Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Coder's Azure identity verification has a critical flaw: it checks that a certificate comes from a trusted Azure authority but never verifies the actual PKCS#7 signature (a cryptographic stamp that proves data hasn't been tampered with). An attacker can forge identity data and steal session tokens that grant access to Git keys, OAuth tokens, and secrets. All Coder v2 versions are affected.
Fix: Update to patched versions: v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, or v2.24.5. If unable to patch immediately, reconfigure Azure templates to use token authentication instead of azure-instance-identity by setting `coder_agent.auth` to `'token'` and adding `CODER_AGENT_TOKEN=${coder_agent.main.token}` to the agent's environment variables.
Source: GitHub Advisory Database

PenPot's MCP REPL server binds to all network interfaces (`0.0.0.0:4403`) and exposes an unauthenticated `/execute` endpoint that runs arbitrary JavaScript code, allowing anyone on the network to achieve RCE (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability exists because the server's `listen` call omits a host argument, so it defaults to `0.0.0.0`, and the `/execute` endpoint performs no authentication check before executing user-supplied code.
Coder's Azure identity endpoint was vulnerable to SSRF (server-side request forgery, where an attacker tricks a server into making requests to unintended targets) because it accepted unsigned certificates and fetched arbitrary URLs without validation. An attacker could craft a fake certificate pointing to any internal or external address, forcing the Coder server to connect to it and reveal whether the target was reachable through error messages, enabling network reconnaissance and potential attacks on internal services.
9router, a tool for managing AI plugins, has a critical vulnerability where two unprotected API endpoints can be chained together to run arbitrary OS commands. The problem occurs because the authentication middleware (a security check) only protects 8 specific routes, while 40+ routes under `/api/cli-tools/*` and `/api/mcp/*` have no protection, allowing attackers with network access to register malicious commands and then trigger them without any credentials.
A domain allowlist (list of approved websites) in the Apify Model Context Protocol server is bypassed because it uses simple string prefix matching instead of proper URL validation. An attacker can create a fake subdomain like `https://docs.apify.com.evil.com/` that passes the check, allowing the tool to fetch arbitrary content from attacker-controlled servers and return it to the AI, which can lead to prompt injection (tricking the AI by hiding instructions in fetched content) and potential account compromise.
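The prefix-matching mistake described above, shown beside a hostname-based check. This is an added example, not the Apify server's code; `ALLOWED_HOSTS` is a constructed placeholder for whatever the real server permits, and the hardened check deliberately also accepts true subdomains so the difference from string-prefix matching is visible.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the server's real allowlist (assumption).
ALLOWED_HOSTS = {"docs.apify.com", "apify.com"}


def allowed_by_prefix(url: str) -> bool:
    """The flawed pattern: a string prefix test on the raw URL.
    Anything that *starts with* an allowed origin passes, including
    'https://docs.apify.com.evil.com/' and 'https://docs.apify.com@evil.com/'."""
    return any(url.startswith("https://" + host) for host in ALLOWED_HOSTS)


def allowed_by_host(url: str) -> bool:
    """Hardened check: parse the URL, then compare the parsed hostname
    against the allowlist on label boundaries, and require https."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port already split off
    if not host:
        return False
    host = host.rstrip(".")  # 'docs.apify.com.' names the same host
    if host in ALLOWED_HOSTS:
        return True
    # Accept real subdomains only: the match must end at a dot boundary,
    # so 'docs.apify.com.evil.com' does not end with '.apify.com'.
    return any(host.endswith("." + allowed) for allowed in ALLOWED_HOSTS)
```

The parsed `hostname` is what the HTTP client will actually connect to, so that is the value to compare; the raw string can carry userinfo (`user@`), a port, or extra labels that the prefix test never sees.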
Envoy AI Gateway has a vulnerability where it improperly parses JSON-RPC messages (a protocol for remote procedure calls) in a case-insensitive way, even though the specification requires case-sensitive matching. This allows attackers to send messages with duplicate fields using different capitalization (like 'name' and 'Name'), causing the gateway to alter and forward a different request than what was originally sent, potentially bypassing security checks in systems that use this gateway.
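A strict parser for the situation described above, as an added example that is not Envoy AI Gateway's code. `lenient_param` is a constructed model of the flawed behaviour (case-insensitive lookup, last match wins), used only to show how a gateway's view of a request can diverge from a spec-conforming upstream's view; the sample request is constructed.

```python
import json
from typing import Any

# Constructed sample: two members that differ only in case.
SMUGGLED_REQUEST = (
    '{"jsonrpc":"2.0","id":7,"method":"tools/call",'
    '"params":{"name":"read_file","Name":"delete_file"}}'
)


class JsonRpcError(ValueError):
    """Raised when a message is rejected before it is forwarded."""


def _reject_duplicate_members(pairs):
    """object_pairs_hook for json.loads: refuse any object (at any depth) that
    repeats a member name, comparing names case-insensitively so 'name' and
    'Name' cannot coexist. Names are otherwise kept exactly as sent."""
    seen = set()
    obj = {}
    for key, value in pairs:
        folded = key.casefold()
        if folded in seen:
            raise JsonRpcError(f"duplicate member name (case-insensitive): {key!r}")
        seen.add(folded)
        obj[key] = value
    return obj


def parse_jsonrpc_strict(raw: str) -> dict:
    """Parse a JSON-RPC 2.0 request, matching member names case-sensitively
    as the spec requires and failing closed on ambiguous objects."""
    try:
        msg = json.loads(raw, object_pairs_hook=_reject_duplicate_members)
    except json.JSONDecodeError as exc:
        raise JsonRpcError(f"malformed JSON: {exc}") from exc
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        raise JsonRpcError("not a JSON-RPC 2.0 request object")
    if not isinstance(msg.get("method"), str):
        raise JsonRpcError("missing or non-string 'method'")
    return msg


def is_forwardable(raw: str) -> bool:
    try:
        parse_jsonrpc_strict(raw)
        return True
    except JsonRpcError:
        return False


def lenient_param(raw: str, name: str) -> Any:
    """Constructed model of the flaw: case-insensitive lookup, last match wins."""
    found = None
    for key, value in json.loads(raw).get("params", {}).items():
        if key.casefold() == name.casefold():
            found = value
    return found


def strict_param(raw: str, name: str) -> Any:
    """What a spec-conforming upstream sees: the exact member name only."""
    return json.loads(raw).get("params", {}).get(name)
```

Rejecting case-colliding names goes slightly beyond the spec, which treats `name` and `Name` as distinct members; for a gateway whose job is to inspect and forward, refusing the ambiguous message is the safer choice, because any component that matches case-insensitively would otherwise authorise one value and pass along another.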
A security flaw in n8n (a workflow automation tool) allowed authenticated users to bypass restrictions on which websites could receive sensitive credentials, potentially exposing them. The vulnerability was in an endpoint (a URL that accepts requests) that didn't properly check the intended security rules before sending data to external servers.
The `download_media` and `auth_fetch` tools in auth-fetch-mcp accept any URL without validation, allowing an attacker (via prompt injection or a malicious MCP client) to make the server fetch from private or internal services like cloud metadata endpoints or localhost, and then exfiltrate the response data. The `download_media` tool makes this worse by saving fetched content to disk where it can be read and stolen.
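The resolve-then-reject guard that the fix note for this entry describes (parse the URL, resolve the host to an IP, reject private, loopback and link-local ranges), as an added example that is not auth-fetch-mcp's code. `BLOCKED_HOSTNAMES`, the stub resolver in the test and the hostnames it returns are constructed; the resolver is injectable so the check runs offline.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames that a tool should never fetch on a model's behalf, regardless of
# what they resolve to (constructed list; extend it for your environment).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _is_non_public(ip) -> bool:
    """True for loopback, RFC 1918/ULA private, link-local (169.254/16 holds
    the cloud metadata endpoint), multicast, reserved and unspecified addresses."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _system_resolve(host: str) -> list[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_fetch_target(url: str,
                       resolve: Optional[Callable[[str], Iterable[str]]] = None
                       ) -> Tuple[bool, str]:
    """Decide whether a tool may fetch `url`. Returns (allowed, reason).

    `resolve` maps a hostname to its IP addresses; it defaults to the system
    resolver and is injectable so the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased; userinfo and port stripped
    if not host:
        return False, "URL has no host"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is blocklisted"
    try:
        # Literal IPv4/IPv6 in the URL: check it directly, no DNS involved.
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            resolver = resolve or _system_resolve
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, KeyError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} resolved to no addresses"
    # Every address must be public: one private record is enough to reach an
    # internal service, so reject on any hit.
    for ip in addresses:
        if _is_non_public(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"
```

Two caveats for anyone adopting this shape: the fetch must connect to the address that was vetted (or re-run the check inside the connection step), otherwise a name that changes between the check and the connect slips through; and every redirect hop needs the same check, since a public host can redirect to `http://169.254.169.254/` just as easily as the original URL could.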
An attacker published malicious code in guardrails-ai version 0.10.1 on PyPI (a package repository where developers download Python libraries), but PyPI removed it within 2 hours and found no evidence that user data was stolen through this compromise. This is an example of a supply chain attack, where someone tries to harm users by corrupting a widely-used software package.
MLflow version 3.9.0 has a vulnerability in its Assistant feature where /ajax-api endpoints don't properly validate the origin (the source website making a request). This allows an attacker on a malicious webpage to send cross-origin requests (requests from a different domain) to trick the MLflow Assistant running on a victim's computer, bypass security restrictions meant to only allow local access, and execute arbitrary commands (run any code they choose) through the Claude Code sub-agent.
MLflow versions before 3.11.0 create temporary directories with overly permissive access permissions (world-writable or group-writable), allowing local attackers to modify model files and execute arbitrary code when those files are loaded. This is especially dangerous in shared environments like Databricks where multiple users access the same network storage.
NiceGUI has a vulnerability in two routes (resource and ESM module routes) that serve files without authentication. If a request tries to access a directory instead of a file through these routes, it causes an unhandled error that writes a large traceback (around 100 lines) to the server log. An attacker can repeatedly trigger this to fill up disk space, overload logging systems, and create false alarms in monitoring without needing any special access.
NiceGUI's `ui.restructured_text()` function renders user-supplied reStructuredText using Docutils without disabling file insertion directives, allowing attackers to read local files accessible to the server using standard Docutils directives like `include` and `raw`. This vulnerability only affects applications that pass untrusted or user-controlled content to this function, not those using only static trusted strings.
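Applying the Docutils `settings_overrides` that the fix note for this entry names (`file_insertion_enabled`, `raw_enabled`, `_disable_config`), and checking that an `include` directive can no longer pull a local file into the output. This is an added example, not NiceGUI's code; it assumes Docutils is installed for the render path, and the sentinel file and marker are constructed.

```python
import io
import os
import tempfile

# The settings_overrides from the advisory's fix: block `include`, `raw` and
# `csv-table :file:`, and ignore any local docutils.conf that could re-enable them.
SAFE_OVERRIDES = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
    "_disable_config": True,
}


def docutils_available() -> bool:
    try:
        import docutils.core  # noqa: F401
        return True
    except ImportError:
        return False


def render_untrusted_rst(text: str, overrides: dict = SAFE_OVERRIDES) -> str:
    """Render reStructuredText to an HTML body fragment with the given Docutils
    settings. System messages go to an in-memory stream instead of stderr."""
    from docutils.core import publish_parts
    settings = {"warning_stream": io.StringIO(), **overrides}
    return publish_parts(source=text, writer_name="html",
                         settings_overrides=settings)["body"]


def include_leaks_file(overrides: dict) -> bool:
    """Demonstration: write a file containing a constructed marker, ask Docutils
    to `include` it, and report whether the marker shows up in the output."""
    marker = "SECRET-MARKER-4f2a"
    with tempfile.NamedTemporaryFile("w", suffix=".rst", delete=False) as fh:
        fh.write(marker + "\n")
        path = fh.name
    try:
        html = render_untrusted_rst(f".. include:: {path}\n", overrides)
    finally:
        os.unlink(path)
    return marker in html
```

With the overrides in place, Docutils replaces the directive with a system message reading `"include" directive disabled.` rather than the file's contents; with Docutils defaults, the marker is rendered as a paragraph, which is the behaviour the advisory describes.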
OpenTelemetry eBPF Instrumentation (OBI) contains an integer overflow vulnerability in its memcached protocol parser that allows a remote attacker to crash the OBI process. When parsing memcached storage commands, the parser accepts extremely large byte values without checking if adding the delimiter length will overflow, causing a negative value that triggers a runtime panic (a sudden crash caused by an error the program cannot recover from).
Malformed MongoDB wire messages can crash the OpenTelemetry eBPF Instrumentation telemetry agent through uncaught panics in its MongoDB parser, allowing remote attackers to cause denial of service. The parser checks attacker-controlled network data without fully validating it first, so a single crafted message can stop telemetry collection until the agent restarts.
OpenTelemetry eBPF Instrumentation has a memory leak in its `CappedConcurrentHashMap` class, which is used to track Java TLS connections. When entries are deleted from the map, the keys are not removed from an internal queue, causing the queue to grow indefinitely in systems with many short-lived connections. This can eventually cause the Java process to run out of memory.
Claude HUD versions up to 0.0.12 contain a command injection vulnerability (a security flaw where an attacker can trick a program into running harmful commands) that affects Windows systems. An attacker with local access can manipulate the COMSPEC environment variable (a Windows setting that specifies which command interpreter to use) before the software checks its version, causing it to run malicious code with system permissions.
Claude HUD versions up to 0.0.12 contain a path traversal vulnerability (a flaw where attackers can access files outside intended directories by manipulating file paths) that lets attackers read any file the program can access by sending a malicious transcript_path value. Additionally, the vulnerability creates a cache file with weak permissions that records which files were accessed, leaving evidence even after the program stops running.
Claude HUD version 0.0.12 and earlier has a vulnerability where it creates terminal hyperlinks (clickable links in terminal windows) using user-controlled data without properly cleaning it first, allowing attackers to inject malicious terminal codes (ANSI codes, which control formatting and behavior in terminals) that could change text colors, fake command prompts, steal clipboard data, or redirect users to attacker-controlled websites.
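A sanitiser for the hyperlink case described above, as an added example that is not Claude HUD's code. It strips C0/C1 control characters from untrusted label text and only builds an OSC 8 link when the URL is printable ASCII with an http(s) scheme; the sample URLs and hosts are constructed.

```python
import re
from typing import Optional

# C0 controls, DEL and C1 controls. ESC (0x1b) and BEL (0x07) open and close
# CSI/OSC sequences; 0x9b and 0x9d are their single-byte C1 equivalents on
# terminals that accept 8-bit controls.
_TERMINAL_CONTROL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")

# Constructed sample: a URL that tries to close the link early and open its own.
INJECTED_URL = "https://example.com/\x1b]8;;https://evil.example\x1b\\"


def sanitize_terminal_text(text: str) -> str:
    """Remove every control character from untrusted text bound for a terminal.
    Residue such as '[31m' may stay visible, but without ESC it is inert."""
    return _TERMINAL_CONTROL.sub("", text)


def safe_hyperlink_url(url: str) -> Optional[str]:
    """Accept only http(s) URLs made of printable ASCII. An OSC 8 sequence ends
    at BEL or ESC \\, so a control byte inside the URL could close the sequence
    and let the remainder run as the terminal's own escape codes."""
    if sanitize_terminal_text(url) != url:
        return None
    if not re.fullmatch(r"https?://[\x21-\x7e]+", url):
        return None
    return url


def terminal_hyperlink(url: str, label: str) -> str:
    """Build an OSC 8 hyperlink: ESC ] 8 ; ; <url> ESC \\ <label> ESC ] 8 ; ; ESC \\.
    Falls back to the plain sanitised label when the URL is rejected."""
    safe_label = sanitize_terminal_text(label)
    safe_url = safe_hyperlink_url(url)
    if safe_url is None:
        return safe_label
    return f"\x1b]8;;{safe_url}\x1b\\{safe_label}\x1b]8;;\x1b\\"
```

Whitelisting printable ASCII for the URL is stricter than what terminals require, but it rules out every control byte in one rule, and a URL that needs anything else can be percent-encoded by the caller first.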
OpenTelemetry eBPF Instrumentation (OBI) has a memory disclosure vulnerability: when a CPU mismatch makes the system fall back to a 256-byte buffer, it still tries to read up to 8KB of data from it, reading beyond the buffer's boundaries and leaking adjacent memory into telemetry (data about system performance). This happens in the HTTP tracing path when context propagation is enabled and certain conditions are met.
Fix (Coder Azure identity SSRF): Fixed in PR #25274 (commit 57b11d405). Upgrade to patched versions: v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, or v2.24.5 (ESR), depending on your release line.
Source: GitHub Advisory Database

Fix (n8n): The issue has been fixed in n8n version 2.20.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should restrict n8n access to fully trusted users only and limit credential sharing to users who genuinely require access to those credentials, though these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Source: GitHub Advisory Database

Fix (auth-fetch-mcp): The advisory describes the shape of the fix but provides no implementation or version update: 'after URL parsing, resolve to IP, reject if private/loopback/link-local. Same defense as the well-known SSRF-guard pattern shipped by other MCP fetchers in the ecosystem (e.g., `Akitaroh/scraper-mcp` `src/security/url-guard.ts`).' No patched version, release number, or completed code fix is given.
Source: GitHub Advisory Database

Fix (guardrails-ai): Downgrade to guardrails-ai==0.10.0, which is unaffected. Alternatively, install from GitHub using `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`. If you installed 0.10.1, rotate all credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories. Snowglobe and Guardrails Hub users should rotate API keys before 2:00 PM Pacific on May 13, 2026, when all existing keys will be invalidated.
Source: GitHub Advisory Database

Fix (MLflow Assistant): Update to MLflow version 3.10.0, where this issue is resolved.
Source: NVD/CVE Database

Fix (MLflow temporary directories): Update MLflow to version 3.11.0 or later.
Source: NVD/CVE Database

Fix (NiceGUI unauthenticated resource and ESM routes): The advisory lists three workarounds for deployments unable to upgrade immediately: (1) Place NiceGUI behind a reverse proxy that rejects requests where the path after `/_nicegui/<version>/esm/<key>/` or `/_nicegui/<version>/resources/<key>/` is empty. (2) Rate-limit the `/_nicegui/` prefix at the proxy. (3) Configure log rotation aggressively for the affected service. For a permanent fix, upgrading NiceGUI is recommended, though no specific patched version is mentioned in the source.
Source: GitHub Advisory Database

Fix (NiceGUI `ui.restructured_text()`): Disable unsafe Docutils features by modifying the `publish_parts()` call in `prepare_content()` to include these `settings_overrides`: `'file_insertion_enabled': False`, `'raw_enabled': False`, and `'_disable_config': True`. This blocks the `include`, `csv-table :file:`, and `raw :file:` directives as well as local `docutils.conf` overrides.
Source: GitHub Advisory Database

Fix (OpenTelemetry eBPF Instrumentation MongoDB parser): The bounds-check panics affecting versions v0.1.0 through v0.3.0 were fixed by commit `3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb` (`Fix MongoDB client panic`), which first appears in release `v0.4.0`. However, the unchecked BSON type assertion panic affecting versions v0.1.0 through v0.8.0 remains unfixed as of the advisory date.
Source: GitHub Advisory Database

Fix (Claude HUD): The vulnerability was patched in commit 234d9aa. Users should update to a version after 0.0.12 that includes this patch.
Source: NVD/CVE Database

Fix (Claude HUD): The vulnerability was patched in commit 234d9aa. Users should update to a version containing this commit or later.
Source: NVD/CVE Database

Fix (Claude HUD): Patched in commit 234d9aa.
Source: NVD/CVE Database