Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
The LangSmith SDK (a tool for monitoring AI applications) has a security flaw where its output redaction feature (hideOutputs in JavaScript, hide_outputs in Python) doesn't work for streaming token events. When an LLM produces streamed output, each piece of data is recorded as a new_token event with unredacted content that bypasses the redaction process entirely, potentially leaking sensitive information to LangSmith storage.
Anthropic experienced a brief outage on Wednesday affecting its Claude chatbot, API (application programming interface, the connection between software services), and Claude Code assistant, with elevated error rates beginning around 10:53 a.m. ET. By 1:50 p.m. ET, all systems were restored and operational, with login success rates stabilizing by 12:30 p.m. ET.
LangChain-ChatChat version 0.3.1 has a remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't own) in how it handles MCP STDIO servers (a communication protocol for server connections). An attacker can access the exposed management interface, set up a malicious MCP server with commands of their choice, and then trigger those commands to run when the service processes agent requests.
Windsurf version 1.9544.26 has a prompt injection vulnerability (a technique where attackers hide malicious instructions in input to trick an AI system) that allows remote attackers to execute arbitrary commands on a victim's computer. When Windsurf processes attacker-controlled HTML content, it can be tricked into automatically registering a malicious MCP STDIO server (a communication interface for running code), giving attackers the ability to run commands without the user's knowledge.
mcp-server-kubernetes versions 3.4.0 and earlier have an argument injection vulnerability (a type of attack where an attacker sneaks extra commands into a tool by exploiting how input is processed) in the port_forward tool. The vulnerability exists because the code builds a kubectl command (a tool for managing Kubernetes clusters) by concatenating strings with user input and splitting on spaces, instead of using a safer array-based method like other tools in the codebase. This allows attackers to inject malicious kubectl flags to expose internal services or target resources in unintended ways.
The `ConformityCheck` class in giskard-checks was automatically treating the `rule` parameter as a Jinja2 template (a template language that evaluates expressions), which could allow arbitrary code execution if check definitions came from untrusted sources. While the library is only used locally by developers, this hidden behavior made it easy to accidentally pass untrusted input without realizing expressions would be evaluated.
The RegexMatching check in giskard-checks has a ReDoS vulnerability (regular expression denial of service, where a specially crafted regex pattern causes the regex engine to hang by backtracking excessively through text). An attacker with write access to check definitions can craft malicious regex patterns that make the testing process hang indefinitely, disrupting automated testing environments like CI/CD pipelines (continuous integration/continuous deployment automation).
CVE-2026-23653 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into input that gets executed) in GitHub Copilot and Visual Studio Code that allows an authorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements used in commands. The CVSS severity score (a standard 0-10 rating of how serious a security flaw is) has not yet been assigned by NIST.
Kiro IDE (a development environment that uses AI agents to help developers) has a cross-site scripting vulnerability (XSS, where an attacker injects malicious code that runs in a web browser) in versions before 0.8.140. An attacker can exploit this by creating a malicious workspace with a crafted color theme name, and if a user opens and trusts that workspace, the attacker's code will execute on their computer.
A vulnerability in OpenAI Codex CLI v0.23.0 and earlier allows attackers to execute arbitrary code by creating malicious configuration files (.env and .codex/config.toml) in a repository. When a user runs the codex command in a compromised repository, the tool automatically loads these files without asking for permission, triggering the attacker's embedded commands.
An SSH/SCP option injection vulnerability in the @aiondadotcom/mcp-ssh library allowed attackers to execute arbitrary commands locally on the machine running the MCP server (a tool that connects an AI to external systems). By crafting malicious input like `-oProxyCommand=...`, attackers could trick SSH into running their code before any network connection happened, potentially stealing SSH keys and credentials. The vulnerability could be triggered even without a malicious user, since an LLM (large language model) could be tricked through prompt injection (hiding attacker instructions in text it reads) to pass the malicious input to the tool.
A vulnerability in keras version 3.13.0 allows attackers to run their own code when a model is loaded, even when `safe_mode=True` (a setting meant to prevent unsafe operations). The problem occurs because the `TFSMLayer` class loads external TensorFlow SavedModels (pre-trained model files) without checking if they're safe, and doesn't properly validate file paths or configuration data.
