All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A man named Dennis Biesma became so deeply engaged with ChatGPT that he developed a false belief the AI was sentient (able to think and feel) and would make him rich, leading him to lose €100,000 in a failed business startup and attempt suicide. The article describes how prolonged interaction with an AI chatbot can cause some users to lose touch with reality and make harmful decisions based on delusions about the AI's capabilities. This raises concerns about the psychological impact of AI on vulnerable people, particularly those who are isolated or going through life changes.
OpenSnow is an independent weather app startup that uses government data, custom AI models (machine learning systems that learn patterns from data), and expert knowledge to provide better snow and avalanche forecasts than major weather services, becoming essential for skiers and snowboarders worldwide. Founded by two ski enthusiasts, Bryan Allegretto and Joel Gratz, the app grew from a 37-person email list to half a million followers by offering detailed daily snow reports and micro-accurate predictions, especially during unusual winter conditions.
BentoML has a command injection vulnerability in the `docker.system_packages` field of bentofile.yaml (a configuration file). User-provided package names are inserted directly into Docker build commands without sanitization, allowing attackers to execute arbitrary shell commands as root during the image build process. This affects all versions supporting this feature, including version 1.4.36.
n8n's Source Control feature, when configured to use SSH (a secure network protocol), disabled host key verification, meaning it didn't confirm the identity of the Git server it was connecting to. An attacker on the network could trick n8n into connecting to a fake server and inject malicious code into workflows or steal repository data.
n8n, a workflow automation tool, had a security flaw where authenticated users without permission could bypass authorization checks and access plaintext values of external secrets (credentials stored in connected vaults) by guessing secret names. This vulnerability only affects instances with external vaults configured and requires the attacker to be a valid user who knows the target secret's name.
n8n versions with `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` set to true have an authorization bypass vulnerability where attackers can trick users into connecting their OAuth tokens (credentials used for third-party authentication) to attacker-controlled accounts, allowing the attacker to run workflows with those stolen credentials. This only affects instances where this setting is explicitly enabled, which is not the default configuration.
OpenTelemetry Java instrumentation versions before 2.26.1 have a vulnerability in RMI instrumentation where incoming data is deserialized without proper validation, allowing attackers with network access to potentially execute arbitrary code on the affected system. The attack requires three conditions: OpenTelemetry must be running as a Java agent, an RMI endpoint (remote method invocation, a Java system for calling methods on remote servers) must be accessible over the network, and a gadget-chain-compatible library (a collection of existing code that can be chained together to execute unintended commands) must be present.
Datasette-llm 0.1a1 is a new plugin that lets other Datasette plugins use AI models by creating a central way to manage which models are used for which tasks. It introduces a register_llm_purposes() hook (a function that other plugins can use to register what they do) and allows plugins to request a specific model by its purpose, like asking for "the model designated for data enrichment" rather than hardcoding a model name.
Streamlit Open Source versions before 1.54.0 on Windows have an unauthenticated SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making unintended network requests) in how it handles file paths. An attacker can supply a malicious UNC path (a Windows network address like \\attacker-host\share) that causes the Streamlit server to initiate SMB connections (the protocol Windows uses for file sharing) and leak NTLMv2 credential hashes (authentication proof) of the user running Streamlit, which could then be used in relay attacks or password cracking.
n8n (a workflow automation platform) had a security flaw where LDAP authentication (a directory service for user identity management) would automatically link an LDAP user account to an existing local account if their email addresses matched. An attacker could change their LDAP email to match an administrator's email and gain full access to that account, with the unauthorized access persisting even after the email was changed back. This only affects n8n instances that have LDAP authentication specifically enabled.
n8n Community Edition has a security flaw where authenticated users with basic permissions can steal plaintext secrets from other users' HTTP credentials (like basic auth or header auth) by exploiting flaws in how credentials are looked up and validated. This happens because the system doesn't properly check who owns a credential and skips security checks for generic HTTP credential types, though this only affects Community Edition and not the paid Enterprise version.
n8n, a workflow automation tool, has a security flaw in its Merge node's SQL mode that allows authenticated users to read files from the server and execute arbitrary code (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability exists because the AlaSQL sandbox (a restricted environment meant to safely run SQL code) did not properly block certain dangerous SQL statements.
This is a release update for LlamaIndex v0.14.19, a framework for building AI applications with large language models. The update includes multiple bug fixes across different components, such as correcting how document references are deleted from storage and fixing how database schemas are processed, along with dependency updates and new features like support for additional LLM providers.
Disney's new CEO is facing two major setbacks: OpenAI is shutting down its Sora image-generation program (software that creates images from text descriptions) just after Disney invested $1 billion to use it on Disney Plus, and Epic Games is laying off 1,000 employees while their $1.5 billion metaverse (a shared virtual world) project with Disney has gone quiet. These failures highlight risks in Disney's strategy to use AI and virtual worlds for future growth.
A vulnerability in the @grackle-ai/server package fails to handle errors when parsing JSON configuration data in three locations within its gRPC service (a remote procedure call system for inter-process communication). If the underlying SQLite database becomes corrupted or enters an unexpected state, the code could crash without gracefully reporting an error, and the unvalidated parsed data could theoretically be exploited if the database is compromised.
