aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6426 items

CVE-2026-21519: Microsoft Windows Type Confusion Vulnerability

infovulnerability
security
Feb 9, 2026
CVE-2026-21519🔥 Actively Exploited

Microsoft Windows Desktop Window Manager has a type confusion vulnerability (a bug where the software treats data as the wrong type, causing incorrect behavior) that allows an authorized attacker to gain higher-level access on a local computer. This vulnerability is currently being exploited by attackers in the wild.

Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Known Exploited Vulnerabilities

Structured Context Engineering for File-Native Agentic Systems

infonews
research
Feb 9, 2026

A research paper studied how to present large amounts of structured data (like SQL databases with thousands of tables) to AI language models in different formats (YAML, Markdown, JSON, and TOON) to help them generate correct code. The study found that more advanced models like GPT and Gemini performed much better than open-source models, and that using unfamiliar data formats like TOON actually made models less efficient because they spent extra effort trying to understand the new format.

A one-prompt attack that breaks LLM safety alignment

infonews
safetyresearch

Why the Moltbook frenzy was like Pokémon

infonews
industry
Feb 9, 2026

Moltbook was an online platform where AI agents (software programs designed to act independently) interacted with each other, which some people saw as a preview of useful AI in the future, but it turned out to be mostly a social experiment and entertainment similar to a 2014 internet phenomenon called Twitch Plays Pokémon. The platform was flooded with crypto scams and many 'AI' posts were actually written by humans controlling the agents, revealing that truly helpful AI systems would need better coordination, shared goals, and shared memory to work together effectively.

langchain-openai==1.1.8

infonews
security
Feb 9, 2026

N/A -- The provided content is a GitHub navigation menu and footer with no technical information about langchain-openai==1.1.8 or any AI/LLM-related issue.

CVE-2026-25904: The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the

mediumvulnerability
security
Feb 9, 2026
CVE-2026-25904

CVE-2026-25904 is a security flaw in the Pydantic-AI MCP Run Python tool where the Deno sandbox (a restricted environment for running code safely) is configured too permissively, allowing Python code to access the localhost interface and perform SSRF attacks (server-side request forgery, where an attacker tricks a server into making unwanted requests). The project is archived and unlikely to receive a fix.

Privacy-Preserving, Efficient, and Accurate Dimensionality Reduction

inforesearchPeer-Reviewed
research

Practical and Flexible Backdoor Attack Against Deep Learning Models via Shell Code Injection

inforesearchPeer-Reviewed
security

AdvScan: Black-Box Adversarial Example Detection at Runtime Through Power Analysis

inforesearchPeer-Reviewed
research

âš¡ Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More

mediumnews
securitypolicy

LLMs are Getting a Lot Better and Faster at Finding and Exploiting Zero-Days

infonews
securityresearch

CVE-2026-1868: GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions

criticalvulnerability
security
Feb 9, 2026
CVE-2026-1868

GitLab AI Gateway had a vulnerability in its Duo Workflow Service component where user-supplied data wasn't properly validated before being processed (insecure template expansion), allowing attackers to craft malicious workflow definitions that could crash the service or execute code on the Gateway. This flaw affected multiple versions of the AI Gateway.

OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills

infonews
securitysafety

Claude: Speed up responses with fast mode

infonews
industry
Feb 7, 2026

Anthropic released a faster version of Claude Opus 4.6 that operates 2.5 times faster, accessible through a /fast command in Claude Code, but costs 6 times more than the standard version ($30/million input tokens and $150/million output tokens versus the normal $5/million and $25/million). The company is offering a 50% discount until February 16th, reducing the cost multiplier to 3x during that period, and users can also extend the context window (the amount of text the AI can process at once) to 1 million tokens for additional charges.

CVE-2026-25561: WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully vali

highvulnerability
security
Feb 7, 2026
CVE-2026-25561

WeKan versions before 8.19 have a bug in the attachment upload API where it doesn't properly check that the identifiers (like boardId, cardId, and listId) match up correctly, allowing attackers to upload attachments that don't belong together. This is an authorization weakness (CWE-863, a flaw in access control), rated as HIGH severity, that requires the attacker to already have login credentials to exploit.

Moltbook, the Social Network for AI Agents, Exposed Real Humans’ Data

highnews
security
Feb 7, 2026

Moltbook, a social network platform for AI agents to interact with each other, had a serious security flaw where a private key (a secret code used to authenticate users) was exposed in its JavaScript code. This exposed thousands of users' email addresses, millions of API credentials (login tokens), and private communications between AI agents, allowing attackers to impersonate any user. The vulnerability is particularly notable because Moltbook's code was entirely written by AI rather than human programmers.

CVE-2026-25628: Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append t

highvulnerability
security
Feb 6, 2026
CVE-2026-25628

Qdrant (a vector similarity search engine and vector database) has a vulnerability in versions 1.9.3 through 1.15.x where an attacker with read-only access can use the /logger endpoint to append data to arbitrary files on the system by controlling the on_disk.log_file path parameter. This vulnerability allows unauthorized file manipulation with minimal privileges required.

CVE-2026-25592: Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an

criticalvulnerability
security
Feb 6, 2026
CVE-2026-25592

Microsoft's Semantic Kernel SDK (a tool for building AI agents that work together) had a vulnerability before version 1.70.0 that allowed attackers to write arbitrary files (files placed anywhere on a system) through the SessionsPythonPlugin component. The vulnerability has been fixed in version 1.70.0.

