aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6085 items

GHSA-qrpv-q767-xqq2: Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

critical | vulnerability | security
Jun 19, 2026
CVE-2026-55255

Langflow versions before 1.9.1 had an IDOR vulnerability (insecure direct object reference, where attackers can access resources by guessing or knowing their ID) in the `/api/v1/responses` endpoint that allowed any authenticated user to execute another user's workflow by specifying that user's flow ID, potentially exposing sensitive data and wasting resources. The bug existed because the code queried the database directly using a flow's unique identifier without checking if the requesting user actually owned that flow.

Fix: Update to Langflow 1.9.1 or later. The fix, released on 2026-04-22 in PR #12832, adds ownership verification so that when a flow is accessed by ID, the system checks whether the requesting user owns it. If they don't, the system returns a 404 error (instead of allowing access or revealing that the flow exists). The fix applies to both UUID-based lookups and endpoint name lookups, and includes additional protective layers for related endpoints like `/api/v1/run*` routes.

GitHub Advisory Database

GHSA-9wxg-vf3r-56hc: OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source

low | vulnerability | security
Jun 19, 2026

The OpenZeppelin Contracts Wizard had a vulnerability where line breaks in the securityContact and license fields could escape from comments and inject arbitrary code into generated smart contracts (code written in Solidity, Cairo, and other blockchain languages). This only affects cases where untrusted input fills these fields, such as when an AI agent processes external content and passes it to the Wizard.

Fix: Fixed by rejecting line terminators in `setInfo`, the function all Wizard surfaces use to set these fields. Upgrade to the patched versions of @openzeppelin/wizard and related packages (@openzeppelin/wizard-confidential and @openzeppelin/wizard-uniswap-hooks receive the fix through their dependency on the patched @openzeppelin/wizard).

GitHub Advisory Database

AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution

high | news | security
Jun 19, 2026

Microsoft researchers discovered AutoJack, an exploit that lets a malicious web page hijack an AI browsing agent to run commands on the host computer through weaknesses in AutoGen Studio's MCP (Model Context Protocol, a system for agents to call external tools) WebSocket handler. The attack requires no credentials or user interaction beyond the agent loading the attacker's page, and affects only users who installed pre-release versions 0.4.3.dev1 or 0.4.3.dev2 from PyPI, not the stable release.

Fix: Pull from GitHub main at or after commit b047730. Until a patched PyPI release is available, do not run AutoGen Studio on the same machine as a browsing or code-execution agent that touches untrusted content. If they must run together, isolate them in separate containers or VMs and run AutoGen Studio under a low-privilege account.

The Hacker News

GHSA-vcv2-r9jh-99m5: Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync

high | vulnerability | security
Jun 19, 2026

The agentic-flow tool versions 2.0.13 and earlier had a critical vulnerability where user input was directly inserted into shell commands without sanitization, allowing attackers to inject arbitrary OS commands (CWE-78, a type of command injection). This affected multiple MCP server tools, particularly those handling agent and database parameters, and could be exploited through untrusted content processed by the AI agent.

Fix: Upgrade to agentic-flow version 2.0.14 or later. The fix rewrites all affected command calls to use `execFileSync(file, argv, { shell: false })`, which passes arguments directly to the operating system without shell parsing, preventing injection attacks. Downstream packages (ruflo@3.12.4, claude-flow@3.12.4, @claude-flow/cli@3.12.4) have also been updated to pull the patched version.

GitHub Advisory Database

GHSA-jv2h-4p9v-wf5w: ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys

high | vulnerability | security
Jun 19, 2026

Ouroboros-ai had an incomplete security fix where a malicious project's `.env` file (a configuration file automatically loaded when code imports the package) could still enable remote code execution (RCE, where an attacker runs commands on your system) through environment variable names missing from the denylist (block list). Additionally, the software was auto-loading configuration files from the current working directory without checking whether they were trustworthy, allowing attackers to execute arbitrary commands just by having the tool run inside a malicious repository.

Fix: Fixed in version 0.42.1. All vulnerable environment variable keys were added to the `_UNTRUSTED_ENV_DENYLIST`; the automatic working-directory configuration file discovery was removed and replaced with only explicit configuration via the `OUROBOROS_MCP_CONFIG` environment variable and `~/.ouroboros/mcp_servers.yaml` (both from trusted locations). The regression suite (automated tests) now derives from the source denylist to prevent incomplete fixes in the future.

GitHub Advisory Database

GHSA-wg5p-8h9p-3mr7: agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution

high | vulnerability | security
Jun 19, 2026

agent-coderag has a critical vulnerability where it automatically executes a `gradlew` script (a build automation file) from any repository during its default dependency-discovery process, without checking whether the script is legitimate. An attacker can place a malicious `gradlew` script in a fake repository to run arbitrary code (unrestricted commands) on a victim's computer whenever they run the standard `agent-coderag sync` command, requiring no special permissions or authentication.

