All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
OpenAI is launching a new personal finance feature in ChatGPT that lets Pro users in the U.S. securely connect their bank accounts and ask the AI questions about their spending and financial goals. The feature uses improved AI reasoning (GPT-4.5) to analyze your real financial data alongside your goals, helping you spot spending patterns and plan major decisions, though it is not a replacement for professional financial advice.
Article 50 of the EU AI Act requires organizations to inform users when they interact with AI systems or encounter AI-generated content, with a deadline of August 2026. These transparency obligations apply broadly to any AI system used in four situations: direct interaction with people, synthetic content generation, emotion recognition or biometric categorization, and deepfake or AI-generated text on public matters. Providers must design systems to disclose AI involvement and mark outputs in machine-readable formats, while deployers must inform individuals affected by emotion recognition systems and disclose artificially generated or manipulated content.
Elon Musk is suing OpenAI and its leader Sam Altman, with closing arguments recently heard in federal court in Oakland, California. A nine-person jury will decide whether OpenAI improperly took money or benefits from Musk and enriched itself unfairly. The case has revealed private communications between the two tech leaders and details about OpenAI's internal history.
Hackers from the TeamPCP group stole source code from Mistral AI (a French company that builds large language models, or LLMs) through a supply-chain attack (where attackers compromise software used by many projects) and are now demanding $25,000 to sell it rather than leak it publicly. Mistral confirmed the breach affected some of their SDK (software development kit, tools developers use to build with their platform) packages, but stated that core code, user data, and research systems were not compromised.
Gemini, a crypto exchange founded by the Winklevoss brothers, received a $100 million investment from the founders' venture capital fund, causing its stock price to surge. The company reported better-than-expected financial results for the first quarter, with a smaller loss and higher revenue than analysts predicted, though it has faced challenges since its public debut in September including executive departures and a class-action lawsuit.
N/A -- This article covers closing arguments in a legal trial between Elon Musk and OpenAI's leadership, focusing on the quality of the lawyers' presentations rather than an AI/LLM technical issue, security vulnerability, or system problem.
libyang is a library for working with YANG (a data modeling language used in network configuration). Before version 5.2.15, the lyb_read_string() function had an integer overflow vulnerability (where a number calculation wraps around and causes unexpected behavior), which could lead to a heap buffer overflow (writing data past the end of allocated memory) when processing malicious LYB binary data. An attacker who can send LYB data to systems using libyang could crash the program or corrupt memory.
This article describes a courtroom moment in a lawsuit between Elon Musk and Sam Altman where OpenAI employees presented a trophy to researcher Josh Achiam inscribed with 'Never stop being a jackass,' commemorating an incident when Musk allegedly called Achiam a jackass after Achiam questioned whether racing ahead of Google on AI development was a good idea.
A vulnerability in the python-utcp library exposed all environment variables (including secrets like API keys and database passwords) to subprocesses because the `_prepare_environment()` function copied the entire host environment. When combined with a command injection flaw (CWE-78, where an attacker can sneak malicious commands into tool arguments), an attacker could steal sensitive credentials like AWS keys, database connection strings, and LLM API keys in a single tool call.
The @utcp/http package has a Server-Side Request Forgery vulnerability (SSRF, a bug that tricks a server into making requests to internal networks it shouldn't access) because it doesn't properly check URLs when converting OpenAPI specifications (a standard format for describing APIs). An attacker can host a malicious OpenAPI spec that declares internal server addresses like 127.0.0.1 or cloud metadata endpoints, allowing them to read sensitive credentials or reach internal services. The vulnerability affects versions 1.1.1 and earlier.
Sea Limited is rolling out Codex, an AI tool for software development, across its engineering teams, with 87% of users actively using it weekly. Unlike simple autocomplete features, Codex provides deep understanding of large codebases (complex collections of code), helping developers navigate dependencies and legacy code while shifting their focus to higher-level design tasks. The company is moving toward agentic workflows (AI systems that can autonomously plan and execute tasks), where AI agents operate within CI/CD pipelines (automated systems that test and deploy code) to reason through requirements, generate tests, and reduce technical debt.
