched two other handlers but missed these two.

Google is making it easier to import another AI’s memory into Gemini

infonews
industry
Mar 26, 2026

Google Gemini is adding new features that let users transfer their chat history and memory from other AI assistants into Gemini. The "Import Memory" tool works by copying a prompt from Gemini into your previous AI, then pasting the response back into Gemini, while "Import Chat History" lets you export all your past conversations from another AI and upload them to Gemini.

Apple will reportedly allow other AI chatbots to plug into Siri

infonews
industry
Mar 26, 2026

Apple's upcoming iOS 27 update will let users choose which AI chatbot to connect with Siri (Apple's voice assistant), including options like Google's Gemini or Anthropic's Claude downloaded from the App Store. The new feature, called "Extensions," will allow users to enable or disable different chatbots across iPhones, iPads, and Macs, expanding beyond the current ChatGPT integration.

CVE-2026-33623: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contai

mediumvulnerability
security
Mar 26, 2026
CVE-2026-33623

PinchTab v0.8.4, a tool that lets AI agents control Chrome browsers through an HTTP server, has a command injection vulnerability on Windows where attackers can run arbitrary PowerShell commands if they have administrative access to the server's API. The vulnerability exists because the cleanup routine doesn't properly escape PowerShell metacharacters (special characters that PowerShell interprets as commands) when building cleanup commands from profile names.

CVE-2026-33622: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` throug

highvulnerability
security
Mar 26, 2026
CVE-2026-33622

PinchTab is an HTTP server that allows AI agents to control a Chrome browser, but versions 0.8.3 through 0.8.5 have a security flaw where two endpoints (POST /wait and POST /tabs/{id}/wait) can execute arbitrary JavaScript (run code of an attacker's choice in the browser) even when JavaScript evaluation is disabled by the operator. Unlike the properly protected POST /evaluate endpoint, these vulnerable endpoints don't check the security policy before running user-provided code, though an attacker still needs valid authentication credentials to exploit it.

CVE-2026-33621: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` throug

mediumvulnerability
security
Mar 26, 2026
CVE-2026-33621

PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome browser, but versions 0.7.7 through 0.8.4 had incomplete protections against brute-force attacks (rapid repeated requests) on endpoints that check authentication tokens. The middleware (software layer that filters requests) designed to limit requests per IP address was either not activated or had flaws like trusting client-controlled headers, making it easier for attackers to guess weak passwords if they could reach the API.

CVE-2026-33620: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` throug

mediumvulnerability
security
Mar 26, 2026
CVE-2026-33620

PinchTab, an HTTP server that lets AI agents control Chrome browsers, had a vulnerability in versions 0.7.8 through 0.8.3 where API tokens (credentials that prove you're authorized to use the service) could be passed as URL query parameters, making them visible in logs and browser history instead of being kept private in secure headers. This exposed sensitive credentials to intermediary systems that record full URLs, though it only affected deployments that actually used this method of passing tokens.

CVE-2026-33619: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains

mediumvulnerability
security
Mar 26, 2026
CVE-2026-33619

PinchTab v0.8.3, a tool that lets AI agents control Chrome browsers through an HTTP server, has a server-side request forgery vulnerability (SSRF, where the server can be tricked into making requests to unintended targets) in its optional webhook system. When tasks are submitted with a user-controlled callback URL, the server sends an HTTP request to that URL without properly validating it, allowing attackers to make the server send requests to private or internal network addresses.

GHSA-cxmw-p77q-wchg: OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

highvulnerability
security
Mar 26, 2026

Android Canvas WebView pages (web content displayed inside an Android app) from untrusted sources could call the JavascriptInterface bridge (a connection that lets web code run native app commands), allowing attackers to inject malicious instructions into the app. The vulnerability was fixed by validating the origin (where the web content comes from) before allowing bridge calls.

CISA: New Langflow flaw actively exploited to hijack AI workflows

criticalnews
security
Mar 26, 2026

CISA warns that hackers are actively exploiting CVE-2026-33017, a critical vulnerability (rated 9.3 out of 10) in Langflow, an open-source framework for building AI workflows. This code injection flaw allows attackers to execute arbitrary Python code and gain remote code execution (the ability to run commands on a system they don't own) on unpatched systems running version 1.8.1 or earlier, with exploitation beginning just 20 hours after the vulnerability details were made public.