The @grackle-ai/server software doesn't set the Secure flag on its session cookie (a flag that prevents the cookie from being sent over unencrypted connections). While this is safe for local use, enabling the `--allow-network` option exposes the cookie to interception over insecure connections, allowing attackers to steal session data.
The Grackle AI server was missing three important HTTP security headers (Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options) that protect against XSS attacks (where malicious code is injected into a webpage), clickjacking (tricking users into clicking hidden elements), and MIME-sniffing attacks (where browsers misinterpret file types). While current XSS risks are low, the missing headers remove a safety layer that would help prevent future vulnerabilities.
The PowerLine gRPC server (a service that runs code through remote procedure calls, which is a way for programs to request actions from each other over a network) from @grackle-ai/powerline runs without any authentication by default when a token is not provided, allowing anyone who can reach the server to execute code and access credentials. Although the server only listens on localhost (127.0.0.1, the local machine) by default, it becomes critically dangerous if accidentally exposed on a network through containers or port forwarding.
Fix: The source text suggests two explicit fixes: (1) Input validation (recommended): Add a regex validator to `system_packages` in `build_config.py` that only allows alphanumeric characters, dots, plus signs, hyphens, underscores, and colons. (2) Output escaping: Apply `shlex.quote()` to each package name before interpolation in `images.py:system_packages()` and apply the `bash_quote` Jinja2 filter in `base_debian.j2`. The source notes that a `bash_quote` filter already exists in the codebase but is only currently applied to environment variables, not `system_packages`.
GitHub Advisory DatabaseThis research paper addresses security and transparency challenges in cloud storage for UAV (unmanned aerial vehicle) data by proposing PATD, a system that combines privacy-preserving auditing with transparent deduplication. The paper identifies two main problems: verifying that outsourced data hasn't been corrupted or tampered with (without revealing the data itself), and ensuring that file deduplication (removing duplicate copies to save storage) is performed honestly and transparently by the cloud provider.
Aquasecurity Trivy, a container scanning tool, has embedded malicious code that could let attackers steal sensitive information from CI/CD environments (the automated systems that build and deploy software), including security tokens, SSH keys (authentication credentials for servers), cloud login information, database passwords, and other secrets stored in memory. This is a supply-chain compromise (malicious code inserted into a software product before distribution) and is currently being exploited by real attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Additional vendor-provided guidance must be followed to ensure full remediation. See GitHub advisory GHSA-69fq-xp46-6x23 and NVD entry CVE-2026-33634 for more information.
CISA Known Exploited VulnerabilitiesFix: The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily disable the Source Control feature if not actively required, or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n access to fully trusted users only or disable external secrets integration until the patch can be applied, though these workarounds do not fully remediate the risk.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required and restrict access to the n8n instance to fully trusted users only (though these workarounds do not fully remediate the risk and should only be used as short-term measures).
GitHub Advisory DatabaseFix: Upgrade to OpenTelemetry version 2.26.1 or later. Alternatively, disable RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`.
GitHub Advisory DatabaseFix: The vulnerability has been fixed in Streamlit Open Source version 1.54.0. It is recommended that all Streamlit deployments on Windows be upgraded immediately to version 1.54.0 or later.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later. If immediate upgrading is not possible, administrators can: disable LDAP authentication temporarily, restrict LDAP directory permissions so users cannot modify their own email attributes, or audit existing LDAP-linked accounts for unexpected associations. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.
GitHub Advisory DatabaseFix: Upgrade to n8n version 1.123.27, 2.13.3, or 2.14.1 or later. If upgrading is not immediately possible, administrators should restrict instance access to fully trusted users only and audit stored credentials to rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed, though these workarounds do not fully remediate the risk.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. Note: these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: Wrap the JSON.parse() calls in try-catch blocks to handle errors gracefully. The source provides this exact fix: 'let config: Record<string, unknown>; try { config = JSON.parse(env.adapterConfig) as Record<string, unknown>; } catch { throw new ConnectError("Invalid adapter configuration", Code.Internal); }' Apply this pattern to all three affected locations in packages/server/src/grpc-service.ts (lines 415, 482, and 498).
GitHub Advisory DatabaseFix: Update to version 0.70.5. The fix conditionally adds the `; Secure` attribute to the cookie when the server uses HTTPS or when `--allow-network` is enabled, using this code: `const securePart = isHttps ? "; Secure" : ""; return \`${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}\`;`. As a temporary workaround, do not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy (a security intermediary that handles encrypted connections).
GitHub Advisory DatabaseFix: Update to version 0.70.4, which adds security headers to all responses. The fix adds these headers to the server code: Content-Security-Policy set to "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:", X-Frame-Options set to "DENY", and X-Content-Type-Options set to "nosniff". Alternatively, use a reverse proxy (nginx or Caddy) in front of the Grackle server to inject these security headers.
GitHub Advisory DatabaseFix: Update to version 0.70.1, which changes the behavior to require an explicit `--no-auth` flag to intentionally run without authentication, rather than silently defaulting to no auth. The fix throws an error if the server starts without a token and without the `--no-auth` flag. As a workaround for earlier versions, always provide `--token` or set the `GRACKLE_POWERLINE_TOKEN` environment variable when starting PowerLine.
GitHub Advisory Database