A vulnerability (CVE-2026-6129) was found in the CowAgent component of zhayujie's chatgpt-on-wechat software up to version 2.0.4, where missing authentication (failure to verify user identity) in the Agent Mode Service allows attackers to perform unauthorized actions remotely. The exploit is publicly available and the developers have not yet responded to the initial report of the problem.
CVE-2026-6126 is a missing authentication vulnerability in zhayujie chatgpt-on-wechat CowAgent version 2.0.4, affecting an administrative HTTP endpoint (a web-based control interface). An attacker can remotely exploit this flaw without needing valid credentials, and the exploit code has been publicly released.
FastGPT (a platform for building AI agents) has a broken access control vulnerability (IDOR/BOLA, a flaw where one user can access another user's data by guessing or changing IDs) that allows any authenticated team to run AI applications belonging to other teams by using a different application ID. The system checks that users are logged in but doesn't verify that the application they're trying to use actually belongs to their team, leading to unauthorized access to private AI workflows across teams.
n8n-mcp (a tool for connecting AI systems to external services) had security problems where certain HTTP endpoints (the connection points a program offers over the internet) didn't require authentication and exposed sensitive system information. An attacker with network access could shut down active sessions and gather details to plan further attacks.
The LangSmith JavaScript SDK contains a prototype pollution vulnerability (a type of attack where an attacker modifies the base object that all JavaScript objects inherit from) in its internal lodash `set()` function. The vulnerability exists because the code only blocks the `__proto__` key but allows attackers to bypass this protection using `constructor.prototype` instead, potentially affecting all objects in a Node.js application if they control data being processed by the `createAnonymizer()` API.
PraisonAI's browser bridge server (started with `praisonai browser start`) has a security flaw where it accepts WebSocket connections (a two-way communication channel between a client and server) without proper authentication checks. An attacker on the network can connect without credentials, trick the server into linking their connection to a legitimate browser extension session, and then intercept all commands and responses from that session, effectively taking control of the browser automation without permission.
Fix: Update to version 3.5.0, which fixes this issue.
NVD/CVE DatabaseFix: Upgrade to `giskard-checks` >= 1.0.2b1. The patched version removes template rendering from rule evaluation entirely.
GitHub Advisory DatabaseFix: Upgrade to giskard-checks >= 1.0.2b1.
GitHub Advisory DatabaseFix: Update Kiro IDE to version 0.8.140 or later.
AWS Security BulletinsFix: Fixed in version 1.3.5. The patch includes: adding `--` argument terminators to all SSH/SCP invocations (which tells the command where options end and arguments begin), implementing a strict whitelist for host aliases that rejects leading dashes and shell metacharacters, requiring all host aliases to be defined in `~/.ssh/config` or `~/.ssh/known_hosts`, and resolving `ssh.exe`/`scp.exe` to absolute paths with `shell: false` on Windows to prevent command re-parsing. No workarounds exist; users must upgrade to 1.3.5.
GitHub Advisory DatabaseA man named Daniel Moreno-Gama was arrested after throwing a Molotov cocktail (an improvised incendiary weapon) at OpenAI CEO Sam Altman's home and later attacking OpenAI's headquarters. Moreno-Gama was motivated by concerns about AI posing an existential threat to humanity and had planned the attack in advance, as documented in a written statement found by police. Sam Altman responded by calling for reduced hostile rhetoric within the AI industry.
Fix: This vulnerability is fixed in version 4.14.10.4. Users should upgrade to FastGPT 4.14.10.4 or later.
NVD/CVE DatabaseFix: Fixed in v2.47.6, where all MCP session endpoints now require Bearer authentication (a token-based security method). If you cannot upgrade immediately, you can restrict network access using firewall rules, reverse proxy IP allowlists, or a VPN to allow only trusted clients. Alternatively, use stdio mode (MCP_MODE=stdio) instead of HTTP mode, since stdio transport does not expose HTTP endpoints and is not affected by this vulnerability.
GitHub Advisory DatabaseFix: Fixed in version 0.5.18. Users should update their `langsmith` package to 0.5.18 or later.
GitHub Advisory DatabasePraisonAI Agents has a security flaw where tool approval decisions are cached by tool name only, not by the specific command arguments. Once a user approves the `execute_command` tool (a function that runs shell commands) for any command like `ls -la`, all future shell commands in that session bypass the approval prompt entirely. Combined with the fact that all environment variables (including API keys and credentials) are passed to subprocesses, an LLM agent can silently steal sensitive data without asking permission again.