All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A vulnerability in n8n (a workflow automation tool) allows authenticated users to perform prototype pollution (a type of attack that modifies the base object all objects inherit from) through the Microsoft SQL node by providing a specially crafted table parameter. This attack can completely break the n8n instance by causing validation failures across the entire application until the server is restarted.
Fix: The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. If upgrading immediately is not possible, administrators can temporarily: (1) restrict workflow creation and editing permissions to trusted users only, or (2) disable the Microsoft SQL node by adding `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory Database
Databricks is experiencing rapid revenue growth of over 80% as businesses use its data analytics tools, but profit margins are shrinking because AI agents (software programs that can perform tasks autonomously) are generating many more queries and consuming more resources. The company is addressing cost concerns by offering tools like Unity AI Gateway that help customers monitor their spending on AI tokens (units of text that language models process), allowing them to use expensive advanced models for important tasks while switching to cheaper open-source models for routine work.
Security experts have publicly objected to US export restrictions placed on Anthropic's Claude Fable 5 and Mythos 5 AI models, calling for the government to lift these bans. The criticism comes from an open letter signed by dozens of security professionals who believe these restrictions should be reversed.
Caddy's `stripHTML` template function (a tool that removes HTML tags from text) has a flaw where specially crafted malformed HTML like `<<>img src=x onerror=alert()>` can bypass the tag-removal logic and remain in the output. If this output is then displayed as HTML in a web page, it could allow XSS (cross-site scripting, where an attacker injects malicious code that runs in a user's browser).
Caddy web server has a security flaw in how it handles headers when using `forward_auth copy_headers` (a feature that copies trusted identity headers from an authentication service) combined with `php_fastcgi` (a module that forwards requests to PHP). An attacker can send a header with underscores (like `Remote_Groups`) instead of hyphens (like `Remote-Groups`), and Caddy will delete only the hyphenated version. Later, when FastCGI converts headers to CGI variables (environment variables used by backend applications), it replaces all hyphens with underscores, causing the attacker's underscore header to become identical to the trusted header. This allows an attacker to inject fake identity or group information into PHP applications.
On Windows, Caddy has a security vulnerability where attackers can bypass path-based authorization rules by using encoded backslashes (URL-encoded as %5c) in requests. The issue occurs because Caddy's path matcher doesn't treat backslashes as path separators when checking authorization rules, but the file server does when accessing files on disk, allowing an attacker to request `/private%5csecret.txt` and bypass protections meant to block `/private/*` access.
Crawl4AI's Docker API server had two security flaws that let attackers steal secrets. First, attackers could change where the server sent LLM (large language model) requests by controlling a `base_url` parameter, causing the server to send its API keys to an attacker's server. Second, attackers could read any environment variable (including passwords and secret keys) from the server by using the `env:` syntax in configuration, then combine this with the first flaw to steal those secrets. Since the Docker API required no authentication by default, anyone could exploit these flaws.
Crawl4AI's Docker API had a security flaw in its SSRF protection (a filter meant to block requests to internal servers). An attacker could bypass this filter by encoding internal IP addresses using IPv6 transition forms like NAT64, 6to4, or IPv4-mapped addresses, potentially accessing internal services and cloud metadata endpoints without needing credentials.
Crawl4AI, a Docker API server for web crawling, had seven critical security vulnerabilities including arbitrary file writes, SSRF (server-side request forgery, where attackers trick the server into making requests to internal networks), authentication bypass on monitoring endpoints, stored XSS (cross-site scripting, where malicious code executes in users' browsers), arbitrary JavaScript execution, a hardcoded JWT secret key, and SSRF via direct crawl endpoints. The vulnerabilities ranged from CVSS scores of 6.1 to 9.8, with fixes applied through input validation, blocklists for dangerous IP ranges, authentication requirements, HTML escaping, and environment variable controls.
stable-diffusion.cpp, a C/C++ library for running AI image generation models, has a heap buffer overflow vulnerability (a memory corruption bug where data writes beyond allocated memory) in how it parses PyTorch checkpoint files (.ckpt files). A malicious checkpoint file could crash the application or potentially execute harmful code if loaded by an application using vulnerable versions before master-584-0a7ae07.
stable-diffusion.cpp is a C/C++ library for running image generation models, but versions before master-584-0a7ae07 have an out-of-bounds read vulnerability (a bug where the program accesses memory beyond its allocated space) when parsing .ckpt checkpoint files (model weight files saved in a specific format). A specially crafted or incomplete .ckpt file could crash the program or cause security issues if loaded from an untrusted source like a public model-sharing website.
A flaw in Google's Vertex AI SDK for Python allowed attackers to hijack machine learning model uploads through bucket squatting (creating a Cloud Storage bucket with a name the victim's SDK would predictably generate). Attackers could replace the uploaded model with malicious code that executes when the model loads, potentially stealing credentials and accessing other data in Google's infrastructure. The attack required only the victim's public project ID and no access to their account.
n8n, a workflow automation tool, has a SQL injection vulnerability (a flaw that lets attackers insert malicious database commands) in its Postgres v1 and TimescaleDB nodes. An authenticated user with permission to create or edit workflows could exploit this to run arbitrary SQL commands against connected databases with the privileges of the configured database account.
A security flaw in n8n (a workflow automation tool) allowed authenticated users to bypass file access restrictions by using the Git node's Clone and Push operations with local filesystem paths, potentially letting them read files they shouldn't have access to. The vulnerability has been patched in specific versions of n8n.