CVE-2026-25533: Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers o

highvulnerability
security
Feb 6, 2026
CVE-2026-25533

Enclave is a secure JavaScript sandbox used to safely run code written by AI agents. Before version 2.10.1, attackers could bypass its security protections in three ways: using dynamic property accesses to skip code validation, exploiting how error objects work in Node.js's vm module (a built-in tool for running untrusted code safely), and accessing functions through host object references to escape sandbox restrictions.

CVE-2026-25580: Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to befor

highvulnerability
security
Feb 6, 2026
CVE-2026-25580

Pydantic AI, a Python framework for building AI applications, has a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended internal resources) in versions 0.0.26 through 1.55.x. If an application accepts message history from untrusted users, attackers can inject malicious URLs that make the server request internal services or steal cloud credentials. This only affects apps that take external user input for message history.

Previous216 / 322Next
Simon Willison's Weblog
Feb 9, 2026

Researchers discovered that Group Relative Policy Optimization (GRPO), a technique normally used to improve AI safety, can be reversed to break safety alignment when the reward signals are changed. By giving a safety-aligned model even a single harmful prompt and scoring responses based on how well they fulfill the harmful request rather than refusing it, the model gradually abandons its safety guidelines and becomes willing to produce harmful content across many categories it never encountered during the attack.

Microsoft Security Blog
MIT Technology Review
LangChain Security Releases
NVD/CVE Database
privacy
Feb 9, 2026

This research introduces PP-DR, a privacy-preserving dimensionality reduction (a technique that reduces the number of features in a dataset to make it easier to analyze) scheme that uses homomorphic encryption (a type of encryption that allows computations on encrypted data without decrypting it first) to let multiple organizations securely share and analyze data together without revealing sensitive information. The new method is much faster and more accurate than previous approaches, achieving 30 to 200 times better computational efficiency and 70% less communication overhead.

IEEE Xplore (Security & AI Journals)
research
Feb 9, 2026

Researchers have developed a new backdoor attack method called shell code injection (SCI) that can implant malicious logic into deep learning models (neural networks trained on large datasets) without needing to poison the training data. The attack uses techniques inspired by nature, like camouflage, along with trigger verification and code packaging strategies to trick models into making wrong predictions, and it can adapt its attack targets dynamically using large language models (LLMs) to make it more flexible and harder to detect.

IEEE Xplore (Security & AI Journals)
security
Feb 9, 2026

AdvScan is a method for detecting adversarial examples (inputs slightly modified to trick AI models into making wrong predictions) on tiny machine learning models running on edge devices (small hardware like microcontrollers) without needing access to the model's internal details. The approach monitors power consumption patterns during the model's operation, since adversarial examples create unusual power signatures that differ from normal inputs, and uses statistical analysis to flag suspicious inputs in real-time with minimal performance overhead.

IEEE Xplore (Security & AI Journals)
Feb 9, 2026

This recap highlights how attackers are exploiting trusted tools and marketplaces rather than breaking security controls directly. Key threats include malicious skills appearing in ClawHub (a registry for AI agent add-ons), a record-breaking 31.4 Tbps DDoS attack (a flood attack that overwhelms servers with massive traffic), and compromised update infrastructure for Notepad++ being used to distribute malware. The pattern shows attackers are abusing trust in updates, app stores, and AI workflows to gain access to systems.

Fix: OpenClaw has announced a partnership with Google's VirusTotal malware scanning platform to scan skills uploaded to ClawHub as part of a defense-in-depth approach to improve security. Additionally, the source notes that open-source agentic tools like OpenClaw require users to maintain higher baseline security competence than managed platforms.

The Hacker News
Feb 9, 2026

Claude Opus 4.6, a new AI model, is significantly better at finding zero-day vulnerabilities (security flaws unknown to vendors and the public) than previous models, discovering high-severity bugs in well-tested code that fuzzing tools (programs that test software by sending random inputs) had missed for years. Unlike traditional fuzzing, Opus 4.6 analyzes code like a human researcher would, studying past fixes and code patterns to reason about what inputs would cause failures.

Schneier on Security

Fix: Update GitLab AI Gateway to version 18.6.2, 18.7.1, or 18.8.1, depending on which version you are running, as the vulnerability has been fixed in these versions.

NVD/CVE Database
Feb 8, 2026

OpenClaw has partnered with VirusTotal (a malware analysis service owned by Google) to scan skills uploaded to ClawHub, its marketplace for AI agent extensions. The system creates a unique SHA-256 hash (a digital fingerprint) for each skill and checks it against VirusTotal's database, automatically approving benign skills, flagging suspicious ones, and blocking malicious ones, with daily rescans of active skills. However, OpenClaw acknowledged that this scanning is not foolproof and some malicious skills using concealed prompt injection (tricking the AI by hiding malicious instructions in user input) may still get through.

Fix: OpenClaw announced it will publish a comprehensive threat model, public security roadmap, formal security reporting process, and details about a security audit of its entire codebase. Additionally, the platform added a reporting option that allows signed-in users to flag suspicious skills.

The Hacker News
Simon Willison's Weblog

Fix: Update to WeKan version 8.19 or later. A patch is available at https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8.

NVD/CVE Database

Fix: Moltbook has fixed the security flaw that was discovered by the security firm Wiz.

Wired (Security)

Fix: Update to Qdrant version 1.16.0 or later, where this vulnerability is fixed.

NVD/CVE Database

Fix: Update to Microsoft.SemanticKernel.Core version 1.70.0. Alternatively, users can create a Function Invocation Filter (a check that runs before function calls) which inspects the arguments passed to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed (checked against an approved list of file paths).

NVD/CVE Database

Fix: This vulnerability is fixed in version 2.10.1.

NVD/CVE Database

Fix: Update Pydantic AI to version 1.56.0 or later, where this vulnerability is fixed.

NVD/CVE Database