All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Site reliability engineering (SRE) teams should only trust AI agents in production when they have three foundational elements: grounded observability (complete logs, traces, and ownership data that the AI can reason over), clear guardrails (explicit permission models and approval gates that limit what the agent can do), and a progressive autonomy approach (starting with read-only tasks like summarizing incidents before allowing automated actions). Trust in AI for operations is earned through evidence of reliable behavior under real stress, not through impressive demos.
A vulnerability in Spring Web Services allows attackers to exploit XML parsing by sending malicious XML to applications that evaluate XPath expressions. The flaw occurs because the software uses Java's default XML parser instead of Spring's safer parser configuration, making it susceptible to XXE attacks (XML External Entity attacks, where attackers embed malicious references in XML files to access unauthorized data or execute commands).
OpenAI is considering cutting prices on its AI services, particularly the cost of tokens (the units that AI companies charge users for processing text and other content), to compete with rival Anthropic. Both companies are preparing for an IPO (initial public offering, where a company sells shares to the public for the first time) and have been increasing competition as ChatGPT continues to gain users.
BBVA, a global bank founded in 1857, is partnering with OpenAI to integrate AI (artificial intelligence) throughout its entire organization as part of its transformation strategy called 'The Eight.' Over 100,000 BBVA employees now use ChatGPT Enterprise to improve customer experiences, help with decision-making, automate operations, and speed up software development across the bank.
OpenAI is acquiring Ona, a company that specializes in secure cloud execution and orchestration (technology for running and managing code in cloud environments safely). This acquisition will allow Codex (OpenAI's AI tool used by 5 million people weekly) to work on longer tasks that span hours or days by running in persistent cloud environments instead of being limited to a single device or session. The integration will let organizations deploy AI agents (autonomous programs that perform tasks) securely within their own cloud infrastructure while maintaining control over security, data access, and activity logging.
OpenAI and Oracle are partnering to let Oracle Cloud Infrastructure (OCI, Oracle's cloud computing platform) customers use their existing Oracle Cloud Universal Credits (UCM, pre-purchased cloud service allowances) to pay for access to OpenAI's AI models and Codex (a code-generation AI tool). This partnership simplifies how enterprises can adopt advanced AI by letting them use their established purchasing processes and cloud budgets instead of creating separate purchasing agreements.
A vulnerability in Claude Code Action allowed attackers to run arbitrary code on GitHub Actions runners and steal secrets by creating a pull request with a malicious `.mcp.json` file (a configuration file that tells the system which external tools to enable). The problem occurred because the action automatically checked out the attacker's code, read the malicious configuration file, and unconditionally enabled all project MCP servers (integrations with external tools) without validation.
This article discusses AI regulation efforts in Washington, D.C., noting that various political figures and stakeholders with differing interests are coming together to shape AI policy. The piece frames these unexpected political alliances as complex and contentious, comparing the current regulatory landscape to chaos.
OpenTelemetry Operator's TargetAllocator has a vulnerability where a tenant who can create or update a ServiceMonitor (a Kubernetes resource that tells Prometheus what to monitor) can trick the Collector into reading arbitrary files from its pod and sending them as authentication credentials to an attacker-controlled endpoint. This allows attackers to steal the Collector's service account token (a credential that proves the pod's identity to Kubernetes) and potentially access sensitive cluster information or files.
Anyquery versions up to 0.4.4 contain a path traversal vulnerability in the `clear_plugin_cache` function, which accepts user input and passes it directly to file deletion commands without proper validation. An attacker with API access can use sequences like `../../../../tmp/target` to escape the intended cache directory and delete arbitrary directories on the server.
vLLM has a vulnerability called Artifact Pin Decay where revision pinning (locking a model to a specific version) doesn't consistently apply to all files and code that a model needs. When operators use `--revision` to lock their deployment to a reviewed version, vLLM can still load related files like weights, image processors, and configuration from the unpinned default version, breaking the safety guarantee that a pinned deployment serves only reviewed code.
Advanced AI models like Claude Mythos and GPT-5.5 make it much faster and easier for attackers to discover vulnerabilities (security weaknesses in software) and chain them together at scale, forcing cybersecurity teams to rethink their defenses. Security experts warn that defenders should assume AI will increase the likelihood of initial compromise and should focus on limiting damage through stronger identity controls, least privilege (giving users only the minimum access they need), and internal segmentation (dividing networks into isolated sections) rather than trying to patch every vulnerability perfectly.
Anthropic reversed a policy in Claude Fable 5 that secretly blocked requests related to frontier LLM development (cutting-edge AI research) without telling users. The company acknowledged the hidden approach was wrong and apologized, stating they prioritized speed over transparency.
Fix: Anthropic is making the safeguards visible: starting immediately, flagged requests will visibly fall back to Opus 4.8 (an older model version) instead of being silently blocked. On the API, refused requests will now return a reason for the refusal (rolling out to server-side fallback within days). Users will see every instance in which this happens.