An authenticated user with permission to create or modify workflows in n8n could escape the Python sandbox (a restricted environment meant to safely run untrusted code) and execute arbitrary code on the task runner container. This vulnerability only affects instances where the Python Task Runner feature is enabled.
vLLM has an authentication bypass vulnerability in its OpenAI API protection. An attacker can craft a request with a specially crafted Host header (containing special characters like `/` or `?`) to trick the authentication check into looking at the wrong URL path, allowing them to use the API without providing the required `VLLM_API_KEY`. This only affects vLLM instances exposed directly to attackers; those behind a proper web server like nginx are protected.
Anthropic shut down access to its Fable 5 and Mythos 5 AI models to comply with U.S. export control directives citing national security concerns, forcing all customers to lose access immediately. This incident highlighted a key risk for companies relying on closed-source AI models (proprietary systems run by companies rather than made publicly available), driving increased interest in open-source alternatives (AI models whose code is publicly available and can be downloaded and run on a company's own servers) that companies can control themselves.
Fix: Unity AI Gateway can notify people as they get close to using up their AI budgets. Companies are shifting from "tokenmaxxing" (using as many tokens as possible) to "value-maxxing" (optimizing efficiency), using frontier models for critical tasks and simple open-source models for mundane tasks.
CNBC Technology
Fix: The source suggests two potential fixes: "Normalize Windows path separators consistently before `MatchPath` evaluates request paths, or reject request paths containing `\` before `file_server` resolves."
GitHub Advisory Database
Fix: Upgrade to the patched version. The fix prevents request-supplied `base_url` values from being used (the server now only derives the endpoint from its configured provider name), and blocks `env:` resolution of environment variables whose names contain SECRET, PASSWORD, or PRIVATE, match prefixes like CRAWL4AI* and AWS_SECRET*, or are specific names like SECRET_KEY, REDIS_PASSWORD, and TOKEN. As workarounds, enable authentication with `CRAWL4AI_API_TOKEN` or avoid storing sensitive secrets in the server environment alongside provider keys.
GitHub Advisory Database
Fix: The blocklist is replaced by a single rule: reject any resolved IP where `not ip.is_global`, evaluated on the address AND every embedded IPv4 transition form (v4-mapped, NAT64 `64:ff9b::/96`, 6to4 `2002::/16`, v4-compat `::/96`). Error messages are now opaque and no longer echo the resolved IP. Alternatively, upgrade to the patched version, enable authentication via `CRAWL4AI_API_TOKEN`, or restrict the container's outbound network access through firewall rules.
GitHub Advisory Database
This is a subscriber-only eBook collection from MIT Technology Review featuring six stories about how military organizations are using AI models to help make decisions. The stories were originally published between April 2025 and April 2026 and have been updated to reflect recent developments in military AI applications.
Fix: Upgrade to the patched version (recommended). Additionally, set `CRAWL4AI_API_TOKEN` to enable authentication, set a strong `SECRET_KEY` with minimum 32 characters if using JWT, and restrict network access to the Docker API. The fixes include: `validate_output_path()` restricting writes to `CRAWL4AI_OUTPUT_DIR`, `validate_webhook_url()` blocklisting RFC 1918/loopback/cloud metadata IPs, adding `dependencies=[Depends(token_dep)]` to the monitor router, server-side `html.escape()` and client-side `escapeHtml()` for XSS protection, disabling `/execute_js` by default via `CRAWL4AI_EXECUTE_JS_ENABLED` env var, removing the default JWT secret and auto-generating an ephemeral key, and normalizing IPv6-mapped IPv4 addresses before blocklist checking on all crawl/md/llm endpoints.
GitHub Advisory Database
Cybersecurity researchers discovered a prompt (a text input) that bypasses ChatGPT's safety guardrails (built-in restrictions designed to prevent harmful outputs) and causes the AI to generate disturbing images. The episode explores what this vulnerability reveals about how AI systems are trained and how bad actors could potentially exploit these weaknesses.
Fix: Update to version master-584-0a7ae07 or later. As a temporary workaround if immediate updates are not possible, avoid loading .ckpt files from untrusted sources and use trusted model sources or safer formats such as .safetensors instead.
NVD/CVE Database
Fix: Update to version master-584-0a7ae07 or later. If immediate updating is not possible, avoid loading .ckpt files from untrusted sources and use safer formats such as .safetensors instead.
NVD/CVE Database
Fix: Update the google-cloud-aiplatform SDK to version 1.148.0 or later, which adds bucket ownership verification to block bucket squatting. Additionally, explicitly set the staging_bucket parameter to a Cloud Storage location you control when uploading models, and check the SDK version wherever it runs (notebooks, CI/CD jobs, training pipelines, and production services).
The Hacker News
Fix: The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. As temporary workarounds, administrators can limit workflow creation and editing permissions to fully trusted users only, or disable the Postgres and TimescaleDB nodes by adding `n8n-nodes-base.postgres` and `n8n-nodes-base.timescaleDb` to the `NODES_EXCLUDE` environment variable. However, the source notes that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory Database
Anthropic took its advanced Claude Fable 5 and Mythos 5 AI models offline after the U.S. government restricted them, citing concerns that these models can find and exploit software vulnerabilities (weaknesses in code that attackers can use). However, experts warn that restricting one company's models is ineffective because other AI companies and open-source developers will likely develop similar dangerous capabilities within months, and existing AI systems can already be used for vulnerability research with refined prompting (techniques to get better answers from AI).
Fix: Upgrade to n8n version 1.123.48, 2.21.8, or 2.22.4 or later. If immediate upgrading is not possible, administrators can temporarily: (1) restrict workflow creation and editing permissions to fully trusted users only, or (2) disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 1.123.48, 2.21.8, and 2.22.4. Users should upgrade to one of these versions or later. As temporary workarounds while upgrading: limit workflow creation and editing permissions to fully trusted users only, or disable the Python Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory Database