Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
OpenClaw versions before 2026.2.13 logged WebSocket request headers (like Origin and User-Agent) without cleaning them up, allowing attackers to inject malicious text into logs. If those logs are later read by an LLM (large language model, an AI system that processes text) for tasks like debugging, the attacker's injected text could trick the AI into doing something unintended (a technique called indirect prompt injection or log poisoning).
Fix: Upgrade to `openclaw@2026.2.13` or later. Alternatively, if you cannot upgrade immediately, the source mentions two workarounds: treat logs as untrusted input when using AI-assisted debugging by sanitizing and escaping them, and do not auto-execute instructions derived from logs; or restrict gateway network access and apply reverse-proxy limits on header size.
GitHub Advisory DatabaseSkill-scanner versions 1.0.1 and earlier have a vulnerability in their API Server (a network interface that lets external programs communicate with the software) where the server is incorrectly exposed to multiple network interfaces without proper authentication. An attacker could send requests to this server to cause a denial of service attack (making it unavailable by exhausting its resources) or upload files to unintended locations on the device.
OpenClaw's Slack integration had a vulnerability where Slack channel descriptions could be injected into the AI model's system prompt (the instructions that tell the AI how to behave). This allowed attackers to use prompt injection (tricking an AI by hiding instructions in its input) to potentially trigger unintended actions or expose data if tool execution was enabled.
OpenClaw had a vulnerability where its hook endpoint (`POST /hooks/agent`) accepted session keys (identifiers for conversation contexts) directly from user requests, allowing someone with a valid hook token to inject messages into any session they could guess or derive. This could poison conversations with malicious prompts that persist across multiple turns. The vulnerability affected versions 2.0.0-beta3 through 2026.2.11.
A Reflected XSS vulnerability (reflected XSS, where malicious code is injected through a URL parameter and executed in a user's browser) was found in Cloudflare Agents' AI Playground OAuth callback handler. An attacker could craft a malicious link that, when clicked, steals user chat history, LLM interactions, and could control connected MCP Servers (tools that extend what an AI can do) on behalf of the victim.
Milvus, a vector database (a specialized storage system for AI data) used in generative AI applications, had a security flaw in versions before 2.5.27 and 2.6.10 where it exposed port 9091 by default, allowing attackers to bypass authentication (security checks that verify who you are) in two ways: through a predictable default token on a debug endpoint, and by accessing the full REST API (the interface applications use to communicate with the database) without any password or login required, potentially letting them steal or modify data.
Cursor, a code editor designed for programming with AI, had a sandbox escape vulnerability in versions before 2.5 where a malicious agent (an attacker using prompt injection, which is tricking an AI by hiding instructions in its input) could write to unprotected .git configuration files, including git hooks (scripts that run automatically when Git performs certain actions). This could lead to RCE (remote code execution, where an attacker runs commands on a system they don't control) when those hooks were triggered, with no user action needed.
A reflected XSS vulnerability (a type of attack where malicious code is injected into a website and executed in a user's browser) was found in the AI Playground's OAuth callback handler (the code that processes login responses). The vulnerability allowed attackers to craft malicious links that, when clicked, could steal a user's chat history and access connected MCP servers (external services integrated with the AI system) on the victim's behalf.
FastGPT is an AI Agent building platform (software for creating AI systems that perform tasks) that has a security vulnerability in components like web page acquisition nodes and HTTP nodes (parts that fetch data from servers). The vulnerability allows potential security risks when these nodes make data requests from the server, but it has been addressed by adding stricter internal network address detection (checks to prevent unauthorized access to internal systems).
CVE-2026-1669 is a vulnerability in Keras (a machine learning library) versions 3.0.0 through 3.13.1 that allows attackers to read arbitrary files on a system by uploading a specially crafted model file that exploits HDF5 external dataset references (a feature of HDF5, a file format commonly used to store large amounts of numerical data). An attacker could use this to access sensitive information stored on the affected computer.
sf-mcp-server, a tool that connects Salesforce to Claude for Desktop, has a command injection vulnerability (CWE-78, a flaw where attackers inject malicious commands into user input). The vulnerability exists because the software unsafely uses child_process.exec (a function that runs shell commands) with user-controlled input, allowing attackers to execute arbitrary shell commands with the server's privileges.
LangChain's RecursiveUrlLoader (a web crawler that follows links across pages) had a security flaw in versions before 1.1.14 where its preventOutside option used weak URL comparison that attackers could bypass. An attacker could trick the crawler into visiting unintended domains by creating links with similar prefixes, or into accessing internal services like cloud metadata endpoints and private IP addresses that should be off-limits.