Simon Willison's Weblog
Ivanti Sentry contains an OS command injection vulnerability (a flaw that lets attackers run arbitrary system commands) that could allow an unauthenticated remote attacker to gain root-level access (the highest privilege level on a system). The vulnerability is most dangerous when the Sentry appliance is unmanaged and exposed to the internet, though exploitation can be blocked by using mTLS (mutual TLS, a security protocol requiring both client and server verification) with EPMM or by restricting HTTPS access.
Fix: Apply mitigations according to vendor instructions while following CISA's BOD 26-04 guidance on prioritizing security updates based on risk. For cloud services, follow BOD 26-04 guidance or discontinue use of the product if mitigations are unavailable. Organizations must evaluate their asset's internet exposure and ensure adherence to BOD 26-04 patching guidelines. See the Ivanti Security Advisory at https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US for specific patching instructions.
CISA Known Exploited Vulnerabilities
OpenAI is supporting the European Commission's Code of Practice on Transparency of AI-Generated Content to help people understand where online content comes from and whether it was created or edited by AI. The company is implementing provenance standards (technical methods for tracking content origin and history) by adding C2PA metadata (embedded information that travels with images to show their source and creation details) to its DALL-E 3 image tool, combining this with SynthID watermarks (invisible digital markers), and offering a public verification tool at openai.com/verify so people can check whether images contain provenance signals.
Fix: OpenAI's approach includes: (1) adding C2PA Content Credentials metadata to images created and edited by DALL-E 3 in ChatGPT and the OpenAI API; (2) including both C2PA metadata and SynthID watermarks on images generated with ChatGPT, Codex, and the OpenAI API; (3) providing openai.com/verify, a public verification experience where people can check whether supported images contain provenance signals associated with OpenAI-generated images; and (4) contributing to open standards through joining the C2PA Steering Committee to advance interoperable provenance standards across the ecosystem.
OpenAI Blog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated patching requirements for federal agencies to address AI-related security threats. Agencies must now fix the most critical vulnerabilities (flaws in software that attackers can exploit) within three days, while less severe issues can be addressed later.
The US Cybersecurity and Infrastructure Security Agency (CISA) released a new directive requiring federal agencies to patch critical software vulnerabilities (bugs) in as little as three days, driven by concerns that AI models can now discover and exploit security flaws faster than humans can fix them. The directive uses a prioritization system based on four factors, including whether a vulnerability is publicly exposed and can be automatically exploited, to determine how urgently each bug must be addressed.
Fix: CISA's directive requires agencies to use a prioritization rubric based on four assessments: whether a vulnerability is in a publicly exposed system, whether it appears in CISA's Known Exploited Vulnerabilities Catalog, whether an attacker could automate exploitation, and how much access an attacker would gain. When all four criteria apply, the vulnerability must be fixed within three days, and agencies must also execute a 'forensic triage' process to determine if systems have already been compromised.
Wired (Security)
Organizations are struggling to patch vulnerabilities fast enough, with only 26% of actively exploited vulnerabilities fully fixed while attackers have reduced their exploitation time to hours or days. CISA issued Binding Operational Directive 26-04, which tells federal agencies to prioritize patching based on four factors (public exposure, known exploitation, automatable attacks, and post-exploitation impact) rather than just severity scores (CVSS, a 0-10 rating of how severe a vulnerability is), recognizing that AI is accelerating both vulnerability discovery and exploitation. Vulnerabilities meeting three or more of these risk factors must be patched within three days, while lower-risk ones can follow longer timelines.
Fix: CISA's Binding Operational Directive 26-04 introduces a decision framework considering four key factors: whether the vulnerable system is publicly exposed to the internet, whether the vulnerability is listed in the KEV (Known Exploited Vulnerabilities) catalog, whether an attacker can automate exploitation, and how much control an attacker would gain after exploitation. Vulnerabilities exhibiting three or more of these attributes must be patched within three days, while lower-risk vulnerabilities can be addressed on longer timelines or deferred until the next major system upgrade.
CSO Online
Insurance companies are responding differently to the growing use of AI in businesses: some are refusing to cover AI-related risks entirely, while others are developing frameworks to manage those risks. The article raises the question of which AI risks companies can actually handle and control.
Fix (for the Claude Code Action item above): Update claude-code-action to the latest version. Users referencing anthropics/claude-code-action@v1, anthropics/claude-code-action@beta, anthropics/claude-code-action@main, or other non-pinned tags will have already received this fix.
GitHub Advisory Database
Anthropic released Claude Fable 5, claiming it is their most powerful model, but it refuses to answer basic biology questions and instead redirects them to an older model called Claude Opus 4.8. This limitation is intentional by design, not because the model lacks knowledge. Fable belongs to the Mythos-class family, a group of models so skilled at cybersecurity tasks that Anthropic decided they were too dangerous to release to the public.
Fix (for the OpenTelemetry Operator TargetAllocator item above): PR #5104 adds a `DenyFSAccessThroughSMs` feature that causes the Target Allocator to drop ServiceMonitor and PodMonitor endpoints that reference arbitrary files on the filesystem. When enabled, endpoints with `bearerTokenFile`, `tlsConfig.caFile`, `tlsConfig.certFile`, or `tlsConfig.keyFile` are dropped from the produced scrape configuration, while the remaining endpoints are kept.
GitHub Advisory Database