GitHub Advisory Database

GHSA-h668-6x6g-f8r5: tract: Arbitrary file read via unsanitized ONNX external_data `location` (path traversal) on model load in tract-onnx

medium | vulnerability | security
Jun 19, 2026
CVE-2026-55832

The tract-onnx library (a Rust crate for running neural network models) has a vulnerability where it loads external data files referenced in ONNX models without checking the file paths. A malicious model can use absolute paths (like `/etc/passwd`) or directory traversal sequences (like `../../../../etc/passwd`) in the `location` field to trick tract into reading arbitrary files on the system and exposing their contents in the model's output. This is a path-traversal vulnerability (a type of attack where an attacker manipulates file paths to access files outside the intended directory).

Fix: Reject absolute `location` values and any `..` components, then canonicalize (convert to a standard absolute path form) and verify the resolved path stays within the model directory, mirroring the fix applied in the `onnx` reference library version 1.22.0.

GitHub Advisory Database

The film about Sam Altman has been dropped by Amazon MGM

info | news | industry
Jun 19, 2026

Amazon MGM has dropped a film called Artificial, directed by Luca Guadagnino, that was about OpenAI CEO Sam Altman and the five-day period in 2023 when he was fired and then rehired. The studio said it believes another company would be better suited to release the movie.

The Verge (AI)

GHSA-qw6v-5fcf-5666: Network-AI: Improper Neutralization of Special Elements used in an OS Command

critical | vulnerability | security
Jun 19, 2026
CVE-2026-54051

Network-AI versions before 5.9.1 have a command injection vulnerability where wildcard allowlist rules like `git *` can be bypassed to run arbitrary commands. The bug occurs because the allowlist (a security filter that approves which commands can run) matches the whole command string using loose glob patterns, but then executes it through `/bin/sh -c` (the shell interpreter), which interprets special characters like semicolons and pipes, allowing an attacker to append malicious commands like `git status; id`.

Fix: Fixed in v5.9.1 (commit 379f776). The `ShellExecutor` now executes commands via `spawn(file, args, { shell: false })` with quote-aware argument parsing instead of invoking a shell, and `SandboxPolicy.isCommandAllowed` and the new `SandboxPolicy.tokenizeCommand` reject any unquoted shell metacharacters (`;`, `&`, `|`, `$`, backticks, parentheses, angle brackets, braces, and newlines) or unterminated quotes before checking the allowlist, while preserving quoted metacharacters as literal arguments.

GitHub Advisory Database

GHSA-r78r-rwrf-rjwp: Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests

critical | vulnerability | security
Jun 19, 2026
CVE-2026-48814

The Network-AI package (npm `network-ai`, v5.7.1) has an incomplete security fix for CVE-2026-46701. While a previous update blocked browser-based attacks by restricting CORS (cross-origin resource sharing, which controls what websites can access a server), the core problem remains: the server still defaults to an empty secret and accepts all requests without authentication, meaning anyone who can reach the server directly (via curl, SSRF (server-side request forgery, where an attacker tricks a server into making requests), or a non-loopback network bind) can invoke all 22 available tools without providing credentials.

Fix: The source recommends implementing the original advisory's remediation #1: 'refuse to start SSE mode with an empty secret (unless `--stdio`), and/or change `_isAuthorized` to fail closed (an empty configured secret should mean "deny", not "allow").' The fix should require a non-empty secret at startup and call `process.exit(1)` if one is not provided, rather than only issuing a warning when binding to a non-loopback address.

GitHub Advisory Database

Every AI Agent Is an Identity. Most Organizations Don't Treat Them That Way

info | news | security, policy
Jun 19, 2026

AI agents in enterprises now function as identities (digital actors with access to systems) because they connect to critical business services like Salesforce, GitHub, and databases, yet most organizations lack security controls for them. A 2026 survey found that 82% of organizations discovered AI agents created without security teams' knowledge, and 65% experienced security incidents involving AI agents, often resulting in data exposure. The core problem is that security teams cannot see or control what these agents can access, making them high-risk actors with excessive privileges.

BleepingComputer

The Download: AI bottleneck debates, and BCI trials take off

info | news | research, industry
Jun 19, 2026

This article is a technology news roundup covering multiple topics, including claims that a company called Subquadratic has created a faster and cheaper LLM (large language model, an AI trained on vast amounts of text) by reducing the number of computations needed to generate answers, though some experts remain skeptical. The piece also highlights advances in brain-computer interface (BCI, technology that lets the brain communicate directly with external devices) trials, including a man with ALS using an implant to maintain income and reconnect with loved ones. The article concludes with a list of other recent tech stories ranging from AI legislation proposals to concerns about AI models weakening professional skills.

MIT Technology Review

From Assistive to Agentic: The AI Shift That's Redefining Threat Management

info | news | industry, security
Jun 19, 2026

Modern enterprise security teams use 40+ separate tools that don't communicate with each other, creating delays in threat response, while breaches stay undetected for an average of 43 days. The article argues that organizations need "agentic AI" (AI systems that autonomously act and make decisions across multiple systems continuously), not just "assistive AI" (AI that helps humans do existing tasks faster), to implement Continuous Threat Exposure Management (CTEM, a framework for ongoing threat assessment) and match the speed at which modern attackers operate.