LangChain (a framework for building AI agents and applications powered by large language models) versions before 1.2.11 have a vulnerability where the ChatOpenAI.get_num_tokens_from_messages() method doesn't validate image URLs, allowing attackers to perform SSRF attacks (server-side request forgery, where an attacker tricks a server into making unwanted requests to other systems). This vulnerability was fixed in version 1.2.11.
FastGPT (an AI platform for building AI agents) versions 4.14.0 to 4.14.5 have a vulnerability where attackers can access the plugin system without authentication by directly calling certain API endpoints, potentially crashing the plugin system and causing users to lose their plugin installation data, though not exposing sensitive keys. This vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 6.9, which is considered medium severity.
CVE-2026-21523 is a time-of-check time-of-use (TOCTOU) race condition (a vulnerability where an attacker exploits the gap between when a system checks permissions and when it uses a resource) in GitHub Copilot and Visual Studio that allows an authorized attacker to execute code over a network. The vulnerability has not yet received a CVSS severity rating from NIST.
CVE-2026-21518 is a command injection vulnerability (a flaw where attackers can insert malicious commands into user input) in GitHub Copilot and Visual Studio Code that allows an unauthorized attacker to bypass security features over a network. The vulnerability stems from improper handling of special characters in commands. No CVSS severity score (a 0-10 rating of how serious a vulnerability is) has been assigned yet by NIST.
GitHub Copilot contains a command injection vulnerability (CVE-2026-21516), which is a flaw where special characters in user input are not properly filtered, allowing an attacker to execute code remotely on a system. The vulnerability was reported by Microsoft Corporation and has a CVSS score pending assessment.
CVE-2026-21257 is a command injection vulnerability (a flaw where attackers can insert malicious commands into an application) found in GitHub Copilot and Visual Studio that allows an authorized attacker to gain elevated privileges over a network. The vulnerability stems from improper handling of special characters in commands. As of the source date, a CVSS severity score (a 0-10 rating of how severe a vulnerability is) had not yet been assigned by NIST.
Fix: Update to Skill-scanner version 1.0.2 or later, which contains the fix for this vulnerability.
GitHub Advisory DatabaseFix: Upgrade to openclaw version 2026.2.3 or later. If you do not use the Slack integration, no action is required.
GitHub Advisory DatabaseFix: Update to OpenClaw version 2026.2.12 or later. The fix includes: rejecting the `sessionKey` parameter by default unless explicitly enabled with `hooks.allowRequestSessionKey=true`, adding a `hooks.defaultSessionKey` option for fixed routing, and adding `hooks.allowedSessionKeyPrefixes` to restrict which session keys can be used. The recommended secure configuration disables `allowRequestSessionKey`, sets `defaultSessionKey` to "hook:ingress", and restricts prefixes to ["hook:"].
GitHub Advisory DatabaseFix: Agents-sdk users should upgrade to agents@0.3.10. Developers using configureOAuthCallback with custom error handling should ensure all user-controlled input is escaped (converted to safe text that won't be interpreted as code) before being inserted into HTML. See PR: https://github.com/cloudflare/agents/pull/841
GitHub Advisory DatabaseFix: Update to Milvus version 2.5.27 or 2.6.10, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Fixed in version 2.5.
NVD/CVE DatabaseFix: Agents-sdk users should upgrade to agents@0.3.10. Developers using configureOAuthCallback with custom error handling should ensure all user-controlled input is escaped (converted to safe text that won't be interpreted as code) before interpolation (inserting it into the HTML). A patch is available at PR https://github.com/cloudflare/agents/pull/841.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 4.14.7. Update FastGPT to version 4.14.7 or later.
NVD/CVE DatabaseApple's iOS, macOS, tvOS, watchOS, and visionOS contain a buffer overflow vulnerability (a flaw where code writes data beyond the intended memory boundaries), which could allow an attacker with memory write access to run arbitrary code (any instructions they choose). This vulnerability is currently being actively exploited by attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Refer to Apple's support pages (https://support.apple.com/en-us/126346, https://support.apple.com/en-us/126348, https://support.apple.com/en-us/126351, https://support.apple.com/en-us/126352, https://support.apple.com/en-us/126353) for specific patch or mitigation details.
CISA Known Exploited VulnerabilitiesMicrosoft Configuration Manager has an SQL injection vulnerability (a type of attack where specially crafted input tricks a database into running unintended commands), allowing unauthenticated attackers to send malicious requests that could let them execute commands on the server or database. This vulnerability is currently being actively exploited by real attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA Known Exploited VulnerabilitiesFix: Update LangChain to version 1.1.14 or later, which fixes this vulnerability.
NVD/CVE DatabaseFix: Update LangChain to version 1.2.11 or later. The vulnerability is fixed in 1.2.11.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 4.14.5-fix. Users should upgrade to this patched version.
NVD/CVE Database