DeepSeek TUI has a security flaw where the `task_create` tool (which spawns sub-agents that perform work independently) defaults to allowing shell access (`allow_shell=true`) and auto-approving commands (`auto_approve=true`) without explicit user permission. An attacker can hide malicious instructions in project files, and when a user approves what looks like a simple task (like 'fix TODOs'), the spawned sub-agent silently executes the attacker's shell commands with no additional approval prompt.
DeepSeek TUI's `run_tests` tool runs without user approval (it has `ApprovalRequirement::Auto`), which allows arbitrary code execution through test files and build scripts in a repository. An attacker can create a malicious repository with hidden commands in test code and an `AGENTS.md` file (prompt injection, where hidden instructions are placed in input meant for an AI) that tricks the AI model into running tests automatically on startup, executing the attacker's code with zero user confirmation.
DeepSeek's TUI has a security flaw in its `fetch_url` tool where it blocks direct requests to restricted IP addresses (like cloud metadata endpoints and private networks) but fails to re-check redirect targets. An attacker can bypass this SSRF protection (server-side request forgery, where an AI is tricked into accessing internal systems) by providing a public URL that redirects to a restricted IP, allowing potential theft of cloud credentials and sensitive data on cloud-hosted instances.
Open WebUI has a race condition (TOCTOU, or time-of-check-time-of-use, where a system checks a condition and then uses that information, but the condition can change in between) in its LDAP and OAuth login flows that allows multiple users to become administrators on a fresh installation. When the first user logs in via LDAP or OAuth, the system checks if the database is empty and assigns the admin role before creating the user account, but multiple concurrent login requests can all see an empty database and all become admins. The regular signup method was already fixed with a safer approach, but LDAP and OAuth were never updated with the same fix.
Any authenticated user can permanently delete files owned by other users in Open WebUI when those files are referenced in shared chats, because the authorization check (the code that verifies whether a user should be allowed to perform an action) ignores both the user's identity and the type of operation being requested. File IDs can be discovered by users with read access to knowledge bases (repositories of documents), making this vulnerability practical to exploit.
Open WebUI had an unauthenticated endpoint at GET `/api/v1/memories/ef` that triggered embedding generation (the process of converting text into numerical vectors for AI understanding), allowing anyone to make requests without logging in. An attacker could repeatedly call this endpoint to waste computing resources, rack up charges if a paid embedding service like OpenAI was configured, or degrade the service for legitimate users.
Open WebUI has a security flaw where authenticated users can access and modify other users' private files by exploiting two endpoints that don't properly check file ownership. In the first case, attackers can inject victim file IDs into their own folders to make the AI read private documents as context. In the second case, attackers can attach victim files to their own knowledge bases (collections of documents used for RAG, retrieval-augmented generation) to read and overwrite those files entirely.
Open WebUI has a vulnerability where the `_validate_collection_access()` function (a security check) only blocks access to collections with specific name prefixes, but knowledge bases use raw UUIDs (unique identifiers) as collection names, so the check skips them entirely. Any logged-in user who knows a private knowledge base's UUID can read its contents or inject fake data into it through the retrieval API endpoints, even though the knowledge API itself correctly blocks that access.
Fix: The EU Commission has published draft Guidelines on the scope and application of Article 50, and a Code of Practice on AI-generated content is being developed to provide practical solutions on marking and labelling. Additionally, a standardized EU label is being developed for marking AI-generated outputs in machine-readable format to make them detectable as artificially generated or manipulated.
Source: EU AI Act Updates
Researchers using an AI model discovered a critical 18-year-old flaw in Nginx (a web server that powers about one-third of all websites) called a heap buffer overflow (a type of memory corruption bug where data overwrites adjacent memory). The vulnerability, tracked as CVE-2026-42945 with a 9.2 severity score, can crash servers or potentially allow attackers to run malicious code, especially on systems with ASLR (Address Space Layout Randomization, a security feature that randomizes memory locations) disabled.
