All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Langflow's Shareable Playground feature allows unauthenticated users to execute public workflows through a special endpoint. This endpoint accepts a list of files that can be read from either the local system or S3 storage (cloud file storage), potentially exposing sensitive files if the workflow is configured to read them. An attacker could craft a request specifying arbitrary file paths to extract data without authentication.
Langflow's Shareable Playground feature contains a critical RCE (remote code execution, where an attacker can run commands on a system they don't own) vulnerability that allows unauthenticated users to execute arbitrary Python code. By sharing a flow and then modifying the code field in the API request to the `/api/v1/build_public_tmp` endpoint, an attacker can run malicious commands on the server.
Langflow has a path traversal vulnerability (a security flaw where an attacker can access files outside intended directories) in its Knowledge Bases API that allows authenticated attackers to create files and directories anywhere on the server by supplying malicious names like '../victim_user/evil_kb' or '/tmp/pwned' to the creation endpoint, potentially compromising data across users and corrupting knowledge bases.
vLLM has a security vulnerability where an `assert` statement (a line of code that checks a condition) used to restrict which activation functions can be loaded is stripped out when Python runs in optimized mode (`python -O`), allowing attackers to publish malicious models on Hugging Face that execute arbitrary code when loaded.
Langflow's monitor API has 7 endpoints that lack ownership checks, allowing any authenticated user to read, modify, or delete another user's data like messages, sessions, and LLM logs through IDOR/BOLA (insecure direct object references/broken object-level authorization, where an attacker can access resources by guessing or knowing their IDs). The source code shows that the correct ownership-checking pattern exists in one endpoint but was not applied consistently across the other vulnerable endpoints.
France's intelligence service is switching from Palantir, a US company's AI data analysis tool, to a domestic provider called ChapsVision to reduce dependence on foreign technology. The French government argues that relying on tools controlled by other countries poses a strategic risk, and that France should develop and use its own AI systems instead.
LangChain has a path traversal vulnerability (a security flaw where attackers can access files outside an intended directory) in its file-search and configuration-loading components. These components don't properly validate that resolved file paths stay within their intended root directory, allowing attackers to use glob patterns (wildcards like *.txt), symlinks (shortcuts to files), or specially crafted path strings to access files they shouldn't. If an untrusted source, including an LLM, influences the paths or search patterns, attackers could read files outside the intended boundary.
SpaceX announced a $60 billion agreement to acquire Cursor, an AI startup that built a popular coding tool helping developers generate and review code. The deal comes after Cursor experienced rapid growth since 2022, though its market share has recently declined from 41% to 26% as competitors like Anthropic have gained ground, and SpaceX expects the merger to close in the third quarter pending regulatory approval.
NLTK's `nltk.data.load()` function has a path traversal vulnerability (CWE-22, an attack that lets someone read files outside intended directories) because it checks for dangerous patterns before decoding URL-encoded characters like `%2f` (`/`) and `%2e` (`.`). An attacker can bypass protections by URL-encoding traversal sequences (for example, `%2fetc%2fpasswd` instead of `/etc/passwd`) and read arbitrary files from the filesystem.
Bleach, a library that removes dangerous content from HTML, has a vulnerability where it fails to block disallowed URI schemes (like javascript:) when Unicode characters (special invisible characters above U+00A0) are inserted into them. While modern browsers won't execute these malformed links, the vulnerability breaks Bleach's safety promise, and if downstream systems normalize these Unicode characters, the dangerous links could become executable.
When developers run `nuxt dev` on Linux with Node.js 20+, Nuxt creates an IPC server (a communication channel for internal processes) using an abstract-namespace Unix socket (a type of connection with no file permissions). Any other user on the same machine can connect to this socket and request sensitive files like `.env` or SSH keys, exposing the developer's secrets. This only affects shared Linux machines and does not impact production builds, macOS, Windows, or containerized environments.
