All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Google is launching Gmail Live, a new AI-powered voice mode feature that lets users speak questions aloud in Gmail instead of typing them. The feature pulls relevant information from a user's inbox to answer questions, such as details about school events or travel plans.
Google is expanding its AI shopping tools by introducing a 'Universal Cart' that lets users add products from different retailers while browsing Google Search and chatting with Gemini (Google's AI assistant), then checkout directly through Google. The cart will also track prices, notify users about stock availability, suggest discounts, and flag potential problems with selected items.
Google Search is being redesigned to better integrate AI features, including AI Overviews (AI-generated summaries at the top of search results) and AI Mode (a chatbot-like search experience). The new search box, powered by the Gemini 3.5 Flash model, expands for longer queries and includes AI-powered autocomplete to help refine questions.
Google is making it easier for people to detect deepfakes (synthetic media created by AI to look real) by adding detection tools to Chrome and Search. The tools will check for SynthID, which is invisible watermarking technology that marks images made with Google's AI tools, and C2PA content credentials (metadata that shows how content was created or changed), helping users understand whether online content is authentic or manipulated.
Andrej Karpathy, an AI researcher who co-founded OpenAI and later led Tesla's computer vision team, has joined Anthropic as a senior hire. At Anthropic, he will build a team focused on using Claude (the company's LLM, or large language model, a type of AI trained on text) to improve pretraining research, which helps AI models learn their core knowledge and abilities. This hire is part of Anthropic's ongoing competition with OpenAI to attract top talent in the AI field.
A domain allowlist (list of approved websites) in the Apify Model Context Protocol server can be bypassed because it uses simple string prefix matching on the raw URL instead of proper URL validation (parsing the URL and comparing the hostname). An attacker can register a lookalike subdomain such as `https://docs.apify.com.evil.com/`, which begins with the allowed string and so passes the check, allowing the tool to fetch arbitrary content from attacker-controlled servers and return it to the AI. That can lead to prompt injection (tricking the AI by hiding instructions in fetched content) and potential account compromise.
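To make the bypass concrete, here is an added example (not code from the Apify MCP server or from the advisory) that puts a prefix-style check beside a check on the parsed hostname. The allowlist, the probe URLs and the `https`-only requirement are constructed for illustration; the real Apify allowlist is not reproduced.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; the real Apify MCP allowlist is not reproduced here.
ALLOWED_HOSTS = {"apify.com"}
ALLOWED_PREFIXES = tuple(f"https://{h}" for h in ("docs.apify.com", "apify.com"))


def allowed_by_prefix(url: str) -> bool:
    """Vulnerable check: a string-prefix match on the raw URL, the shape of the bug above."""
    return url.startswith(ALLOWED_PREFIXES)


def allowed_by_host(url: str) -> bool:
    """Hardened check: parse the URL and decide on scheme plus exact hostname.

    urlsplit().hostname strips userinfo ("docs.apify.com@evil.com" -> "evil.com"),
    the port and IPv6 brackets, and lowercases the name, so lookalike suffixes
    and credential tricks no longer match.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    # Exact host or a genuine subdomain (label boundary enforced by the leading dot).
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


# Constructed probes: legitimate URL, the advisory's lookalike subdomain, a userinfo trick,
# a downgrade to http, and an allowed host hidden in the query string.
PROBES = {
    "https://docs.apify.com/platform": (True, True),
    "https://docs.apify.com.evil.com/": (True, False),
    "https://docs.apify.com@evil.com/": (True, False),
    "http://docs.apify.com/": (False, False),
    "https://evil.com/?next=https://docs.apify.com": (False, False),
}


def compare(url: str) -> tuple:
    """(prefix verdict, hostname verdict) for one URL."""
    return allowed_by_prefix(url), allowed_by_host(url)


if __name__ == "__main__":
    for url, expected in PROBES.items():
        got = compare(url)
        status = "OK" if got == expected else "MISMATCH"
        print(f"{url:48} prefix={got[0]!s:5} host={got[1]!s:5} {status}")
```

The second and third probes are the ones that matter: both pass the prefix check and both are refused once the decision is made on the hostname the URL parser actually resolves.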
This advisory concerns libcrux-ml-dsa (a cryptographic library implementing ML-DSA signatures), where signature verification produces incorrect results in certain edge cases on AVX2 platforms (x86 processors with the AVX2 SIMD instruction set, used for the library's optimized code path). The advisory text available here covers only how the issue is rated and scored, not the technical details of the bug itself.
Envoy AI Gateway has a vulnerability where it improperly parses JSON-RPC messages (a protocol for remote procedure calls) in a case-insensitive way, even though the specification requires case-sensitive matching. This allows attackers to send messages with duplicate fields using different capitalization (like 'name' and 'Name'), causing the gateway to alter and forward a different request than what was originally sent, potentially bypassing security checks in systems that use this gateway.
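An added illustration, not Envoy AI Gateway code, of why case-insensitive key handling breaks JSON-RPC: a lax parser that folds keys to lowercase, a spec-following parser that rejects duplicate or case-variant keys outright, and a constructed `tools/call` request carrying both `name` and `Name`. The request body, the tool names and the lax parser's lowercase-last-wins behaviour are assumptions chosen to show the disagreement; the real gateway's internals are not reproduced.

```python
import json

# Constructed JSON-RPC 2.0 request with two keys that differ only in case (assumption for illustration).
CONSTRUCTED_REQUEST = (
    '{"jsonrpc": "2.0", "id": 1, "method": "tools/call",'
    ' "params": {"name": "read_public_doc", "Name": "delete_everything", "arguments": {}}}'
)


def _reject_colliding_keys(pairs):
    """object_pairs_hook: refuse exact duplicates and keys that collide once case is ignored.

    JSON-RPC keys are case-sensitive, so a compliant gateway has no business merging
    "name" and "Name"; the only safe move is to reject the message.
    """
    seen = {}
    for key, _ in pairs:
        folded = key.casefold()
        if folded in seen:
            raise ValueError(f"colliding keys {seen[folded]!r} and {key!r}")
        seen[folded] = key
    return dict(pairs)


def strict_parse(raw: str) -> dict:
    """Spec-following parse: case-sensitive keys, collisions rejected at every nesting level."""
    msg = json.loads(raw, object_pairs_hook=_reject_colliding_keys)
    if msg.get("jsonrpc") != "2.0" or not isinstance(msg.get("method"), str):
        raise ValueError("not a JSON-RPC 2.0 request")
    return msg


def strict_rejects(raw: str) -> bool:
    try:
        strict_parse(raw)
    except ValueError:
        return True
    return False


def _fold_keys(obj):
    if isinstance(obj, dict):
        return {k.lower(): _fold_keys(v) for k, v in obj.items()}  # last writer wins
    if isinstance(obj, list):
        return [_fold_keys(x) for x in obj]
    return obj


def lax_parse(raw: str) -> dict:
    """Case-insensitive handling in the spirit of the flaw above (illustration, not Envoy's code)."""
    return _fold_keys(json.loads(raw))


def tool_seen_by_lax_gateway(raw: str = CONSTRUCTED_REQUEST) -> str:
    return lax_parse(raw)["params"]["name"]


def tool_seen_by_backend(raw: str = CONSTRUCTED_REQUEST) -> str:
    """A case-sensitive backend reads "name" exactly and never looks at "Name"."""
    return json.loads(raw)["params"]["name"]


def forwarded_by_lax_gateway(raw: str = CONSTRUCTED_REQUEST) -> str:
    """What a gateway that re-serializes its folded view sends on: the request has been altered."""
    return json.dumps(lax_parse(raw), separators=(",", ":"))


if __name__ == "__main__":
    print("lax gateway sees tool:", tool_seen_by_lax_gateway())
    print("case-sensitive backend sees tool:", tool_seen_by_backend())
    print("lax gateway forwards:", forwarded_by_lax_gateway())
    print("strict parser rejects the message:", strict_rejects(CONSTRUCTED_REQUEST))
```

The lesson is the disagreement itself: any policy evaluated on the folded view is evaluated against a different request than a case-sensitive peer will execute, and re-serializing the folded view silently rewrites the message. Rejecting colliding keys at parse time closes both gaps.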
A security flaw in n8n (a workflow automation tool) allowed authenticated users to bypass restrictions on which websites could receive sensitive credentials, potentially exposing them. The vulnerability was in an endpoint (a URL that accepts requests) that didn't properly check the intended security rules before sending data to external servers.
Elon Musk and Sam Altman, two tech billionaires, have been involved in a lengthy legal dispute over OpenAI (an AI company), with Altman winning the case so far. Musk has indicated he plans to appeal the verdict. The trial raised questions about how major technology companies operate and their involvement in the global competition to develop advanced AI systems.
A vulnerability in n8n's `ExecuteWorkflow` node allowed authenticated users to read arbitrary files from the server by bypassing file access restrictions through the REST API (a web-based interface for controlling the software). An attacker could discover if files exist on the server or potentially load and execute workflow files, affecting connected systems.
Caddy has an authorization bypass vulnerability in its `/config` API where the authorization layer and the traversal layer disagree on which object a path refers to. An admin client restricted to `/config/apps/http/servers/srv/routes/0` can access a different array element by requesting `/config/apps/http/servers/srv/routes/01` because the authorization layer uses string prefix matching while the traversal layer parses array indices numerically, causing the request to actually target `routes[1]` instead of `routes[0]`.
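The two-layer disagreement is easy to reproduce in miniature. The following is an added example, not Caddy's code: a traversal routine that parses list indices numerically, a prefix-match authorizer that lets `/routes/01` through, and a replacement that authorizes on the canonical path the traversal layer actually resolves. The config tree and the `ALLOWED`/`ATTACK` paths are constructed for illustration.

```python
# Constructed config tree shaped like Caddy's /config namespace (illustration only, not Caddy's data).
CONFIG = {
    "apps": {"http": {"servers": {"srv": {"routes": [
        {"handle": [{"handler": "static_response", "body": "route zero"}]},
        {"handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "10.0.0.5:8080"}]}]},
    ]}}}}
}

ALLOWED = "/config/apps/http/servers/srv/routes/0"   # what the restricted admin client may touch
ATTACK = "/config/apps/http/servers/srv/routes/01"   # passes a prefix check, resolves to routes[1]


def _segments(path: str) -> list:
    segs = path.strip("/").split("/")
    if not segs or segs[0] != "config":
        raise ValueError("path must start with /config")
    return segs[1:]


def traverse(tree, path: str):
    """Traversal layer: walks the tree, parsing a segment as an integer whenever the node is a list.

    int("01", 10) == 1, so "routes/01" and "routes/1" name the same element even though
    the strings differ. That lenient parse is the second half of the disagreement.
    """
    node = tree
    for seg in _segments(path):
        node = node[int(seg, 10)] if isinstance(node, list) else node[seg]
    return node


def authorized_by_prefix(allowed: str, requested: str) -> bool:
    """Vulnerable authorization layer: plain string prefix match, the first half of the disagreement."""
    return requested.startswith(allowed)


def canonical_segments(tree, path: str) -> list:
    """Re-derive the path the traversal layer will actually act on, with list indices normalized."""
    node, out = tree, []
    for seg in _segments(path):
        if isinstance(node, list):
            idx = int(seg, 10)
            node, seg = node[idx], str(idx)
        else:
            node = node[seg]
        out.append(seg)
    return out


def authorized_by_canonical(tree, allowed: str, requested: str) -> bool:
    """Hardened: both layers now agree on object identity, so "01" is judged as "1" and denied."""
    want, got = canonical_segments(tree, allowed), canonical_segments(tree, requested)
    return got[: len(want)] == want


if __name__ == "__main__":
    print("prefix authorizer allows attack path:", authorized_by_prefix(ALLOWED, ATTACK))
    print("traversal resolves attack path to:", traverse(CONFIG, ATTACK)["handle"][0]["handler"])
    print("canonical authorizer allows attack path:", authorized_by_canonical(CONFIG, ALLOWED, ATTACK))
```

The fix is not a smarter string check but a shared notion of identity: whatever the traversal layer will treat as the target object is what the authorization layer must judge.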
The `download_media` and `auth_fetch` tools in auth-fetch-mcp accept any URL without validation, allowing an attacker (via prompt injection or a malicious MCP client) to make the server fetch from private or internal services like cloud metadata endpoints or localhost, and then exfiltrate the response data. The `download_media` tool makes this worse by saving fetched content to disk where it can be read and stolen.
An attacker published malicious code in guardrails-ai version 0.10.1 on PyPI (a package repository where developers download Python libraries), but PyPI removed it within 2 hours and found no evidence that user data was stolen through this compromise. This is an example of a supply chain attack, where someone tries to harm users by corrupting a widely-used software package.
An attacker gained unauthorized access to the OpenSearch Project's CI infrastructure (the automated system that builds and releases code) and injected malware into four versions of the `@opensearch-project/opensearch` package released on May 12, 2026. Any computer that installed these compromised versions between 00:00-10:00 UTC on May 12, 2026 should be considered fully compromised.
Anthropic, an AI company founded in 2021, topped CNBC's 2026 Disruptor 50 list due to its rapid growth, enterprise focus, and emphasis on safety through constitutional AI (a method designed to make AI systems align with human values). The company's CEO reports 80x revenue growth in the first quarter, and its Claude Code product has gained trust among businesses for handling complex tasks reliably.
Fix (n8n credential allowlist bypass, above): The issue is fixed in n8n version 2.20.0; upgrade to that version or later. If upgrading is not immediately possible, restrict n8n access to fully trusted users and limit credential sharing to users who genuinely need those credentials. These workarounds do not fully remediate the risk and are short-term mitigations only.
GitHub Advisory Database
Fix (n8n `ExecuteWorkflow` arbitrary file read, above): Upgrade to n8n version 2.19.3 or 2.20.0, or any later release. If upgrading is not immediately possible, temporarily restrict workflow creation and editing permissions to trusted users, and restrict network access to the n8n REST API to trusted users. These workarounds do not fully remediate the risk and are short-term measures only.
GitHub Advisory Database
Fix (auth-fetch-mcp SSRF, above): The advisory gives the shape of the fix rather than a released patch: after parsing the URL, resolve the host to an IP address and reject private, loopback and link-local ranges, the same SSRF-guard pattern other MCP fetchers in the ecosystem ship (e.g., `Akitaroh/scraper-mcp`, `src/security/url-guard.ts`). No patched version, release number or completed code change is given.
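The pattern the advisory points to, written out as an added example (not the auth-fetch-mcp project's code and not the url-guard it cites): parse the URL, resolve the host, and refuse any address in a private, loopback, link-local, multicast, reserved or unspecified range, unwrapping IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1` so they are judged as the IPv4 address they carry. The resolver is pluggable so the example runs offline against a constructed DNS table (`FAKE_DNS`, an assumption); a deployment would pass the `socket.getaddrinfo` wrapper. Two caveats the advisory's one-line shape leaves out: connect to the address you checked rather than resolving again, otherwise a DNS-rebinding attacker answers the check with a public IP and the fetch with an internal one, and run every HTTP redirect target through the same check.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames refused before any lookup (assumption: extend for your environment).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def is_forbidden_ip(ip_text: str) -> bool:
    """True for private, loopback, link-local (covers 169.254.169.254), multicast, reserved or unspecified addresses.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so it is judged as the IPv4 address it carries.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> set:
    """Production resolver: every A/AAAA answer, so a host with one internal address among several is still refused."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS table so the example runs offline (assumption, not real records).
FAKE_DNS = {
    "api.example.test": {"93.184.216.34"},
    "metadata.example.test": {"169.254.169.254"},
    "dual.example.test": {"93.184.216.34", "10.0.0.7"},
}


def fake_resolver(host: str) -> set:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def check_url(url: str, resolver=system_resolver) -> tuple:
    """SSRF guard: returns (allowed, reason, pinned_ips).

    The caller must connect to one of pinned_ips rather than resolving the name again,
    and must send any redirect target back through check_url before following it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", set()
    host = parts.hostname  # lowercased; userinfo, port and IPv6 brackets removed
    if not host:
        return False, "missing host", set()
    if host in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname {host!r}", set()
    try:
        ips = {str(ipaddress.ip_address(host))}  # URL carries a literal address: no lookup
    except ValueError:
        try:
            ips = set(resolver(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}", set()
    if not ips:
        return False, "no addresses returned", set()
    bad = sorted(ip for ip in ips if is_forbidden_ip(ip))
    if bad:
        return False, f"resolves to forbidden address(es) {bad}", set()
    return True, "ok", ips


if __name__ == "__main__":
    for probe in ("https://api.example.test/v1", "http://169.254.169.254/latest/meta-data/",
                  "https://dual.example.test/", "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(probe, "->", check_url(probe, fake_resolver)[:2])
```

Note that `dual.example.test` is refused even though one of its addresses is public: a guard that inspects only the first answer would let a client pick the internal one.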
GitHub Advisory Database
Fix (guardrails-ai 0.10.1 compromise, above): Downgrade to guardrails-ai==0.10.0, which is unaffected, or install the tag directly from GitHub with `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`. If 0.10.1 was installed, treat every credential reachable from that machine as exposed: rotate GitHub PATs, cloud provider keys, package registry tokens and API keys, and audit the GitHub account for unauthorized workflows or repositories. Snowglobe and Guardrails Hub users should rotate API keys before 2:00 PM Pacific on May 13, 2026, when all existing keys will be invalidated.
GitHub Advisory Database
GitHub is replacing cash bounties with swag rewards for low-impact bug reports and asking researchers to stop submitting low-quality reports, because AI tools have flooded the platform with submissions that don't represent real security risks. The company clarified that many rejected reports describe scenarios where users must actively engage with malicious content (like cloning a malicious repository), which means the security boundary lies with the user's decision to trust that content rather than with GitHub's security controls.
Fix: GitHub requires that all AI-generated submissions must be reviewed and validated by a human first, a rule that applies to any tool used to help with bug hunting. The company also publishes a list of submission types that are ineligible for rewards, which it uses to screen out reports without proof of concept and theoretical attack scenarios that don't hold up under scrutiny.
CSO Online
Fix (OpenSearch client package compromise, above): Immediately rotate all secrets and keys (passwords, authentication tokens, API keys) from an alternate, uncompromised system. Remove the affected packages from the compromised machine, bearing in mind that this may not remove malware already installed. Any machine that ran the affected versions during the compromise window should be treated as fully compromised and handled accordingly, which in practice means reimaging rather than cleaning.
GitHub Advisory Database
Garland is a system for recommendation engines that use graph neural networks (GNNs, which are AI models that learn patterns from interconnected user-item relationships) in federated settings, where data stays on users' devices instead of being sent to one central server. The system addresses a key problem: untrusted servers that help expand users' local data can spy on both item information and user relationships, so Garland uses secret-shared shuffle (a cryptographic technique that mixes data while keeping it encrypted) to protect privacy while still catching a malicious server that tries to cheat.
This newsletter covers several AI industry developments, including Elon Musk losing his lawsuit against OpenAI (a company creating large language models, which are AI systems trained on large amounts of text data) because he sued too late under statutes of limitations rather than on the merits of whether OpenAI violated its nonprofit mission. Other stories include Anduril and Meta developing augmented-reality smart glasses (wearable devices that overlay digital information on the physical world) for military use with eye-tracking controls, and Google preparing to showcase its AI capabilities at its I/O developer conference while facing competition from other AI companies.
OpenAI is improving how people can verify where AI-generated images and audio come from by using multiple approaches: adding C2PA conformance (a cross-industry standard using metadata and cryptographic signatures to attach source information to content), partnering with Google to embed invisible watermarks called SynthID into images, and releasing a public tool to verify if images came from OpenAI. These layered approaches help protect provenance information (details about content's origin and creation) even when it's edited, downloaded, or shared across different platforms.
Fix: The source describes OpenAI's provenance measures rather than a fix to a vulnerability. OpenAI has (1) become C2PA Conforming, which gives platforms 'a trusted way to read, preserve, and pass along the provenance information' attached to content; (2) adopted SynthID, which 'embeds an invisible watermarking layer that complements C2PA metadata-based approaches', starting with images from ChatGPT, Codex, or the OpenAI API; and (3) is previewing a public verification tool that lets users check whether an image came from OpenAI. The source states that these approaches are designed to work together: 'C2PA helps content carry detailed context; SynthID helps preserve a signal when metadata does not survive.'
OpenAI Blog