Fix: Upgrade to patched versions: Nginx 1.31.0 or 1.30.1 for the open-source version, or Nginx Plus versions R36 P4, R32 P6, or 37.0.0 for the commercial product. The source notes that users should 'upgrade to a patched version as soon as possible' since exploit code has been published publicly and past Nginx vulnerabilities have been actively exploited by attackers.
Source: CSO Online
Fix: OpenAI (which was also affected by the same supply-chain attack) responded by rotating code-signing certificates (digital keys that verify software authenticity) and warned macOS users that they must update their OpenAI desktop apps before June 12, or the software may fail to launch and stop receiving updates.
Source: BleepingComputer
Fix: This vulnerability is fixed in SO 5.2.15. Update libyang to version 5.2.15 or later.
Source: NVD/CVE Database
Fix: Upgrade to utcp-cli version 1.1.2 or later. The patch changes `_prepare_environment()` to use a controlled allowlist of environment variables instead of copying everything. Users can configure which variables are inherited via a new `CliCallTemplate.inherit_env_vars` field: set it to `null` (default, uses a safe OS-specific allowlist like PATH and HOME), `[]` (strict mode, nothing inherited), or specify exact variable names like `["FOO", "BAR"]`. Sensitive variables like `OPENAI_API_KEY` no longer reach subprocesses unless explicitly allowed.
Source: GitHub Advisory Database
Fix: Upgrade to @utcp/http version 1.1.2 or later. The fix adds a new security helper that validates URLs in three places: during manual discovery registration, before tool invocation, and when converting OpenAPI specs. It also fixes a prefix-bypass bug by using proper hostname-based validation instead of simple text matching. If you cannot upgrade immediately, the source lists these workarounds: do not call registerManual() with URLs controlled by untrusted parties, and restrict outbound network access from the agent host so internal addresses (RFC1918 ranges, 169.254.0.0/16, and loopback addresses) cannot be reached.
Source: GitHub Advisory Database
Fix: The source text provides explicit mitigations: (1) Change `config.rs:1499` to default `allow_shell` to `false` instead of `true` by replacing `self.allow_shell.unwrap_or(true)` with `self.allow_shell.unwrap_or(false)`. (2) Change `task_manager.rs:297` to default `auto_approve` to `None` instead of `Some(true)`, so it does not inherit the session setting. (3) When the model requests `task_create` with `allow_shell=true`, display that fact in the approval prompt so the user knows they are granting shell access.
Source: GitHub Advisory Database
Fix: Change `run_tests` to require approval by modifying the approval requirement function: `fn approval_requirement(&self) -> ApprovalRequirement { ApprovalRequirement::Required }`. This matches the approval gate used by `exec_shell` (a tool for running shell commands), so users will see a prompt before tests run, though they can still approve it quickly.
Source: GitHub Advisory Database
Fix: Fixed in v0.9.0 (April 2026). The LDAP and OAuth code paths were updated to use the same insert-first-check-after pattern as the signup handler: insert the new user with DEFAULT_USER_ROLE first without checking user count, then after the insert commits, atomically check if `Users.get_num_users() == 1`. Only if this user is the sole user in the database are they promoted to admin via `Users.update_user_role_by_id`. This ensures that if two concurrent first-user registrations both insert users, only one will see the count as 1 and receive admin promotion.
Source: GitHub Advisory Database
Fix: Gate the shared-chat branch on `access_type` so it only authorizes read operations:
    if access_type == "read":
        chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
        if chats:
            return True
This ensures that only read requests pass the authorization check when a file is in a shared chat, while delete and write requests are blocked.
Source: GitHub Advisory Database
Fix: Fixed in commit e5035ea31, first released in v0.8.0 (Feb 2026). The `/api/v1/memories/ef` route was removed entirely because it was a debug-style endpoint with no legitimate use. Users should upgrade to version 0.8.0 or later.
Source: GitHub Advisory Database