Nuxt has a security vulnerability where routeRules (a feature that applies middleware and other settings to URL paths) uses case-sensitive matching, but vue-router (the routing library Nuxt uses) defaults to case-insensitive matching. This mismatch allows attackers to bypass authorization middleware by changing the capitalization of URL paths, for example accessing `/Admin/dashboard` instead of `/admin/dashboard` to skip security checks.
Nuxt has three URL-handling vulnerabilities in its `navigateTo` and `reloadNuxtApp` functions. First, attackers can bypass path checks using obfuscated paths (like `/..//evil.com`) that get normalized to protocol-relative URLs (like `//evil.com`), causing server-side redirects to attacker sites. Second, the `open` option in `navigateTo` doesn't block javascript: URLs, allowing script execution. Third, `reloadNuxtApp` accepts protocol-relative paths that bypass script-blocking checks. All three can lead to phishing, OAuth token theft, or reflected XSS (cross-site scripting, where attackers inject malicious code into a website's response).
Magnitude, a cybersecurity startup, launched with $10 million in funding to address third-party risk management (TPRM, the process of monitoring security risks from external vendors and partners) using an autonomous AI workforce. The company's AI agents continuously monitor vendors, products, and dependencies for vulnerabilities, automatically identify exposed systems when new risks emerge, and help organizations respond to threats at the speed of AI-powered attacks.
N/A -- This content is not about an AI/LLM-related technical issue, vulnerability, or problem. It is a newsletter header about SpaceX's IPO and mentions only in passing that the US government ordered limits on Anthropic's advanced AI model due to cybersecurity concerns, but provides no details about what that concern is or how it works.
SpaceX is acquiring Cursor, an AI-powered programming platform, for $60 billion to strengthen its enterprise software offerings and compete with other AI companies like Anthropic and OpenAI. The deal was negotiated earlier with an option to either complete the purchase or pay a $10 billion breakup fee, and SpaceX expects to finalize it by the third quarter of 2026.
Researchers discovered a vulnerability in Google Cloud's Vertex AI SDK for Python (versions 1.139.0 and 1.140.0) that allowed attackers to hijack model uploads through bucket squatting (exploiting predictable cloud storage bucket names to intercept files). By predicting the victim's bucket name based on their project ID, an attacker could create that bucket in their own account, intercept the model upload, inject malicious code, and achieve RCE (remote code execution, where attackers run commands on systems they don't own) when the victim deployed the poisoned model.
Fix (Langflow Knowledge Bases path traversal): The issue was fixed in PR #12337 by introducing a `_validate_kb_path_containment()` helper function that uses `Path.is_relative_to()` (instead of `startswith()`) to enforce strict path boundaries and prevent traversal attacks. This validation is applied before any filesystem operations, and regression tests were added to verify that traversal payloads return a 403 Forbidden response.
Source: GitHub Advisory Database
Fix (vLLM activation-function `assert`): Replace the `assert` with an explicit conditional raise, which is not removed in optimized mode. The source provides this fix: `if not function_name.startswith("torch.nn.modules."): raise ValueError("Loading of activation functions is restricted to torch.nn.modules for security reasons")`
Source: Hugging Face Security Advisories
AI agents (autonomous systems that can perform complex tasks independently) are becoming more powerful but also riskier, so Google developed the AI Control Roadmap, a 'defense-in-depth' security framework that combines traditional safeguards like sandboxing (isolating software to limit damage) with monitoring systems and permission controls to protect against agents that may not be perfectly aligned (trained to match human goals) with organizational values. The roadmap treats AI agents as potential insider threats and uses trusted AI supervisors to constantly monitor their reasoning and actions, blocking harmful behaviors before they occur.
Fix (Google AI Control Roadmap): The source describes Google's implemented mitigations within the AI Control Roadmap: (1) using other trusted AI systems as 'supervisors' to constantly monitor a working agent's reasoning, actions, and plans; (2) having supervisors step in to block harmful actions before damage occurs; and (3) continuously measuring performance using three metrics: coverage (fraction of traffic monitored), recall (fraction of misaligned behaviors caught), and time-to-response. The roadmap also employs traditional safeguards including sandboxing, endpoint security, and prompt injection resistance, plus granting AI agents permissions based on their verified behavior.
