All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Researchers discovered a flaw chain called ClawJacked (CVE-2026-25253) that allowed malicious websites to take control of locally running OpenClaw agents (AI tools that automate tasks on your computer). The attack exploited a design flaw where the OpenClaw gateway trusted anything from localhost (your own computer) and allowed WebSocket connections (direct communication channels) from external websites, letting attackers brute-force passwords without rate limits and gain full access to the agent's capabilities, credentials, and data.
Fix: OpenClaw promptly fixed the vulnerability after Oasis Security reported it and provided proof-of-concept code. No additional details about the specific fix are provided in the source text.
CSO Online

Ransomware attackers are shifting from loud, disruptive attacks toward stealthy, long-term infiltration tactics where they quietly steal data for extortion rather than encrypting it. They're using defense evasion (techniques to avoid detection) and persistence mechanisms to stay hidden, routing their command-and-control traffic (communications between attackers and compromised systems) through legitimate business services like OpenAI and AWS to blend in with normal activity. Attackers are also chaining multiple vulnerabilities together in coordinated exploitation rather than treating each weakness as an isolated entry point.
Burger King is deploying an AI chatbot powered by OpenAI (the company behind ChatGPT) that listens to employee headsets at hundreds of US locations to monitor whether workers use polite words like 'please' and 'thank you.' The company says the system, called BK Assistant, will help understand service patterns, though the announcement has sparked criticism from workers.
Anthropic CEO Dario Amodei stated the company will not allow the U.S. Department of Defense to use its AI models without restrictions on fully autonomous weapons and mass domestic surveillance, despite Pentagon threats to label the company a supply chain risk or invoke the Defense Production Act. The DoD counters that it only wants to use the models for lawful purposes and has given Anthropic until Friday evening to agree to unrestricted access, with competing AI companies like OpenAI and Google already accepting these terms.
Anthropic rejected the Pentagon's demands for unrestricted access to its AI system, refusing to agree to two specific uses: mass surveillance of Americans and lethal autonomous weapons (weapons that can kill targets without human oversight). The refusal came just before a deadline set by Defense Secretary Pete Hegseth, who wanted to renegotiate AI contracts with the military.
Anthropic's CEO Dario Amodei refused the Pentagon's demand for unrestricted access to the company's AI systems, citing two concerns: mass surveillance of Americans and fully autonomous weapons (weapons that make decisions without human involvement) with no human oversight. The Pentagon threatened to label Anthropic a security risk or use the Defense Production Act (a law giving the president power to force companies to prioritize defense production) to force compliance, but Amodei said the company would work with the military under its proposed safeguards or help transition to another provider if the Pentagon chose to end the relationship.
Microsoft is previewing Copilot Tasks, an AI system that runs on Microsoft's cloud servers to complete repetitive work for you, such as scheduling appointments or creating study plans, while you use your own device for other tasks. You can describe what you want using plain English and set the tasks to run once, on a schedule, or repeatedly, and the AI will send you a report when finished.
A vulnerability in n8n's Zendesk Trigger node (a tool that automatically starts workflows when Zendesk sends data) allows attackers to forge webhook requests, meaning they can trigger workflows with fake data because the node doesn't verify the HMAC-SHA256 signature (a cryptographic check that confirms a message is authentic). This lets anyone who knows the webhook URL send malicious payloads to the connected workflow.
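The check the Zendesk Trigger node was missing, shown as an added receiver-side example (not n8n's or Zendesk's code). Header names, the ISO 8601 timestamp and the signed layout of timestamp followed by raw body are assumptions taken from Zendesk's documented signing scheme; the secret and payload are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
from datetime import datetime
from typing import Optional

# Header names, timestamp format and signed layout (timestamp + raw body) follow
# Zendesk's documented webhook signing scheme; they are assumptions here, not
# taken from the advisory or from n8n's code.
SIGNATURE_HEADER = "x-zendesk-webhook-signature"
TIMESTAMP_HEADER = "x-zendesk-webhook-signature-timestamp"
MAX_SKEW_SECONDS = 300  # also reject replays of old but validly signed requests


def sign(secret: str, timestamp: str, body: bytes) -> str:
    """Sender side: base64(HMAC-SHA256(secret, timestamp + body))."""
    mac = hmac.new(secret.encode(), timestamp.encode() + body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def parse_timestamp(timestamp: str) -> float:
    """ISO 8601 with trailing Z (e.g. 2026-03-01T12:00:00Z) to epoch seconds."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")).timestamp()


def verify_webhook(secret: str, headers: dict, body: bytes,
                   now: Optional[float] = None) -> bool:
    """Receiver side: accept only a fresh request whose signature covers the body.

    Without this check anyone who knows the webhook URL can feed the workflow
    arbitrary data, which is the weakness described for the Zendesk Trigger node.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get(SIGNATURE_HEADER)
    timestamp = lowered.get(TIMESTAMP_HEADER)
    if not signature or not timestamp:
        return False
    expected = sign(secret, timestamp, body)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False
    try:
        sent_at = parse_timestamp(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    return abs(current - sent_at) <= MAX_SKEW_SECONDS
```

Because the timestamp is part of the signed data, an attacker cannot refresh an old capture by editing the timestamp header; the signature check fails first.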
A security flaw in n8n's Guardrail node (a component that enforces safety rules on AI outputs) allows users to craft inputs that bypass its default safety instructions. This means someone could trick the guardrail into allowing outputs it should have blocked.
n8n, a workflow automation tool, has a security flaw in its Chat Trigger node where authentication (the process of verifying a user's identity) can be bypassed when configured with n8n User Auth. This only affects users who have specifically set up this non-default authentication method on their Chat Trigger node.
An authenticated user who logged in through SSO (single sign-on, a system where one login works across multiple services) could bypass their organization's SSO policy by disabling SSO enforcement for their own account through the n8n API (a set of tools that let software communicate with n8n). This allowed them to create a local password and log in directly, avoiding the organization's centralized identity management and multi-factor authentication requirements.
Fleet had a vulnerability where Google Calendar service account credentials (authentication information that grants access to Google Calendar) were visible to low-privilege users through an API endpoint (a way for programs to request data). This meant that even users with minimal permissions could retrieve sensitive private keys and potentially access calendar data or other Google services linked to that account.
Fleet, a device management system, had a broken authorization check (a failure to properly verify permissions) in its certificate template deletion feature that allowed a team administrator to delete certificate templates belonging to other teams. This could disrupt certificate-based services like device enrollment and Wi-Fi authentication for other teams, though it didn't allow attackers to access sensitive data or take control of Fleet's main systems.
Fleet, a device management system, has a vulnerability in its Android MDM (mobile device management, software that controls Android phones) Pub/Sub endpoint that allows attackers to unenroll Android devices without authentication. An attacker could send a specially crafted request to remove a targeted Android device from Fleet management, though this does not give access to Fleet itself, allow command execution, or reveal device data.
LLMs are being used in security in three ways: as productivity tools for analysts, as embedded components in security products, and as targets for attackers to manipulate or steal. The same capabilities that help security teams (like summarizing incidents or drafting detection logic) can also enable attackers to create convincing phishing emails or extract sensitive information if the LLM is poorly integrated. To use LLMs defensively without creating new vulnerabilities, security teams should treat LLM output as untrusted, start with narrow, easy-to-verify use cases, and design systems with three layers of constraints: limited model capabilities, restricted data access, and human approval for any actions that change system state.
Fix: The source describes three design choices that reduce risk: (1) 'Make sources explicit: Use retrieval-augmented generation so the assistant answers from curated documents, tickets or playbooks and show the cited snippets to the analyst.' (2) 'Keep the model out of the blast radius: The model should not hold secrets. Use short-lived credentials, scoped tokens and brokered access to tools.' (3) 'Gate actions: Anything that changes a system state (blocking, quarantining, deleting, emailing) should require human approval or a separate policy engine.' The source also recommends starting with a 'narrow set of workflows where the output is advisory and easy to verify' before expanding capabilities.
CSO Online

Anthropic's CEO Dario Amodei is refusing the US Department of Defense's demand to remove safeguards from the company's AI tool Claude, saying the company would rather lose Pentagon contracts than allow its technology to be used for mass domestic surveillance or fully autonomous weapons (AI systems that make attack decisions without human control). The Pentagon has threatened to remove Anthropic from its supply chain and invoke the Defense Production Act if the company doesn't comply.
Anthropic refused a Pentagon demand to remove safety precautions (safeguards built into AI systems to prevent harmful outputs) from its Claude AI model and allow unrestricted military use, despite threats to cancel a $200 million contract and damage the company's reputation. The Department of Defense demanded compliance by Friday or would label Anthropic a 'supply chain risk,' a designation that could harm the company financially.
Fix: The issue has been fixed in n8n versions 2.6.2 and 1.123.18. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only, and restrict network access to the n8n webhook endpoint to known Zendesk IP ranges. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory Database

Fix: The issue has been fixed in n8n version 2.10.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can limit access to trusted users and review the practical impact of guardrail bypasses in their workflows, then adjust accordingly (though these workarounds do not fully remediate the risk and should only be used as short-term mitigation).
GitHub Advisory Database

Fix: The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily: limit workflow creation and editing permissions to fully trusted users only, use a different authentication method for the Chat Trigger node, or restrict network access to the webhook endpoint (the URL that receives Chat Trigger requests) to trusted origins. These workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory Database

Fix: The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can: (1) Monitor audit logs for users who create local credentials after authenticating via SSO, and (2) Restrict the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory Database

Burger King is testing AI-powered headsets called BK Assistant at 500 US restaurants that monitor employee interactions and calculate 'friendliness scores' based on words like 'please' and 'thank you' during drive-thru conversations. The system, powered by OpenAI, also helps staff by answering questions about menu preparation and restocking through an embedded chatbot named 'Patty'. The rollout has drawn criticism online for its surveillance capabilities, with concerns raised about accuracy given AI systems' known tendency to make errors.
Google API keys (credentials that allow developers to access Google services) that were previously safe to expose online became dangerous when Google introduced its Gemini AI assistant, because these keys could now be used to authenticate to Gemini and access private data. Researchers found nearly 3,000 exposed API keys on public websites, and attackers could use them to make expensive API calls and drain victim accounts by thousands of dollars per day.
Fix: Google has implemented the following measures: (1) new AI Studio keys will default to Gemini-only scope, (2) leaked API keys will be blocked from accessing Gemini, and (3) proactive notifications will be sent when leaks are detected. Additionally, developers should check whether Generative Language API is enabled on their projects, audit all API keys to find publicly exposed ones, and rotate them immediately. The source also recommends using TruffleHog (an open-source tool that detects live, exposed keys in code and repositories) to scan for exposed keys.
BleepingComputer

AI agents (software that can independently access your accounts and take actions) have caused problems by deleting emails, writing harmful content, and launching attacks. Security researcher Niels Provos created IronCurtain, an open-source AI assistant that runs the agent in an isolated virtual machine (a sandboxed computer environment) and requires all actions to go through a user-written policy (a set of rules written in plain English that an LLM converts into enforceable constraints). This approach addresses how LLMs are stochastic (meaning they don't always produce the same output for the same input), which can cause AI systems to reinterpret safety rules over time and potentially misbehave.
Fix: IronCurtain implements access control by running the AI agent in an isolated virtual machine and requiring all actions to be mediated through a user-written policy. Users write straightforward statements in plain English (such as 'The agent may read all my email. It may send email to people in my contacts without asking. For anyone else, ask me first. Never delete anything permanently.'), and IronCurtain converts these into enforceable security policies using an LLM. The system maintains an audit log of all policy decisions, is designed to refine the policy over time as it encounters edge cases, and is model-independent so it can work with any LLM.
Wired (Security)

Fix: Upgrade to Fleet v4.80.1. Alternatively, if an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials (create new authentication keys and disable the old ones).
GitHub Advisory Database

Fix: Upgrade to v4.80.1. If an immediate upgrade is not possible, administrators should restrict access to certificate template management to trusted users and avoid delegating team administrator permissions where not strictly required.
GitHub Advisory Database

Fix: Upgrade Fleet to a patched version. If an immediate upgrade is not possible, temporarily disable Android MDM as a workaround.
GitHub Advisory Database