All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Amazon's AI chief stated that the company has fallen behind OpenAI and Anthropic in developing frontier models (the most advanced AI systems) but plans to compete within the coming year by focusing on better data, architecture, and infrastructure. Amazon is pursuing a two-pronged AI strategy: offering Bedrock, a marketplace where cloud customers can access various AI models, and releasing Nova2, its own competitive AI model that has attracted about 50,000 customers. Additionally, Amazon is developing custom semiconductors (Trainium and Graviton chips) to optimize performance for its AI models, similar to Nvidia's approach.
Dario Amodei (CEO of Anthropic) and Demis Hassabis (from Google DeepMind) met with U.S. and G7 leaders to propose a U.S.-led international coalition for creating rules and standards around AI, citing concerns about powerful AI models with cyber capabilities that could cause major harm if misused. The proposal came after the U.S. government imposed export controls on Anthropic's newest models due to national security concerns, with Amodei suggesting cooperation on controlled access to frontier models (the most advanced AI systems), chip trade restrictions excluding China, and coordinated efforts against AI risks in cybersecurity and bioterrorism.
A Pew Research poll shows that 49 percent of Americans use chatbots occasionally, but 63 percent believe AI is advancing too quickly. Chatbot usage has grown significantly since 2024, with ChatGPT usage doubling since 2023, yet only 16 percent of respondents think AI will have a positive impact on society.
This is a BBC article featuring advice from leaders at Google, Nvidia, and Anthropic about artificial intelligence for students. The content appears to be primarily editorial commentary rather than technical analysis of an AI security issue or vulnerability.
Open WebUI has a security flaw where authenticated users can access other users' files through the `/api/chat/completions` endpoint. When a user sends an image request with a file ID (instead of a web link) in the `image_url` field, the server reads that file from disk without checking if the user owns it, then converts it to a format the AI can process. An attacker can exploit this by using another user's file ID to make the AI read and describe private files, leaking their content.
vLLM's audio transcription endpoint checks the size of compressed audio files but not the decoded output, allowing a decompression bomb attack. A 25MB OPUS file can expand to about 14.9GB of PCM audio (raw, uncompressed audio data) in memory, letting an attacker crash the server by exhausting RAM with just a few requests.
vLLM's fix for an earlier vulnerability (CVE-2026-22778) was incomplete, leaving five code paths in the Anthropic router and speech-to-text API that still leak memory addresses. When users send malformed image data, the PIL library raises an error message containing a BytesIO object's memory address (like `<_io.BytesIO object at 0x7a95e299e750>`), and these five locations pass the error directly to clients without removing the address, defeating ASLR (address space layout randomization, a security feature that randomizes where code lives in memory).
vLLM's GGUF dequantize kernels (specialized functions for decompressing quantized neural network weights) use a 32-bit integer parameter to specify tensor size, which truncates when processing very large tensors. This causes the output tensor to be only partially filled by the processing kernel, leaving the remaining memory uninitialized. In multi-tenant deployments (where multiple users share GPU hardware), this unfilled memory may retain sensitive data from other users' previous requests, leaking their information.
vLLM, an AI framework for running large language models, has three image processing bugs that cause mismatches between what the model sees and what users expect. First, EXIF orientation data (metadata that tells how an image should be rotated) is ignored, so rotated images are processed in the wrong orientation. Second, PNG images with transparency information (the tRNS chunk, which marks certain pixels as see-through) aren't properly flattened to solid colors before processing, causing transparent pixels to become visible or distorted. Third, animated PNG and GIF files only process their first frame. These issues could alter how the model interprets image content.
vLLM has a validation bypass where temperature values set to NaN (not-a-number) or positive Infinity pass all safety checks because comparison operators silently return False for these special float values in Python. These invalid values then reach GPU sampling kernels, causing crashes that take down the inference worker and affect all users running models on it.
n8n had a security flaw where three endpoints that change data in workflow test runs used the wrong permission scope (workflow:read instead of workflow:execute), allowing users with read-only access to start, cancel, and delete test runs they shouldn't be able to modify. This only affected enterprise versions with Advanced Permissions enabled.
Google is releasing its first new smart speaker in six years, called the Google Home Speaker, which begins shipping on June 25th with preorders starting June 17th. The speaker features a round design with touch controls and a light ring indicator, and comes in four color options, with two colors available only in the US.
1Password has acquired Apono, an Israeli company specializing in just-in-time access governance (a system that grants temporary, narrowly scoped permissions that are automatically removed after a task completes), for an estimated $250 million to $300 million. Apono's technology allows organizations to manage access for humans, machines, and AI agents by evaluating each permission request against policy before granting it, and for AI agents specifically, it monitors behavioral drift (unexpected changes in how the AI is acting) to detect misuse. This acquisition helps 1Password extend its identity security platform to provide more comprehensive access control across enterprise tools and cloud services.
Google's Vertex AI SDK for Python had a design flaw that could allow attackers to hijack and poison AI models through bucket squatting (creating cloud storage buckets with names matching those expected by other projects). An attacker who knew a victim's project ID and region could create a bucket with the same name, trick the SDK into uploading models there, replace the model with malicious code, and achieve RCE (remote code execution, where an attacker runs commands on a system they don't control) when the poisoned model was loaded using Python's pickle deserialization (a process that can execute hidden code in specially formatted data).
This article discusses a dispute between the White House and Anthropic (an AI company) over a project called Fable, framed within the context of political factionalism similar to Trump's first presidency. The piece suggests internal government disagreements about AI policy are shaping decisions in frontier AI development (cutting-edge AI research).
Estonia's AI Council is proposing to create government-issued digital identities for AI agents (software programs that perform online tasks on behalf of users), which would specify what actions each agent is allowed to perform, such as viewing data, editing documents, or making payments up to a limit. This approach aims to establish clear accountability by showing who is acting, on whose behalf, and with what permissions, addressing the risk that AI agents might exceed their intended authority or be misused by others.
Fix: A fix for this vulnerability was merged in pull request #44970 on the vLLM GitHub repository: https://github.com/vllm-project/vllm/pull/44970
Source: GitHub Advisory Database
Fix: Change the `int k` parameter to `int64_t k` in the `to_cuda_ggml_t` function pointer type declaration at `ggml-common.h:1067`. The source text states: "This is a single root cause -- the `int` type on the `k` parameter in `to_cuda_ggml_t` -- with a single fix: change `int k` to `int64_t k`. All dequantize functions inherit this type through the same typedef."
Source: Hugging Face Security Advisories
Fix: A fix was merged in vLLM pull request #44974 (https://github.com/vllm-project/vllm/pull/44974). The source text does not provide specific details about what changes were made in that fix.
Source: GitHub Advisory Database
Fix: Add a `math.isfinite(self.temperature)` check in `_verify_args()` to reject non-finite float values with a 400 error. The fix was merged in https://github.com/vllm-project/vllm/pull/45116.
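The NaN/Infinity validation bypass described in the vLLM temperature item above and the `math.isfinite` fix noted here, as an added Python example that is not vLLM's own code: it assumes a simplified validator pair (`verify_temperature_vulnerable` / `verify_temperature_fixed`) standing in for `_verify_args()`, and also shows how `json.loads` admits the non-standard `NaN` / `Infinity` tokens into a request body in the first place.

```python
import json
import math
# Added example (not vLLM's own code): a temperature validator of the kind the
# advisory describes, before and after the fix, plus the JSON path by which
# NaN and Infinity reach such a validator.

class ValidationError(ValueError):
    pass

def verify_temperature_vulnerable(temperature: float) -> float:
    # Range check only. NaN compares False against everything, so it passes;
    # +inf is never < 0, so it passes too. Only -inf is caught here.
    if temperature < 0.0:
        raise ValidationError("temperature must be non-negative")
    return temperature

def verify_temperature_fixed(temperature: float) -> float:
    # Reject non-finite values first, as the merged fix does in _verify_args().
    if not math.isfinite(temperature):
        raise ValidationError("temperature must be a finite number")
    if temperature < 0.0:
        raise ValidationError("temperature must be non-negative")
    return temperature

def classify(validator, value: float) -> str:
    try:
        validator(value)
        return "accepted"
    except ValidationError:
        return "rejected"

# Constructed inputs: the three special floats plus an ordinary value.
SAMPLE_VALUES = {"normal": 0.7, "nan": float("nan"), "inf": float("inf"), "-inf": float("-inf")}

def compare() -> dict:
    # Map each sample name to (vulnerable verdict, fixed verdict).
    return {name: (classify(verify_temperature_vulnerable, v), classify(verify_temperature_fixed, v))
            for name, v in SAMPLE_VALUES.items()}

def _reject_constant(token: str):
    # json.loads accepts NaN, Infinity and -Infinity by default; parse_constant
    # lets the server refuse these non-standard tokens at the API boundary.
    raise ValidationError(f"non-standard JSON constant {token!r}")

def request_is_rejected(body: str) -> bool:
    # True if a JSON request body is refused by strict parsing or validation.
    try:
        params = json.loads(body, parse_constant=_reject_constant)
        verify_temperature_fixed(float(params["temperature"]))
        return False
    except ValidationError:
        return True
```

Rejecting the tokens at parse time is a second, independent line of defence; the `isfinite` check still matters because a float can also arrive via other routes (form fields, config, arithmetic).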
Source: GitHub Advisory Database
Fix: Upgrade to n8n version 1.123.55, 2.25.7, or 2.26.2 or later. If upgrading immediately is not possible, temporary workarounds are to restrict project membership to fully trusted users only, or to avoid granting viewer access to projects containing sensitive workflows; neither fully remediates the risk.
Source: GitHub Advisory Database
Anthropic, an AI company that has publicly advocated for government regulation of AI safety, received an export control directive from the Trump administration ordering it to suspend access to its latest Claude models (Fable 5 and Mythos 5) for foreign nationals, citing national security concerns. The directive was reportedly prompted by concerns that Amazon researchers had used prompts to get Fable 5 to generate information that could help with cyberattacks. Anthropic disagreed with the suspension, calling it a 'misunderstanding' and characterizing it as not adhering to transparent, fair processes.
Tenet Security is a new startup that detects and stops dangerous behavior from AI agents (autonomous software systems that can make decisions and take actions on their own) in real time. The company uses a patent-pending technology with a lightweight runtime sensor that monitors operating system behavior, network calls, and the agent's reasoning, then predicts and blocks harmful actions before they happen. Tenet addresses a growing security gap where traditional tools cannot detect when malicious actors manipulate AI agents (a threat called 'agentjacking') or when agents malfunction on their own.
Fix: Google modified the affected workflow so that staging buckets are now validated before use, preventing attackers from registering bucket names that could be mistaken for resources belonging to other projects. The fixes were deployed in SDK versions 1.144.0 and 1.148.0, and users must upgrade to either of the patched versions.
Source: CSO Online
AI systems are now widely used in business for tasks like writing, coding, and automating workflows, but existing safety review processes weren't designed for this real-world deployment. An AI system can pass tests in controlled environments yet still fail or behave unpredictably when used in actual production (real work scenarios with actual data and users).
The US government disclosed 3,611 active or planned uses of AI across federal agencies, a 70% increase from the previous administration, including controversial applications like using AI to assess prisoner misconduct risk before violations occur and monitoring veterans' crisis calls to predict suicide risk. While some AI uses in government could theoretically be implemented responsibly, the disclosure provides minimal details about how these systems actually work, and public consultation is largely absent, making it difficult for citizens to understand or scrutinize these programs.