The Hacker News

Anthropic's Fable and the State of AI

info | news | safety, policy
Jun 19, 2026

Anthropic released Fable, an AI model that the US government classified as a dangerous munition and blocked from foreign access, forcing the company to shut it off entirely. Fable is notable for being "relentlessly proactive," meaning it can achieve difficult goals with minimal user guidance by finding creative solutions and loopholes, which makes it useful for legitimate problems but dangerous in the wrong hands. The real issue isn't any single model but the broader trend of increasing AI capabilities, and the open-source community has already shown it can replicate Fable's abilities using cheaper models and better "harnesses" (the ordinary computer code that interfaces between users and AI models).

Schneier on Security

Qualcomm CEO Cristiano Amon on the new world of AI agents

info | news | industry
Jun 19, 2026

Qualcomm's CEO describes a future where AI agents (software programs that can act independently across multiple apps) replace traditional apps as the main way people interact with devices, coordinating tasks like restaurant reservations across different services. These agents will power new wearable devices like smart glasses, earbuds with cameras, and jewelry that stay with you constantly and let you talk to the agent to accomplish tasks.

CNBC Technology

A startup claims it broke through a bottleneck that's holding back LLMs

info | news | industry
Jun 19, 2026

Subquadratic, a Miami-based AI startup, claims to have solved a mathematical bottleneck that has limited large language models (LLMs, which are AI systems trained on text to generate human-like responses) for nearly a decade. The company's new model, SubQ, reportedly runs faster, costs less, uses less energy, and can process up to 12 times more text at once than competing models while matching the performance of top companies like OpenAI and Google DeepMind. Initial skepticism was reduced after independent testing by a third-party firm called Appen validated many of Subquadratic's claims.

MIT Technology Review

Forget Data Leakage: Shadow AI's Real Threat Is Access Control

info | news | security, policy
Jun 19, 2026

Shadow AI (unauthorized AI agents built within organizations) has shifted from a data leakage risk to an access control problem. Unlike passive tools where employees paste data into public AI services, AI agents are active systems that can call APIs (application programming interfaces, which let software talk to other software), use stored credentials, and take actions in production systems without human approval for each step. Existing security controls designed for human users don't detect or manage these agents, which accumulate broad permissions and remain active even after employees leave.

Fix: The source identifies the gap but does not explicitly describe a complete solution or mitigation strategy. It mentions that 'automated remediation of non-human identities is where that gap gets closed' and lists six discovery questions for building a shadow AI inventory (where agents are created, who owns them, what resources they access, etc.), but does not provide specific implementation steps, tools, or patches.

The Hacker News

The Advisory Forum: What Is It And How Does It Work?

info | regulatory | policy
Jun 19, 2026

The Advisory Forum is a governance body established under the EU AI Act to provide technical expertise and advice to the European Commission and AI Board on implementing the Act. It consists of 174 members representing balanced stakeholder groups (industry, startups, SMEs, civil society, and academia) plus five permanent member organizations, and was officially appointed on June 1, 2026.

EU AI Act Updates

Breaking the SOC triangle: How AI reshapes security operations trade-offs

info | news | security, industry
Jun 19, 2026

Security operations centers (SOCs, teams that monitor and respond to security threats) have traditionally faced unavoidable trade-offs between three goals: quality (thorough investigation), consistency (standardized processes), and cost efficiency. This constraint exists because SOCs rely on human analysts to triage, investigate, and resolve alerts, which limits how much of each goal can be achieved simultaneously. Modern SOCs are hitting the limits of this model as alert volumes grow and work becomes more complex, forcing organizations to choose between degraded quality, inconsistent decisions, or higher costs.

CSO Online

Security considerations for adopting Claude Code and Cowork for SMBs

info | news | security, policy
Jun 19, 2026

This guide advises security leaders at small and medium-sized businesses (SMBs) on safely adopting Claude AI tools by understanding which Claude plan and products (Code, Cowork, Chat) match business needs, using a phased approval process to control risk exposure, and gradually enabling features rather than all at once. The text emphasizes that the AI landscape changes rapidly, shadow AI use (employees using unlicensed AI tools) is widespread, and security teams should risk-rank Claude's features before enabling them, being cautious about features like web search and browser extensions that could enable indirect prompt injection (attacks hidden in external content that trick the AI into following unintended instructions).

Fix: The source recommends several practices but no explicit patches or technical fixes: use an agile approval process to determine which employees need Claude licenses and which products they need; implement a phased approach to enabling Claude features rather than toggling all at once; risk-rank Claude's features to assess attack vectors; and consider asking Claude itself to explain your plan's security features and suggest an implementation strategy. The text does not mention version updates, patches, or specific technical mitigations.

CSO Online