aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

1757 items

GHSA-8g7g-hmwm-6rv2: n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure

high | vulnerability | security
May 8, 2026

n8n-mcp versions before 2.50.1 had three security issues: unvalidated workflow IDs let an attacker bypass access controls and leak API keys (path traversal); webhook URLs followed HTTP redirects to unintended hosts, giving an attacker server-side request forgery (SSRF, where the server is made to send requests to other systems on the attacker's behalf); and telemetry (usage data sent to the developers) recorded sensitive values such as API keys without redacting them. The combined advisory carries a CVSS score (a 0-10 rating of vulnerability severity) of 8.3 and requires an authenticated attacker with access to the n8n API.

Fix: Upgrade to n8n-mcp version 2.50.1 or later. If upgrading is not immediately possible, the source provides these workarounds: for issues 1 and 2, restrict network access to the HTTP port through firewall rules or switch to stdio mode (a communication method that does not expose HTTP); for issue 3, set the environment variable `N8N_MCP_TELEMETRY_DISABLED=true` before starting the server, or run `npx n8n-mcp telemetry disable` once.

GitHub Advisory Database

GHSA-cmrh-wvq6-wm9r: n8n-mcp webhook and API client paths have an authenticated SSRF

high | vulnerability | security
May 8, 2026
CVE-2026-44694

An authenticated SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal services on their behalf) vulnerability affects n8n-mcp's webhook and API client features. An attacker who can authenticate to n8n-mcp can make the host send HTTP requests to internal services or cloud credential (metadata) endpoints that should be unreachable, and use the responses to steal credentials or enumerate internal systems.

CVE-2026-41487: Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, the

high | vulnerability | security
May 8, 2026
CVE-2026-41487

Langfuse, an open source platform for managing large language model applications, had a role-based access control flaw (user permissions were not properly enforced) in versions from 3.68.0 up to, but not including, 3.167.0. It allowed a low-privileged project member to redirect API requests to an attacker-controlled server, potentially exposing sensitive API keys. The attacker must already hold basic membership in the project.

CVE-2026-42271: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before vers

critical | vulnerability | security
May 8, 2026
CVE-2026-42271

LiteLLM is a proxy server (an intermediary that forwards requests between clients and AI language model APIs) that had a critical vulnerability in versions 1.74.2 through 1.83.6. Two test endpoints accepted user-submitted server configuration and applied it in a way that let the submitter execute arbitrary commands on the proxy host (running any code the attacker chooses). Any valid API key was enough, including a low-privilege one.

CVE-2026-42261: PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.

high | vulnerability | security
May 8, 2026
CVE-2026-42261

PromptHub versions from 0.4.9 up to, but not including, 0.5.4 contain an SSRF vulnerability (server-side request forgery, where an attacker makes the server fetch URLs of the attacker's choosing). An authenticated endpoint lets a user supply a URL that the server fetches and whose response it returns, and the check meant to block private IP addresses (internal network addresses) can be bypassed with alternate IPv6 (Internet Protocol version 6) spellings of those addresses. Any registered user can exploit it, and anyone on the internet can if self-registration is enabled.

CVE-2026-42208: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before ver

high | vulnerability | security
May 8, 2026
CVE-2026-42208

LiteLLM, a proxy server (an intermediary that forwards requests to different AI APIs), has an SQL injection vulnerability (a flaw where attacker-controlled input is spliced into a database query and becomes part of the SQL) in versions 1.81.16 through 1.83.6. An unauthenticated attacker can craft a fake Authorization header whose value reaches a database query, allowing them to read or modify data in the proxy's database, including stored API credentials.
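The pattern described above, as an added example that is not LiteLLM's code or schema: a key lookup that splices the bearer token from the Authorization header into SQL text, beside the parameterized and shape-checked version. The table, the token format `sk-...` and the `EXFIL_HEADER` payload are constructed for the example; the payload closes the string literal and UNIONs another user's key into the result, which is the "read stored credentials" outcome the advisory describes.

```python
import re
import sqlite3

# Constructed example; the schema and lookup are not LiteLLM's code.
TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9]{4,64}$")


def demo_db():
    """In-memory key store standing in for a proxy's virtual-key table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, owner TEXT, budget REAL)")
    db.executemany("INSERT INTO virtual_keys VALUES (?, ?, ?)",
                   [("sk-aaaa1111", "alice", 10.0), ("sk-bbbb2222", "bob", 5.0)])
    return db


def bearer_token(auth_header):
    """Extract the token part of 'Bearer <token>'; None for anything else."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_key_vulnerable(db, auth_header):
    """Splices the header value into SQL text (intentionally vulnerable)."""
    token = bearer_token(auth_header)
    if token is None:
        return None
    sql = f"SELECT owner, budget FROM virtual_keys WHERE token = '{token}'"
    return db.execute(sql).fetchone()


def lookup_key_safe(db, auth_header):
    """Shape-checks the token and binds it as a parameter, so the value can
    never become SQL syntax. Either defence alone stops this payload; the
    parameter binding is the one that matters, the regex is defence in depth."""
    token = bearer_token(auth_header)
    if token is None or not TOKEN_RE.fullmatch(token):
        return None
    return db.execute(
        "SELECT owner, budget FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()


# Constructed attack header: no valid key needed, the 'token' is SQL.
EXFIL_HEADER = "Bearer ' UNION SELECT token, budget FROM virtual_keys WHERE owner='bob' --"
```

Against the vulnerable lookup, `EXFIL_HEADER` returns bob's key as if it were the caller's own row; against the safe lookup it returns nothing. Note that `sqlite3.execute` refuses stacked statements, so the "modify data" half of the advisory would need a driver or query shape that permits them; the read path is enough to take the credentials.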

CVE-2026-42203: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before vers

critical | vulnerability | security
May 8, 2026
CVE-2026-42203

LiteLLM is a proxy server (a middleman that forwards requests to AI language model APIs) that had a security flaw in versions 1.80.5 through 1.83.6 in its POST /prompts/test endpoint. The endpoint took user-supplied prompt templates and rendered them without sandboxing (isolating them in a restricted environment), so an attacker with a valid API key could execute arbitrary code on the server (run any commands they want) and steal secrets such as API keys or database passwords.
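Why "rendered without sandboxing" leads to secret theft, as an added example that is not LiteLLM's template engine: Python's `str.format` resolves attribute and index chains on whatever objects are in the template context, so a template can walk from any context object to its module's globals. The block renders a constructed `LEAKY_TEMPLATE` two ways: unsandboxed with `str.format`, which leaks the constructed `DATABASE_URL`, and sandboxed with `string.Template`, which only substitutes `$name` placeholders and is handed scalar values only. `Settings`, `DATABASE_URL` and the template text are assumptions made for the example.

```python
import re
import string

# Constructed example; not LiteLLM's prompt-template code.
DATABASE_URL = "postgres://proxy:hunter2@db.internal/proxy"   # constructed secret in module scope


class Settings:
    """Any object reachable from the template context will do."""
    def __init__(self, model):
        self.model = model


def render_unsandboxed(template, context):
    """str.format follows .attr and [key] chains on context objects, so the
    template author can reach __globals__ of any method (intentionally unsafe)."""
    return template.format(**context)


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_sandboxed(template, context):
    """string.Template does $name / ${name} substitution only: no attribute
    access, no indexing, no expression evaluation. Values are restricted to
    scalars so nothing object-shaped is reachable from the template at all.
    Raises KeyError for an unknown $name and TypeError for a non-scalar value."""
    safe = {}
    for key, value in context.items():
        if not _IDENT.match(key):
            raise ValueError(f"bad placeholder name: {key!r}")
        if not isinstance(value, (str, int, float, bool)):
            raise TypeError(f"{key}: only scalar values may be rendered, got {type(value).__name__}")
        safe[key] = str(value)
    return string.Template(template).substitute(safe)


# Constructed attack: a 'prompt' that reads a secret instead of text.
LEAKY_TEMPLATE = "Summarize for {settings.model}: {settings.__init__.__globals__[DATABASE_URL]}"
```

The unsandboxed path needs no `eval` and no plugin: the traversal is built into format-string field lookup. The same shape applies to Jinja-style engines, where the fix is the engine's sandboxed environment rather than a different template syntax.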

GHSA-39j6-4867-gg4w: utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

medium | vulnerability | security
May 7, 2026
CVE-2026-44661

The utcp-http plugin has an SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests on their behalf) that lets an attacker point the tool at internal systems. The attacker hosts an OpenAPI specification (a standard format describing API endpoints) on a legitimate HTTPS server but sets its `servers[0].url` to an internal address such as a cloud metadata service. The plugin used that URL for tool calls without validating the host it resolved to, so responses from internal services could be exposed to the LLM and, through it, to the attacker.
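One destination check serves the three SSRF entries above: n8n-mcp's redirect-following webhook client, PromptHub's IPv6 bypass of a private-IP filter, and utcp-http's attacker-chosen `servers[0].url`. The block below is an added example, not code from any of those projects. It validates the resolved address rather than the hostname string, unwraps IPv4-mapped and 6to4 IPv6 forms so `::ffff:127.0.0.1` is judged as 127.0.0.1, blocks the cloud metadata ranges the n8n-mcp advisory lists, and follows redirects by hand so that every hop is re-checked. `validate_outbound_url`, `fetch_checked`, the injectable `resolver`/`opener` callbacks and the sample addresses are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Constructed example, not code from n8n-mcp, PromptHub or utcp-http.
# Destinations a server-side fetcher must never reach, whatever the spelling.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # loopback, RFC1918
    "169.254.0.0/16",   # link-local; covers 169.254.169.254 and 169.254.170.2
    "100.64.0.0/10",    # shared address space; covers 100.100.100.200
    "192.0.0.0/24",     # IETF protocol assignments; covers 192.0.0.192
    "0.0.0.0/8", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def canonical_ip(ip):
    """Collapse IPv6 forms that embed an IPv4 address (::ffff:a.b.c.d, 6to4)
    so the IPv4 block list applies to them as well."""
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip.sixtofour is not None:
            return ip.sixtofour
    return ip


def is_blocked_ip(ip):
    ip = canonical_ip(ip)
    return any(ip in net for net in BLOCKED_NETWORKS)


def _default_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=None):
    """Return the vetted IP strings for url, or raise ValueError.

    The decision is made on the resolved address, not on the hostname text,
    so '127.1', decimal IPs and DNS names pointing at private space are all
    caught. resolver(host) -> list[str] is injectable so tests need no network.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("missing host")
    if host in BLOCKED_HOSTNAMES:
        raise ValueError(f"blocked hostname: {host}")
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal in any notation
    except ValueError:
        resolve = resolver or _default_resolver
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            raise ValueError(f"unresolvable host: {host}")
    for ip in addrs:                                  # every answer must be allowed
        if is_blocked_ip(ip):
            raise ValueError(f"{url} resolves to blocked address {ip}")
    return [str(a) for a in addrs]


def fetch_checked(url, opener, resolver=None, max_redirects=3):
    """Follow redirects by hand and re-validate every hop.

    opener(url) -> (status, location_or_None, body). A client that follows
    redirects internally performs the later hops with no check at all, which
    is the redirect-following SSRF pattern.
    """
    for _ in range(max_redirects + 1):
        validate_outbound_url(url, resolver)
        status, location, body = opener(url)
        if status not in REDIRECT_CODES:
            return url, body
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)
    raise ValueError("too many redirects")
```

Connect to the vetted addresses `validate_outbound_url` returns (or resolve once and connect by IP) rather than letting the HTTP client resolve the name again; otherwise a DNS answer can change between check and connect. A network-level egress rule, as the n8n-mcp and utcp-http advisories recommend, remains the backstop for anything the application-level check misses.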

CVE-2026-35435: Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges

high | vulnerability | security
May 7, 2026
CVE-2026-35435

CVE-2026-35435 is a vulnerability in Azure AI Foundry M365 published agents in which improper access control (weak rules about who may access what) allows an unauthorized attacker to elevate privileges over a network. NIST has not yet published a CVSS score (a 0-10 rating of vulnerability severity) for it.

CVE-2026-33111: Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) all

high | vulnerability | security
May 7, 2026
CVE-2026-33111

CVE-2026-33111 is a command injection vulnerability (crafted input is interpreted as part of a command) in Copilot Chat for Microsoft Edge that could allow an unauthorized attacker to disclose information over a network. The flaw stems from improper neutralization of special characters in commands. NIST has not yet assigned a severity score.

CVE-2026-32207: Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an

high | vulnerability | security
May 7, 2026
CVE-2026-32207

CVE-2026-32207 is a cross-site scripting vulnerability (XSS, where an attacker injects malicious code into a web page that gets executed in users' browsers) in Azure Machine Learning that allows an unauthorized attacker to perform spoofing (impersonating someone or something else) over a network. The vulnerability stems from improper handling of user input during web page generation.

CVE-2026-26164: Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allow

high | vulnerability | security
May 7, 2026
CVE-2026-26164

CVE-2026-26164 is a vulnerability in Microsoft 365 Copilot caused by improper neutralization of special elements in output (a type of injection attack, where specially crafted input can be misinterpreted as commands). An attacker without authorization could exploit this to access and disclose information over a network.

CVE-2026-26129: Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over

high | vulnerability | security
May 7, 2026
CVE-2026-26129

CVE-2026-26129 is a vulnerability in Microsoft 365 Copilot where improper neutralization of special elements (failure to safely handle certain characters or code) allows an unauthorized attacker to disclose information over a network. It carries a CVSS score (a 0-10 rating of vulnerability severity) of 4.0, which is Medium on the CVSS scale.

CVE-2026-41691: i18nextify is a JavaScript library that adds website internat

medium | vulnerability | security
May 7, 2026
CVE-2026-41691

i18nextify is a JavaScript library that enables website internationalization (support for multiple languages) through a single script tag. Versions before 3.0.5 have a URL injection vulnerability (untrusted values are placed into a request URL without validation) because the library does not validate the language (`lng`) and namespace (`ns`) values before interpolating them into the URLs of its translation-file requests. It is exploitable when an application lets user input choose the language.
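What an unvalidated `lng` or `ns` does to a translation-file URL, and the allowlist check that prevents it, as an added example that is not i18nextify's code. `LOAD_PATH` follows the `{{lng}}`/`{{ns}}` template convention of i18next backends; the regular expressions, the fallback policy and `where_it_goes` (which shows the path a server would serve after dot-segment normalisation) are assumptions made for the example. An allowlist on the value's shape rejects every character in the advisory's strip list (`..`, `/`, `\`, `?`, `#`, `%`, whitespace, control characters) without having to enumerate them.

```python
import posixpath
import re

# Constructed example; not i18nextify's code.
LOAD_PATH = "/locales/{{lng}}/{{ns}}.json"          # i18next-style loadPath template
LNG_RE = re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8}){0,3}")   # en, en-US, zh-Hant-TW
NS_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def load_url_unchecked(lng, ns):
    """Interpolates the raw values (intentionally unsafe)."""
    return LOAD_PATH.replace("{{lng}}", lng).replace("{{ns}}", ns)


def where_it_goes(url):
    """Path a server actually serves: drop query and fragment, collapse '..'."""
    return posixpath.normpath(url.split("?", 1)[0].split("#", 1)[0])


def locale_params(lng, ns, fallback_lng="en", max_len=35):
    """Allowlist validation. A language that is not shaped like a language
    tag falls back to the default; a bad namespace is an error, because
    namespaces are chosen by the application, never by the user."""
    lng = (lng or "").strip()
    if len(lng) > max_len or not LNG_RE.fullmatch(lng):
        lng = fallback_lng
    if not NS_RE.fullmatch(ns or ""):
        raise ValueError(f"invalid namespace {ns!r}")
    return lng, ns


def load_url_checked(lng, ns):
    """Build the URL only from validated parts."""
    lng, ns = locale_params(lng, ns)
    return load_url_unchecked(lng, ns)
```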

French prosecutors escalate probe of Elon Musk and X to criminal investigation

info | incident | safety, policy

GHSA-mcfx-4vc6-qgxv: BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context

medium | vulnerability | security
May 7, 2026
CVE-2026-40610

BentoML's `bentoml build` command has a symlink traversal vulnerability (it follows attacker-controlled symbolic links, which are pointers to other files) that lets files from outside the build directory be copied into the generated Bento artifact (the packaged application). If a developer builds an untrusted repository, the attacker can plant a symlink to a sensitive file such as a credentials file or an API token, and that file is copied into the final package, from which it can leak through export or upload workflows.
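A build-context copy that refuses the traversal described above, as an added example that is not BentoML's build code. The rule is to resolve every entry's real location and reject it unless it stays under the resolved context root; file symlinks that stay inside are dereferenced, directory symlinks are refused. `demo()` builds a constructed repository in a temporary directory with an attacker-planted link to a credentials file outside the context and a benign in-context link, and returns what happened. `copy_build_context`, `UnsafePathError` and the directory-symlink policy are assumptions made for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed example; not BentoML's build code.


class UnsafePathError(Exception):
    pass


def copy_build_context(src_dir, dst_dir):
    """Copy src_dir into dst_dir, refusing anything that resolves outside src_dir.

    File symlinks inside the context are dereferenced (the copy gets content,
    not a link); directory symlinks are refused, since a directory link is the
    easiest way to pull a whole tree in from elsewhere. Hard links are not
    symlinks and are not detected here. Returns sorted relative paths copied.
    """
    root = Path(src_dir).resolve(strict=True)
    out = Path(dst_dir)
    out.mkdir(parents=True, exist_ok=True)
    copied = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames:
            p = Path(dirpath) / name
            if p.is_symlink():
                raise UnsafePathError(f"{p.relative_to(root)}: directory symlinks are not allowed")
            (out / p.relative_to(root)).mkdir(exist_ok=True)
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root)
            real = p.resolve()                     # follows the whole symlink chain
            if root not in real.parents:
                raise UnsafePathError(f"{rel} resolves outside the build context: {real}")
            if not real.is_file():
                raise UnsafePathError(f"{rel}: target is not a regular file")
            shutil.copyfile(real, out / rel)
            copied.append(rel.as_posix())
    return sorted(copied)


def demo():
    """Constructed scenario: a repo planting a symlink to a credentials file
    outside the build context, next to a harmless in-context symlink.
    Returns (escape_was_blocked, files_copied_after_removing_it, secret_leaked)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        secret = tmp / "home" / ".aws" / "credentials"
        secret.parent.mkdir(parents=True)
        secret.write_text("aws_secret_access_key = EXAMPLEKEY\n")
        repo = tmp / "repo"
        (repo / "src").mkdir(parents=True)
        (repo / "src" / "service.py").write_text("print('hello')\n")
        (repo / "README.md").write_text("# demo\n")
        (repo / "config.txt").symlink_to(secret)                      # attacker's link
        (repo / "entry.py").symlink_to(Path("src") / "service.py")    # benign link
        try:
            copy_build_context(repo, tmp / "bento_attempt")
            blocked = False
        except UnsafePathError:
            blocked = True
        (repo / "config.txt").unlink()
        copied = copy_build_context(repo, tmp / "bento")
        leaked = (tmp / "bento" / "config.txt").exists()
        return blocked, copied, leaked
```

The check is on `resolve()` output, not on the link text, so relative links, links through other links, and absolute links into the context are all judged by where they end up.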

GHSA-98h9-4798-4q5v: Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components

high | vulnerability | security
May 7, 2026
CVE-2026-44513

Diffusers, Hugging Face's library for diffusion models, had a flaw that let the `trust_remote_code` parameter (the guard that prevents a model repository from running its own code) be bypassed in three ways when loading models with `DiffusionPipeline.from_pretrained()`. An attacker could execute arbitrary code on a user's machine even when the user explicitly passed `trust_remote_code=False` or left it at its default. Affected users are those loading custom pipelines (code shipped with a repository) or local model snapshots (saved model directories).

GHSA-j7w6-vpvq-j3gm: Duplicate Advisory: Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components

high | vulnerability | security
May 6, 2026

The Diffusers library has a vulnerability where arbitrary code can be silently executed when loading a pipeline from HuggingFace Hub, bypassing the `trust_remote_code` security check. An attacker can craft a repository with custom code in a Python file that gets automatically executed during `DiffusionPipeline.from_pretrained()` without requiring the `trust_remote_code=True` parameter or any visible warning, allowing remote code execution (RCE, where an attacker runs commands on a system they don't own).
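The structural point behind the two Diffusers entries above, as an added example that is not the diffusers source: three loading paths (default arguments, an explicit `trust_remote_code=False`, and a `custom_pipeline=` file) all end up executing a `.py` file from the snapshot, so the gate has to sit at the one function that performs the import rather than at each caller. The block models that with a single `get_cached_module_file` choke point, a `from_pretrained` that routes every path through it, and a `find_dynamic_modules` audit for the "check local snapshots for unexpected .py files" mitigation. The `model_index.json` layout with a `components` map is a simplification invented for the example, as are the file names used by `demo()`.

```python
import importlib.util
import json
import tempfile
from pathlib import Path

# Constructed model of the fix's structure; not the diffusers source.


class RemoteCodeNotTrusted(Exception):
    pass


def find_dynamic_modules(snapshot_dir):
    """Pre-load audit: every .py file in a snapshot is a candidate for execution."""
    root = Path(snapshot_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.py"))


def get_cached_module_file(snapshot_dir, module_file, trust_remote_code):
    """Single choke point for executing code shipped with a model. Because
    every loading path funnels through here, no path can skip the gate."""
    if not trust_remote_code:
        raise RemoteCodeNotTrusted(
            f"{module_file} would execute on import; pass trust_remote_code=True "
            "only after reading it")
    path = Path(snapshot_dir) / module_file
    spec = importlib.util.spec_from_file_location(path.stem, str(path))
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)          # this is the code execution
    return module


def from_pretrained(snapshot_dir, custom_pipeline=None, trust_remote_code=False):
    """Simplified loader. Assumed index layout (hypothetical): model_index.json
    has a 'components' map of name -> [module, class]; a module ending in .py
    is a file inside the snapshot rather than a library import."""
    index = json.loads((Path(snapshot_dir) / "model_index.json").read_text())
    loaded = {}
    if custom_pipeline:                                   # path 1: explicit custom pipeline
        loaded["pipeline"] = get_cached_module_file(snapshot_dir, custom_pipeline, trust_remote_code)
    for name, (module, _cls) in index.get("components", {}).items():
        if module.endswith(".py"):                        # path 2: local custom component
            loaded[name] = get_cached_module_file(snapshot_dir, module, trust_remote_code)
    return loaded


def demo():
    """Constructed snapshot carrying a custom component and a custom pipeline.
    Returns (all_untrusted_loads_refused, audit_findings, trusted_load_ran_code)."""
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp)
        (snap / "model_index.json").write_text(json.dumps(
            {"_class_name": "DemoPipeline",
             "components": {"scheduler": ["scheduler_custom.py", "Sched"]}}))
        (snap / "scheduler_custom.py").write_text("EXECUTED = True\nclass Sched: pass\n")
        (snap / "pipeline.py").write_text("EXECUTED = True\n")
        refused = []
        for kwargs in ({}, {"trust_remote_code": False}, {"custom_pipeline": "pipeline.py"}):
            try:
                from_pretrained(snap, **kwargs)
                refused.append(False)
            except RemoteCodeNotTrusted:
                refused.append(True)
        found = find_dynamic_modules(snap)
        loaded = from_pretrained(snap, custom_pipeline="pipeline.py", trust_remote_code=True)
        return all(refused), found, loaded["pipeline"].EXECUTED and loaded["scheduler"].EXECUTED
```

The audit list is the thing to read before ever passing `trust_remote_code=True`: a snapshot that should contain only weights and JSON but carries a `.py` file is exactly the case the advisory describes.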

GHSA-9h64-2846-7x7f: Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening

critical | vulnerability | security
May 6, 2026

AxonFlow platform versions before 7.5.0 contained eight security bugs related to multi-tenant isolation (keeping the data of different organizations sharing one system apart), access control, and policy enforcement. They could allow one tenant to read another tenant's audit logs, bypass authentication on customer onboarding, enumerate organizations, exhaust memory, or perform SQL injection (inserting malicious database commands). All eight issues are addressed together in the v7.5.0 release.
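The mitigation the AxonFlow advisory gives for its isolation bugs, setting `X-Org-ID` / `X-Tenant-ID` from the authenticated identity at the ingress and never accepting body-supplied identity, as an added example that is not AxonFlow's middleware. `resolve_tenant` verifies the credential, discards any tenant headers the client sent, sets the tenant headers from the verified claims, and refuses a body that names a different tenant rather than silently merging it. The HMAC-signed token format, the header and field names, and the request shape (`{"headers": ..., "body": ...}`) are assumptions made for the example; a real ingress would verify whatever credential it actually issues.

```python
import base64
import hashlib
import hmac
import json

# Constructed example; not AxonFlow's middleware.
SIGNING_KEY = b"constructed-demo-key-rotate-me"        # constructed secret
TENANT_HEADERS = {"x-org-id", "x-tenant-id"}
TENANT_BODY_FIELDS = ("org_id", "tenant_id")


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, org_id):
    """Minimal signed claim set: <base64url(json)>.<base64url(hmac-sha256)>."""
    payload = _b64(json.dumps({"sub": subject, "org": org_id}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token):
    """Return the claims if the signature checks out, else None."""
    payload, _, sig = (token or "").partition(".")
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not payload or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(payload))


def resolve_tenant(request):
    """Ingress step. Derives the tenant from the verified credential, drops any
    client-supplied tenant headers, and rejects a body naming another tenant.
    request = {"headers": {...}, "body": {...}}.
    Returns (org_id, headers, body) as the upstream service must see them."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    claims = verify_token(auth[7:]) if auth.lower().startswith("bearer ") else None
    if not claims:
        raise PermissionError("missing or invalid credential")
    org = claims["org"]
    forwarded = {k: v for k, v in headers.items()
                 if k not in TENANT_HEADERS and k != "authorization"}
    forwarded["x-org-id"] = org                  # from identity, never from the client
    forwarded["x-tenant-id"] = org
    body = dict(request.get("body") or {})
    for field in TENANT_BODY_FIELDS:
        if field in body:
            if body[field] != org:
                raise PermissionError(
                    f"body {field}={body[field]!r} does not match authenticated tenant {org!r}")
            del body[field]                      # identity travels only in headers the client cannot set
    return org, forwarded, body
```

Rejecting the mismatch instead of overwriting it is a deliberate choice: a request that claims another organization is either a bug or an attack, and either way it should surface in logs rather than be quietly corrected.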

GHSA-mgx6-5cf9-rr43: Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)

high | vulnerability | security
May 6, 2026
CVE-2026-0897

Keras's KerasFileEditor (the tool for inspecting and editing saved models) has a denial-of-service (DoS, where a system is made unusable) vulnerability triggered by a malicious .keras file. An attacker crafts a small file (100-400 KB) whose HDF5 weights file (the binary container Keras uses for layer weights) declares an enormous dataset shape while storing only a few bytes of data. When the editor opens the file, it allocates memory according to the declared shape, attempting to reserve petabytes of RAM, which crashes the loading process and any application hosting it.
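The defence for a declared-shape bomb is to compare what a dataset claims with what is actually stored before allocating anything, as an added example that is not Keras code. The block takes per-dataset descriptors (declared shape, dtype, bytes present on disk) and rejects a dataset whose declared size exceeds the budget, pushes the running total over it, or exceeds the stored bytes by more than a plausible compression ratio. With h5py those three numbers come from `Dataset.shape`, `Dataset.dtype.itemsize` and `Dataset.id.get_storage_size()`, read from the `model.weights.h5` member of the .keras archive; `DatasetInfo`, `preflight`, the 64x expansion ceiling and the constructed `LEGIT`/`BOMB` descriptors are assumptions made for the example.

```python
import math
from dataclasses import dataclass

# Constructed example; not Keras/KerasFileEditor code.
ITEMSIZE = {"float16": 2, "bfloat16": 2, "float32": 4, "float64": 8,
            "int8": 1, "uint8": 1, "int32": 4, "int64": 8, "bool": 1}


@dataclass(frozen=True)
class DatasetInfo:
    name: str
    shape: tuple            # as declared in the HDF5 dataspace
    dtype: str
    storage_bytes: int      # bytes actually present on disk for the dataset


def declared_bytes(ds):
    """Bytes a loader would allocate if it trusted the declared shape."""
    return math.prod(ds.shape) * ITEMSIZE[ds.dtype]


def preflight(datasets, max_total_bytes, max_expansion=64):
    """Decide before any allocation happens. Returns (ok, findings).

    A dataset is flagged when its declared size alone exceeds the budget,
    when the running total would, or when it declares more than
    max_expansion times what it stores. 64x is a generous ceiling for HDF5
    compression; a shape bomb is off by many orders of magnitude.
    """
    findings, total = [], 0
    for ds in datasets:
        need = declared_bytes(ds)
        total += need
        if need > max_total_bytes:
            findings.append(f"{ds.name}: declares {need:,} bytes, over budget {max_total_bytes:,}")
        elif total > max_total_bytes:
            findings.append(f"{ds.name}: cumulative allocation {total:,} exceeds budget")
        elif need > 0 and need > max_expansion * max(ds.storage_bytes, 1):
            findings.append(f"{ds.name}: declares {need:,} bytes but stores {ds.storage_bytes:,}")
    return (not findings), findings


# Constructed descriptors: a realistic conv kernel, a compressed embedding
# table, and a shape bomb that stores 1 KB while declaring 4 PiB.
LEGIT = DatasetInfo("conv1/kernel", (3, 3, 64, 128), "float32", 3 * 3 * 64 * 128 * 4)
COMPRESSED = DatasetInfo("embed/table", (1000, 256), "float16", 51_200)
BOMB = DatasetInfo("dense/kernel", (2**20, 2**20, 2**10), "float32", 1024)
```

Run the check over every dataset in the weights file before handing the file to the loader; the budget should be tied to the memory the host can actually give the process, not to a fixed constant.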


Fixes and sources for the entries above, by advisory

Fix (GHSA-cmrh-wvq6-wm9r / CVE-2026-44694, n8n-mcp authenticated SSRF): Fixed in n8n-mcp@2.50.2. If you cannot upgrade immediately, the source suggests three workarounds: (1) Restrict network egress from the n8n-mcp host using a firewall or cloud security group to deny cloud metadata IPs (169.254.169.254, 169.254.170.2, 100.100.100.200, 192.0.0.192, and GCP metadata.google.internal) and RFC1918 networks; (2) Run in stdio mode instead of HTTP if multi-tenant mode is not needed; (3) Disable workflow management tools via `DISABLED_TOOLS=n8n_trigger_webhook_workflow,n8n_create_workflow,n8n_test_workflow` if not needed. Additionally, if N8N_API_URL points to localhost or a private network address, set `WEBHOOK_SECURITY_MODE=moderate` (allows localhost, blocks private networks and cloud metadata) or `WEBHOOK_SECURITY_MODE=permissive` (allows private networks too, only safe on trusted networks).
Source: GitHub Advisory Database

Fix (CVE-2026-41487, Langfuse): Update to Langfuse version 3.167.0 or later, where the issue has been patched.
Source: NVD/CVE Database

Fix (CVE-2026-42271, LiteLLM test endpoints): This issue has been patched in version 1.83.7. Users should upgrade to version 1.83.7 or later.
Source: NVD/CVE Database

Fix (CVE-2026-42261, PromptHub): Update to version 0.5.4 or later, which includes a patch for this vulnerability.
Source: NVD/CVE Database

Fix (CVE-2026-42208, LiteLLM SQL injection): Update to version 1.83.7 or later, where this issue has been patched.
Source: NVD/CVE Database

Fix (CVE-2026-42203, LiteLLM /prompts/test): Upgrade to version 1.83.7 or later. According to the source: 'This issue has been patched in version 1.83.7.'
Source: NVD/CVE Database

Fix (GHSA-39j6-4867-gg4w / CVE-2026-44661, utcp-http): Upgrade to utcp-http version 1.1.2. The patch adds a new security function called `ensure_secure_url()` that properly validates hostnames (not just string patterns) against a list of allowed addresses, and this validation is now performed both when manually registering tools and right before making requests. Users unable to upgrade should avoid calling `register_manual()` with any untrusted URLs and restrict outbound network access from the agent host to block access to internal addresses (RFC1918 private ranges, 169.254.0.0/16, and loopback addresses).
Source: GitHub Advisory Database

Source for CVE-2026-35435, CVE-2026-33111, CVE-2026-32207, CVE-2026-26164 and CVE-2026-26129 (Microsoft): NVD/CVE Database

Fix (CVE-2026-41691, i18nextify): This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next by stripping .., /, \, ?, #, %, whitespace, and control characters; and capping the length.
Source: NVD/CVE Database

French prosecutors escalate probe of Elon Musk and X to criminal investigation (May 7, 2026): French prosecutors have escalated their investigation of Elon Musk and his social network X into a criminal probe, focusing on allegations of algorithmic manipulation (using computer programs to influence user feeds and information), spreading of nonconsensual sexually explicit deepfake images (synthetic media created without consent), and Holocaust denial content on X's AI chatbot Grok. Musk and former X CEO Linda Yaccarino were summoned to appear in April but declined to do so, and similar investigations are underway in other countries and by California authorities.
Source: CNBC Technology

Source for GHSA-mcfx-4vc6-qgxv / CVE-2026-40610 (BentoML): GitHub Advisory Database

Fix (GHSA-98h9-4798-4q5v / CVE-2026-44513, Diffusers): Upgrade to diffusers version 0.38.0 or later by running: `pip install --upgrade "diffusers>=0.38.0"`. The fix moves the `trust_remote_code` security check to `get_cached_module_file()` in `src/diffusers/utils/dynamic_modules_utils.py`, which is the actual point where all dynamic modules are loaded. If immediate upgrading is not possible, the source recommends only using `from_pretrained()` with trusted sources, avoiding `custom_pipeline=` parameters pointing to different repositories without inspecting their code first, and manually checking local snapshots for unexpected `.py` files before loading them, though these are only temporary mitigations and not complete fixes.
Source: Hugging Face Security Advisories

Source for GHSA-j7w6-vpvq-j3gm (duplicate Diffusers advisory): Hugging Face Security Advisories

Fix (GHSA-9h64-2846-7x7f, AxonFlow): Upgrade to AxonFlow platform v7.5.0 or later; no configuration changes are required. For users unable to upgrade immediately, the source provides specific mitigations: for items 1-5, ensure agent middleware sets `X-Org-ID` / `X-Tenant-ID` from authenticated identity at the ingress and never accept body-supplied identity; for item 8 (Community SaaS only), set `SQLI_ACTION=block` explicitly via the agent task definition (v7.5.0 makes this the default).
Source: GitHub Advisory Database

Source for GHSA-mgx6-5cf9-rr43 / CVE-2026-0897 (Keras): GitHub Advisory Database