aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by Truong (Jack) Luu, Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6344 items

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

high | vulnerability | security | Mar 25, 2026

The Grackle AI server's WebSocket upgrade handler does not check the Origin header, which tells the server which web origin initiated the handshake. Browsers let any page open a WebSocket to any host, so a malicious webpage open in the same browser as a logged-in user can connect to the server and be treated as that user's session, reading real-time session data and task updates. This is cross-site WebSocket hijacking (CSWSH).

Fix: Validate `req.headers.origin` against an allowlist before accepting WebSocket connections. The patch in the advisory checks that the origin contains either 'localhost' or '127.0.0.1' and closes the connection with code 4003 otherwise. As a workaround, keep the Grackle server bound to 127.0.0.1 (the default) and do not use `--allow-network` on untrusted networks. Note that loopback binding only limits who can reach the server over the network; a page in the local user's browser can still connect, so the Origin check is the actual fix.

Source: GitHub Advisory Database

GHSA-647h-p824-99w7: @grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool

high | vulnerability | security | Mar 25, 2026

The knowledge_search and knowledge_get_node tools in @grackle-ai/mcp are listed as available to scoped agents (agents whose token is bound to a single workspace), but their handlers take the workspace from the caller-supplied workspaceId parameter rather than from the token. A scoped agent in Workspace A can therefore read data from Workspace B by passing B's workspaceId.

Fix: Add an `authContext` parameter to the `knowledge_search` and `knowledge_get_node` handlers and derive the workspace from it rather than from the request:

```typescript
const resolvedWorkspaceId =
  authContext?.type === "scoped"
    ? authContext.workspaceId ?? ""
    : workspaceId ?? "";
```

With this pattern a scoped agent can only reach its own workspace. Until the fix is applied, either remove `knowledge_search` and `knowledge_get_node` from the `SCOPED_TOOLS` set in `tool-scoping.ts`, or do not issue scoped agent tokens in multi-workspace deployments.

Source: GitHub Advisory Database

GHSA-7q9x-8g6p-3x75: @grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template

low | vulnerability | security | Mar 25, 2026

`renderPairingPage()` in @grackle-ai/server interpolates an error message into an HTML template without escaping it. Current call sites pass only hardcoded strings, so the code is not exploitable today, but any future change that routes user-controlled input into that parameter would produce a cross-site scripting (XSS) bug.

Fix: Update to v0.70.1. The fix changes `${error}` to `${escapeHtml(error)}` in the template string, matching what `renderAuthorizePage()` in the same file already does.

Source: GitHub Advisory Database

GHSA-xvh5-5qg4-x9qp: n8n has In-Process Memory Disclosure in its Task Runner

high | vulnerability | security | Mar 25, 2026 | CVE-2026-27496

n8n (a workflow automation tool) has a flaw through which authenticated users who can create or modify workflows could read uninitialized memory buffers, potentially exposing secrets or tokens left over from earlier requests handled by the same process. Only deployments with Task Runners enabled are affected; external runner mode, which runs the runner as a separate, isolated process, limits the exposure.

Fix: Fixed in n8n 1.123.22, 2.9.3 and 2.10.1 (and later releases of each line). If upgrading is not immediately possible, restrict workflow creation and editing to fully trusted users, or switch to external runner mode by setting `N8N_RUNNERS_MODE=external`. The advisory notes that these workarounds do not fully remediate the risk and should only be short-term measures.

Source: GitHub Advisory Database

EIP: Efficient image protection scheme

info | research | Peer-Reviewed | security | Mar 25, 2026

This research paper proposes EIP, an efficient image protection scheme designed to safeguard images from unauthorized access or tampering. The paper is listed for June 2026 in the Journal of Information Security and Applications, by Haider, Sattar, Komninos, and Hayat. The available content does not describe how the scheme works or which specific security problem it addresses.

Source: Elsevier Security Journals

PadNet: Defending Neural Networks Against Adversarial Examples

info | research | Peer-Reviewed | security, research | Mar 25, 2026

PadNet is a defense designed to protect neural networks (models that learn patterns from data) against adversarial examples (inputs crafted to make a model produce wrong predictions). The paper presents techniques to make such models more robust under these attacks.

Source: ACM Digital Library (TOPS, DTRAP, CSUR)

Senate Democrats are trying to ‘codify’ Anthropic’s red lines on autonomous weapons and mass surveillance

info | news | policy | Mar 25, 2026

Anthropic restricted how the military could use its AI models, leading the Trump administration to blacklist it as a supply-chain risk. Democratic senators are now proposing bills to write those restrictions into law, including requirements that humans make the final decision in life-and-death situations and limits on using AI for mass surveillance of Americans.

Source: The Verge (AI)

Mark Zuckerberg and Jensen Huang are part of Trump’s new ‘tech panel’

info | news | policy | Mar 25, 2026

Mark Zuckerberg, Larry Ellison, Jensen Huang, and Sergey Brin have been named to the newly constituted President's Council of Advisors on Science and Technology (PCAST), which will advise the U.S. President on AI policy and other technology matters. The panel starts with 13 members, could expand to 24, and will be co-chaired by David Sacks and Michael Kratsios.

Source: The Verge (AI)

GHSA-5mg7-485q-xm76: Two LiteLLM versions published containing credential harvesting malware

critical | vulnerability | security | Mar 25, 2026

Two versions of LiteLLM (a Python library for working with multiple AI models), 1.82.7 and 1.82.8, were published containing malware that steals credentials (usernames, passwords, and authentication tokens). Anyone who installed either version should assume that credentials and tokens present on the affected host were exposed, remove the package, and rotate them.

Source: GitHub Advisory Database

Filter, Obstruct, and Dilute: Defending Against Backdoor Attacks on Semi-Supervised Learning

info | research | Peer-Reviewed | security, research | Mar 25, 2026

Semi-supervised learning (SSL, where a model learns from both labeled and unlabeled data) is vulnerable to backdoor attacks, in which an attacker poisons a small portion of the training data with hidden triggers to control the model's predictions. The paper shows that SSL backdoors are particularly dangerous because they exploit the pseudo-labeling mechanism (the model assigning labels to unlabeled data) to create stronger trigger-target correlations than in supervised learning. The authors propose Backdoor Invalidator (BI), a defense framework combining complementary learning, trigger mix-up, and dual domain filtering to obstruct and filter backdoor influence during both feature learning and data processing.

Fix: The source presents Backdoor Invalidator (BI) as an explicit defense framework. According to the text, BI 'integrates three novel techniques: complementary learning, trigger mix-up, and dual domain filtering, which collectively obstruct, dilute, and filter the influence of backdoor attacks in both feature learning and data processing.' The framework is designed to 'significantly reduce the average attack success rate while maintaining comparable accuracy on clean data' and is described as 'practical deployable as a plug-in component.' Code is available at https://github.com/wxr99/Backdoor_Invalidator4SSL.

Source: IEEE Xplore (Security & AI Journals)

Privacy-Preserving Multi-Modal Object Fusion for Connected Autonomous Vehicles: Resilience Against Malicious Third-Party Attacks

info | research | Peer-Reviewed | security, research | Mar 25, 2026

Connected autonomous vehicles (CAVs) combine data from several sensor types, such as LiDAR (laser-based ranging that builds 3D maps) and cameras, and fusing the two improves accuracy. The fusion process can leak private information, however, and relies on a third party to generate random numbers, which an attacker could compromise. The authors propose MPOF, a model that uses secure computation protocols (methods that compute a result without exposing the raw inputs) with sacrificial verification (a technique for detecting a misbehaving third party) to protect privacy while withstanding attacks from that third party.

Fix: The source proposes the MPOF model with secure computation protocols that include sacrificial verification to detect malicious third-party behavior during random number generation. The paper states the protocols 'reduce computational overhead by five orders of magnitude' compared to methods based on homomorphic encryption (computation on encrypted data without decrypting it), making the approach more practical for resource-constrained vehicles.

Source: IEEE Xplore (Security & AI Journals)

Assessing and Improving DNN Robustness Against Adversarial Examples From the Perspective of Fully Connected Layers

info | research | Peer-Reviewed | research, security | Mar 25, 2026

Deep neural networks (multi-layer machine learning models) are vulnerable to adversarial examples, inputs modified slightly so that the model makes wrong predictions. This paper proposes adding a redundant fully connected layer (a layer connecting all inputs to all outputs) trained with a special loss function, to make the network more robust to such attacks while keeping accuracy on normal inputs.

Fix: The source describes a research proposal, not a deployed patch: a redundant fully connected layer with a cosine-similarity-based loss function that can be added to existing models. No other mitigation is discussed.

Source: IEEE Xplore (Security & AI Journals)

Propose and Rectify: A Forensics-Driven MLLM Framework for Image Manipulation Localization

info | research | Peer-Reviewed | research | Mar 25, 2026

This research presents Propose-Rectify, a framework for detecting and localizing image manipulations in two stages: a semantic reasoning stage uses a modified LLaVA model (a multimodal model that understands both images and language) to propose suspicious regions, and a refinement stage applies specialized forensic analysis (methods that detect tampering traces) to validate and precisely localize the manipulated areas. The framework bridges semantic understanding and forensic detection and reports better accuracy than previous methods.

Source: IEEE Xplore (Security & AI Journals)

Legal AI startup Harvey valued at $11 billion in funding round, as VCs spread bets beyond model companies

info | news | industry | Mar 25, 2026

Harvey, a legal AI startup founded in 2022, raised $200 million at an $11 billion valuation to deploy AI in specialized legal and professional services markets. Its tools help lawyers with contract analysis, compliance, and other complex tasks, serving over 100,000 lawyers across more than 1,300 organizations. The round reflects growing investor confidence that specialized AI applications, not just foundation models (the underlying systems that power AI tools), can capture significant business value.

Source: CNBC Technology

Hugo Barra's return to Meta 5 years after exit underscores Zuckerberg's AI urgency

info | news | industry | Mar 25, 2026

Hugo Barra, a former Meta executive, has returned to the company to lead AI development, reflecting Meta's shift in focus from virtual reality to artificial intelligence. Meta is investing heavily in AI infrastructure and acquiring AI agent companies (makers of software that performs tasks autonomously) such as Dreamer, Manus, and Moltbook to compete with OpenAI and Google. The company is spending up to $135 billion this year on capital expenditures, mostly on AI infrastructure, as it works out a competitive strategy in a fast-moving market.

Source: CNBC Technology

My quest to preserve VHS-era gaming culture, one eBay bid at a time

info | news | security | Mar 25, 2026

The author collects VHS tapes and CRT televisions to preserve gaming culture from the 1980s and 1990s, when home video and the games industry grew up together. VHS tapes hold historical records of gaming's development, including movie adaptations and game-related content that used to be rented from video shops.

Source: The Guardian Technology

U.S.-Iran negotiations, Meta trial verdict, OpenAI shuts Sora and more in Morning Squawk

info | news | industry, policy | Mar 25, 2026

OpenAI shut down its Sora short-form video app, which reached one million downloads in its first five days and was discontinued six months later. The company is closing the app as part of cost-cutting ahead of a potential public offering, and will soon give users a timeline for preserving their work from the platform.

Source: CNBC Technology

The Kill Chain Is Obsolete When Your AI Agent Is the Threat

high | news | security, safety | Mar 25, 2026

Anthropic has disclosed that in September 2025 a state-sponsored attacker used an AI coding agent to conduct cyber espionage against roughly 30 global targets, with the AI handling 80-90% of the operation on its own. Traditional defenses are built to detect an attacker moving through a multi-step "kill chain" (the sequence of stages from initial access to data theft), but a compromised AI agent already has legitimate access, broad permissions, and routine reasons to move data between systems, so it skips the stages those detections rely on. Its malicious activity looks like normal behavior, and existing security tools cannot easily tell the two apart.

Source: The Hacker News

Agentic commerce runs on truth and context

info | news | industry, safety | Mar 25, 2026

Agentic commerce refers to AI agents that execute transactions autonomously on behalf of users rather than only providing information. For this to work safely and reliably, organizations need master data management (MDM, the discipline of maintaining a single authoritative record for each entity) and high-quality data, so that agents can correctly identify who is transacting, what permissions they hold, and where responsibility lies; agents cannot catch data errors the way humans can.

Source: MIT Technology Review

Anthropic’s Claude Code gets ‘safer’ auto mode

info | news | safety | Mar 25, 2026

Anthropic has added an 'auto mode' to Claude Code, its agentic coding tool, which lets the agent take actions on the user's machine without asking for permission at each step. Auto mode is presented as a safer alternative to giving the agent unrestricted freedom to act, which could otherwise let it delete files, leak sensitive data, or run harmful code without the user noticing.

Source: The Verge (AI)
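For GHSA-w3hv-x4fp-6h6j above, an added example of an Origin check for a WebSocket upgrade handler. This is not @grackle-ai/server's code: the function names, the 7001 port, and the decision to reject handshakes with no Origin header by default are assumptions. It also shows why a substring test on the origin string is not enough: an attacker-controlled host such as localhost.attacker.example contains 'localhost', so the parsed origin is compared exactly against an allowlist instead.

```typescript
// Added example, not @grackle-ai/server code. Port 7001 and all names are assumptions.

type UpgradeDecision =
  | { accept: true }
  | { accept: false; closeCode: number; reason: string };

// Close code the advisory reports the patch using for rejected origins.
const CLOSE_ORIGIN_REJECTED = 4003;

// Exact-match allowlist for a server bound to loopback on `port`.
// URL.origin strips default ports, so entries are stored in canonical form.
function loopbackAllowlist(port: number): ReadonlySet<string> {
  return new Set(
    [`http://localhost:${port}`, `http://127.0.0.1:${port}`].map((o) => new URL(o).origin),
  );
}

// Canonical "scheme://host[:port]" form of an Origin header value. Returns null
// for unparsable values, for the literal "null" opaque origin (sandboxed
// iframes, file:// pages) and for non-HTTP schemes.
function canonicalOrigin(raw: string): string | null {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin; // host is lowercased by the URL parser
}

// The weak form the advisory text describes: a substring test. An origin such
// as "http://localhost.attacker.example" passes it.
function originContainsLocalhost(raw: string | undefined): boolean {
  return raw !== undefined && (raw.includes("localhost") || raw.includes("127.0.0.1"));
}

// Decide whether to accept a WebSocket upgrade. `headers` mirrors Node's
// req.headers (lowercase keys). Browsers always send Origin on a WebSocket
// handshake, so a missing header means a non-browser client; those are
// rejected unless the caller opts in, since they must be authenticated some
// other way.
function checkOrigin(
  headers: Record<string, string | string[] | undefined>,
  allowed: ReadonlySet<string>,
  allowMissingOrigin = false,
): UpgradeDecision {
  const raw = headers["origin"];
  if (raw === undefined) {
    return allowMissingOrigin
      ? { accept: true }
      : { accept: false, closeCode: CLOSE_ORIGIN_REJECTED, reason: "missing Origin header" };
  }
  // Typed as string | string[] to match IncomingHttpHeaders; Origin must be a single value.
  if (Array.isArray(raw)) {
    return { accept: false, closeCode: CLOSE_ORIGIN_REJECTED, reason: "multiple Origin headers" };
  }
  const origin = canonicalOrigin(raw);
  if (origin === null || !allowed.has(origin)) {
    return { accept: false, closeCode: CLOSE_ORIGIN_REJECTED, reason: `origin not allowed: ${raw}` };
  }
  return { accept: true };
}

// Usage in a hypothetical upgrade handler (ws-style API, shown for shape only):
//   server.on("upgrade", (req, socket, head) => {
//     const d = checkOrigin(req.headers, loopbackAllowlist(7001));
//     if (!d.accept) { socket.destroy(); return; }
//     wss.handleUpgrade(req, socket, head, (ws) => wss.emit("connection", ws, req));
//   });
// A close code such as 4003 can only be sent after the handshake completes, so a
// patch that reports 4003 accepts the upgrade and then calls ws.close(4003, reason).
```

Destroying the socket before the upgrade is the stricter option; completing the handshake and then closing with 4003 gives the client a reason but costs a full handshake per rejected attempt.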
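For GHSA-647h-p824-99w7 above, an added example (not @grackle-ai/mcp's code) showing the vulnerable handler and the scoped handler side by side over constructed data. The `resolveWorkspaceId` helper follows the advisory's `resolvedWorkspaceId` pattern; the AuthContext shape, the in-memory knowledge store, the node shape and the handler signatures are assumptions.

```typescript
// Added example, not @grackle-ai/mcp code. Store, shapes and signatures are assumptions.

type AuthContext =
  | { type: "scoped"; workspaceId: string } // token bound to one workspace
  | { type: "full" }; // unrestricted token

interface KnowledgeNode {
  id: string;
  workspaceId: string;
  text: string;
}

// Constructed sample store spanning two workspaces.
const NODES: readonly KnowledgeNode[] = [
  { id: "n1", workspaceId: "ws-A", text: "A: staging deployment runbook" },
  { id: "n2", workspaceId: "ws-B", text: "B: production API key rotation notes" },
];

interface SearchArgs {
  query: string;
  workspaceId?: string;
}

// Vulnerable shape: the caller's workspaceId is trusted as-is, so a scoped
// agent for ws-A can simply pass workspaceId "ws-B".
function knowledgeSearchUnscoped(args: SearchArgs): KnowledgeNode[] {
  const ws = args.workspaceId ?? "";
  return NODES.filter((n) => n.workspaceId === ws && n.text.includes(args.query));
}

// The advisory's fix pattern: for scoped tokens the workspace comes from the
// token and the request parameter is ignored; full tokens may choose.
function resolveWorkspaceId(
  authContext: AuthContext | undefined,
  requested: string | undefined,
): string {
  return authContext?.type === "scoped" ? authContext.workspaceId ?? "" : requested ?? "";
}

function knowledgeSearch(args: SearchArgs, authContext?: AuthContext): KnowledgeNode[] {
  const ws = resolveWorkspaceId(authContext, args.workspaceId);
  // An unresolved workspace must match nothing, never everything.
  if (ws === "") return [];
  return NODES.filter((n) => n.workspaceId === ws && n.text.includes(args.query));
}

// Direct lookups need the same ownership check; otherwise a guessed or leaked
// node id from another workspace is enough to read it.
function knowledgeGetNode(
  id: string,
  requestedWorkspaceId: string | undefined,
  authContext?: AuthContext,
): KnowledgeNode | null {
  const ws = resolveWorkspaceId(authContext, requestedWorkspaceId);
  const node = NODES.find((n) => n.id === id);
  return node !== undefined && ws !== "" && node.workspaceId === ws ? node : null;
}
```

The same resolver should be applied in every tool listed in `SCOPED_TOOLS`, not just the two named in the advisory; a tool that takes a workspace from the request and skips the token is the bug, whatever it is called.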
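For GHSA-7q9x-8g6p-3x75 above, an added example (not @grackle-ai/server's code) of the escaping change: a minimal `escapeHtml`, a stand-in `renderPairingPage` before and after, and a regression check that an injected error string stays inert. The template markup and the function signatures are assumptions.

```typescript
// Added example, not @grackle-ai/server code. Markup and signatures are assumptions.

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can break out of text or quoted-attribute
// context. A single pass replaces each character independently, so "&" is
// never double-escaped.
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Before: the error string is treated as markup.
function renderPairingPageUnsafe(error: string): string {
  return `<main><h1>Pairing failed</h1><p class="error">${error}</p></main>`;
}

// After: the error string is treated as data.
function renderPairingPage(error: string): string {
  return `<main><h1>Pairing failed</h1><p class="error">${escapeHtml(error)}</p></main>`;
}

// Regression guard for the template: true if the rendered page contains a
// live (unescaped) script tag.
function containsLiveScript(page: string): boolean {
  return /<script\b/i.test(page);
}
```

Escaping at the point of interpolation, rather than at the call sites, is what keeps the template safe when a later change routes user input into `error`; the regression guard turns the advisory's "not exploitable today" into something a test can keep true.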