The CISO’s guide to responding to shadow AI

infonews
policysecurity

Google’s ‘live’ AI search assistant can handle conversations in dozens more languages

infonews
industry
Mar 26, 2026

Google is expanding Search Live, an AI search assistant that lets users search the web using their voice and camera to ask questions about physical objects or tasks. The feature, which initially launched in the US, is now available in over 200 countries and territories in dozens of languages, with Google powering this global expansion using its latest technology.

Previous146 / 318Next

F5 BIG-IP APM (a network access management tool) contains an unspecified vulnerability that allows attackers to achieve remote code execution (the ability to run commands on a system they don't own). This vulnerability is actively being exploited by real attackers in the wild, making it an urgent security concern.

Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. Consult F5's official guidelines and the referenced knowledge base articles at https://my.f5.com/manage/s/article/K000156741, https://my.f5.com/manage/s/article/K000160486, and https://my.f5.com/manage/s/article/K11438344 to assess exposure and mitigate risks.

CISA Known Exploited Vulnerabilities
CNBC Technology
The Verge (AI)
The Guardian Technology
CNBC Technology
GitHub Advisory Database
Mar 26, 2026

Financial institutions deploying agentic AI (autonomous AI systems that make decisions and take actions independently) must add AI-specific security controls beyond traditional frameworks like ISO 27001 and NIST, because these systems' autonomous nature and non-deterministic behavior introduce unique risks. The source recommends two critical capabilities: comprehensive observability (clear visibility into what AI agents do and why) and fine-grained access controls (limiting what tools and actions each agent can use), supported by seven design principles including human-AI security homology (applying human oversight rules to AI agents) and modular agent workflow architecture.

Fix: The source provides design principles and implementation guidance rather than explicit patches or updates. It recommends: (1) implementing agent identities with role and attribute-based permissions; (2) adding logging and behavioral monitoring; (3) requiring supervision for critical actions; (4) defining agent scope in workflows; (5) applying segregation of agent duties; (6) using maker-checker verification (where one agent proposes an action and another verifies it); and (7) implementing change and incident management. The source also advises to 'consult with your compliance and legal teams to determine specific requirements for your situation' and notes that 'regulatory requirements establish minimum baselines, but organizational risk considerations often require additional controls.'

AWS Security Blog
GitHub Advisory Database
The Verge (AI)
The Verge (AI)

Fix: Version 0.8.5 contains a patch for the issue.

NVD/CVE Database

Fix: The source states that 'the current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes.' However, the source explicitly notes 'as of time of publication, a patched version is not yet available.'

NVD/CVE Database

Fix: This was fully addressed in v0.8.5 by applying RateLimitMiddleware in the production handler chain, deriving the client address from the immediate peer IP instead of trusting forwarded headers by default, and removing the /health and /metrics exemption so auth-checkable endpoints are throttled as well.

NVD/CVE Database

Fix: This was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.

NVD/CVE Database

Fix: This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating callbackUrl during task submission.

NVD/CVE Database

Fix: Update to version 2026.3.22 or later. The fix validates page origin and rejects untrusted bridge calls, with trusted origin and path validation now centralized in CanvasActionTrust.kt.

GitHub Advisory Database

Fix: System administrators should upgrade to Langflow version 1.9.0 or later, which addresses the vulnerability. Alternatively, administrators can disable or restrict the vulnerable endpoint. Endor Labs additionally recommends not exposing Langflow directly to the internet, monitoring outbound traffic, and rotating API keys, database credentials, and cloud secrets if suspicious activity is detected.

BleepingComputer
Mar 26, 2026

Shadow AI refers to AI tools that employees use without approval from their organization, whether these are standalone tools or AI features embedded in existing software that weren't clearly communicated. CISOs (chief information security officers, the executives responsible for an organization's security) need to assess the risks these tools pose, understand why employees are using them, and decide whether to block them or bring them into official company use.

Fix: The source describes a response approach rather than a technical fix: CISOs should (1) assess the specific risk by examining data sensitivity, how the AI provider handles data, and whether a breach occurred, (2) understand why employees are using shadow AI and educate them on risks, (3) check if the organization already has approved tools that meet the same needs, and (4) redirect employees to approved alternatives "with a serious reminder" of approval requirements. The source also notes that organizations with slow AI adoption tend to see more shadow AI use, suggesting faster official adoption may reduce instances.

CSO Online
The Verge (AI)