Source: DeepMind Safety Research
Fix (LangChain path traversal): The patches will canonicalize candidate paths (resolve symlinks to their actual targets) and verify the resolved real path stays within the configured root before reading files; normalize search patterns so they cannot escape the root; make configuration loaders confine resolved path fields and reject symlink escapes unless the caller explicitly enables dangerous loading; enforce path-segment boundaries in path-prefix checks; and make path validation work consistently across different operating systems. Callers that intentionally reference external paths can opt in via the existing dangerous-loading flag.
Source: GitHub Advisory Database
Fix (Bleach URI scheme bypass): Users should upgrade to Bleach 6.4.0. As a workaround, pre-process content to remove non-ASCII characters from URI schemes before sanitizing with `bleach.clean`, or implement a strong Content-Security-Policy (a security header that restricts what scripts can run on a webpage) without `unsafe-inline` and `unsafe-eval` in `script-src`.
Source: GitHub Advisory Database
Fix (Nuxt `nuxt dev` IPC socket): Fixed in `nuxt@4.4.7` and backported to `nuxt@3.21.7`. The fix removes the abstract-namespace socket entirely and instead uses a filesystem Unix socket under the OS temp directory with `chmod 0600` permissions (restricting access to only the owner). If setting the permissions fails, the server closes rather than running on an unrestricted channel. Alternatively, if you cannot upgrade immediately, run `nuxt dev` inside a container or VM with no other users, use a single-user namespace (`unshare -U`), or restrict visibility of `/proc/net/unix` via `hidepid=2` mount options (though this is only a partial mitigation).
Source: GitHub Advisory Database
Fix (Nuxt routeRules case-sensitivity mismatch): Update to `nuxt@4.4.7` or `nuxt@3.21.7`, which fix the vulnerability by normalizing path matching to be case-insensitive consistently. If you cannot upgrade immediately, you can work around the issue by: (1) setting `router.options.sensitive = true` to make all route matching case-sensitive, (2) moving security-critical middleware from `routeRules.appMiddleware` to `definePageMeta({ middleware: [...] })` on protected page components, or (3) enforcing authorization at the API or data-fetching layer instead of relying on middleware.
Source: GitHub Advisory Database
Fix (Nuxt `navigateTo`/`reloadNuxtApp` URL handling): Update to `nuxt@4.4.7` or `nuxt@3.21.7`. Alternatively, the source provides workarounds: (1) validate redirect targets before passing them to `navigateTo` by rejecting paths where `new URL(target, 'http://localhost').pathname` starts with `//`, or only accept a known allow-list of paths; (2) for the `open` option, reject any user-controlled URL whose protocol is not in an allow-list (typically just `http:` and `https:`).
Source: GitHub Advisory Database
AI models can now discover vulnerabilities and create working exploits in hours, forcing organizations to adopt faster security practices that match AI speed rather than traditional weekly or monthly patching cycles. The Wiz Exposure Management Dashboard uses Continuous Threat Exposure Management (CTEM, a proactive strategy that continuously identifies, prioritizes, and validates the most critical attack paths) and AI-powered agents to help security teams automate vulnerability identification, prioritization, and remediation at machine speed to keep pace with AI-driven threats.
Cybersecurity executives are urging the Trump administration to reverse its ban on foreign nationals using Anthropic's latest AI models (Mythos 5 and Fable 5), arguing the restriction could help U.S. adversaries more than protect national security. Anthropic took these models offline to comply with the directive because the AI can find and exploit computer vulnerabilities better than human experts, but the executives' letter contends that other AI models have similar capabilities and that China's AI is rapidly catching up to American technology.
Fix (Google Cloud Vertex AI SDK bucket squatting): Google completed fixes to address this issue in v1.148.0, released April 15, 2026. Developers should upgrade to this fixed version of the SDK.
Source: Palo Alto Unit 42