Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
OpenTelemetry eBPF Instrumentation (OBI) exports unfiltered error messages from Redis directly into span status messages, which are then sent to telemetry backends (systems that collect and store trace data). This means sensitive information like tokens or passwords that appear in Redis errors could be leaked into monitoring systems, and attackers could inject malicious text into these systems.
OpenTelemetry eBPF Instrumentation (OBI) has a vulnerability where its ELF parser (a tool that reads executable file formats) blindly trusts offsets and metadata from binary files without checking if they're valid. A malicious or corrupted executable can cause OBI to crash when it tries to analyze what programming language a process uses, disrupting monitoring for other applications on the system.
Three Mistral AI npm packages (@mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp) were compromised in a supply chain attack (where malicious code is inserted into legitimate software dependencies) between May 11 and 12. However, the malicious code, called a dropper (a program designed to download and execute harmful payloads), was broken and failed to run because it referenced the wrong filename. The affected versions have been removed from npm.
Version 2.4.6 of the mistralai package on PyPI contained malicious code that runs when the package is imported on Linux systems. The malicious code downloads and executes a file from a remote server, and versions 2.4.5 and earlier are not affected.
In n8n-mcp (a tool that bridges AI agents to n8n workflow automation) running in multi-tenant mode, requests missing tenant identification headers would fall back to using the operator's own n8n credentials, allowing an authenticated tenant to access or modify the operator's workflows and data instead of their own. This only affects shared multi-tenant deployments, not single-tenant setups.
ChromaDB (a Python project for storing AI embeddings) versions 1.0.0 and later contain a code injection vulnerability that lets unauthenticated attackers run arbitrary code on the server by sending a malicious model repository with a specific setting enabled to a particular API endpoint. The vulnerability has a CVSS score (a 0-10 severity rating) of 10.0, marking it as critical.
A path traversal vulnerability (a type of attack where an attacker manipulates file paths to access files outside the intended directory) was found in fishaudio Bert-VITS2, specifically in the generate_config function of the Gradio Interface (a web-based tool for interacting with AI models). The vulnerability can be triggered remotely by manipulating the data_dir argument, and the exploit is now publicly known.
Open WebUI, a self-hosted AI platform that runs offline, had a security flaw in versions before 0.9.5 where it only checked the first URL a user submitted but did not check where that URL redirected to (HTTP redirects are automatic forwards to different addresses). This meant authenticated users could trick the system into accessing internal addresses such as 127.0.0.1 (the loopback address) or 169.254.169.254 (the link-local address used by cloud instance metadata services) and read sensitive data from those internal systems.
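The check the Open WebUI entry above describes as missing, shown as an added example rather than Open WebUI's own code: every hop of a redirect chain is resolved and tested against loopback, private and link-local ranges before it is followed, not only the URL the user typed. The DNS resolver, HTTP transport, host names and responses are constructed stand-ins so the code runs offline; a deployment would inject real resolution and an HTTP client in their place.

```python
"""Redirect-aware SSRF guard. Added illustration, not Open WebUI's code.
Resolver and transport are injected so the example runs offline on constructed data."""
import ipaddress
from urllib.parse import urljoin, urlparse

# Address ranges a user-supplied URL must never reach, directly or through a redirect.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_CODES = (301, 302, 303, 307, 308)


class BlockedURL(Exception):
    """Raised when a URL (or any hop it redirects to) points at a blocked address."""


def is_blocked_address(text):
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 is still loopback
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_url(url, resolver):
    """Reject non-HTTP schemes and hosts whose *resolved* addresses fall in a blocked range."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {url}")
    host = parts.hostname
    if not host:
        raise BlockedURL(f"no host in URL: {url}")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        addrs = resolver(host)  # every answer must pass, not just the first one
    if not addrs:
        raise BlockedURL(f"host does not resolve: {host}")
    for addr in addrs:
        if is_blocked_address(addr):
            raise BlockedURL(f"{url} resolves to blocked address {addr}")


def fetch_following_redirects(url, transport, resolver, max_hops=5):
    """Fetch `url`, re-validating at every redirect hop. Returns (status, body, hops)."""
    hops = []
    for _ in range(max_hops + 1):
        check_url(url, resolver)  # validated on every hop, not only hop 0
        hops.append(url)
        status, headers, body = transport(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative to the current URL
            continue
        return status, body, hops
    raise BlockedURL(f"more than {max_hops} redirects")


# Constructed offline stand-ins for DNS and HTTP (hypothetical hosts and responses).
FAKE_DNS = {"files.example.com": ["93.184.216.34"],
            "redirector.example.net": ["203.0.113.10"]}
FAKE_WEB = {
    "https://files.example.com/doc.pdf": (200, {}, b"%PDF-1.7 constructed"),
    "https://redirector.example.net/hop": (302, {"Location": "/open"}, b""),
    "https://redirector.example.net/open":
        (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url):
    return FAKE_WEB.get(url, (404, {}, b""))


def safe_fetch(url, transport=fake_transport, resolver=fake_resolver):
    """Result dict instead of an exception, convenient for callers and tests."""
    try:
        status, body, hops = fetch_following_redirects(url, transport, resolver)
        return {"ok": True, "status": status, "body": body, "hops": hops}
    except BlockedURL as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    for u in ("https://files.example.com/doc.pdf",
              "https://redirector.example.net/hop",
              "http://[::ffff:127.0.0.1]/"):
        print(u, "->", safe_fetch(u))
```

The second sample chain passes the first two checks and is only stopped when the final Location points at the metadata address, which is exactly the hop a first-URL-only check never sees. Resolving the host at check time and then connecting separately still leaves a DNS rebinding window; pinning the connection to the validated address closes it, but that is outside what this example shows.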
Open WebUI, a self-hosted AI platform that runs offline, had a vulnerability before version 0.9.0 where certain API endpoints (like /api/generate and /api/embeddings) accepted any model name from users and sent requests to the backend without checking if those users had permission to use that model. The endpoints only verified that a user was logged in and that the model existed, but skipped the access control check (AccessGrants.has_access(), which determines what resources a user is allowed to access).
Open WebUI, a self-hosted AI platform that runs offline, had a security flaw in versions before 0.9.0 where the /responses endpoint allowed any logged-in user to access any model on the system without proper permission checks. While the main chat endpoint verified that users had the right to use specific models through ownership, group membership, and access grants, the /responses proxy skipped these checks and only confirmed the user was logged in, letting attackers use models they shouldn't have access to.
Budibase's AI Extract File automation step has a server-side request forgery vulnerability (SSRF, a type of attack where a server makes requests to internal addresses it shouldn't access) because it uses `fetch()` directly without IP blacklist validation. Every other automation step in the same codebase properly uses `fetchWithBlacklist()` to block requests to internal networks like 127.0.0.1 and 169.254.169.254, but the AI step bypasses these protections, allowing authenticated users to access cloud metadata, scan internal networks, and potentially steal credentials.
Microsoft APM is a tool that manages dependencies for AI agents, and versions before 0.13.0 have a security flaw on Windows systems. When installing a bundle (a package of code) from a .tar.gz file (a compressed archive format), the tool extracts files without properly checking if any file paths could escape the intended folder, potentially allowing an attacker to place files anywhere on the system by using absolute paths like D:/.
Microsoft APM, a dependency manager for AI agents, had a vulnerability in versions 0.5.4 to 0.12.4 where symbolic links (shortcuts that point to other files) in downloaded packages were followed without checking, potentially allowing attackers to read or write arbitrary files on a developer's machine. The vulnerability went undetected by security checks because the resulting files were not flagged by the package hash verification, security scans, or audit tools.
Microsoft APM is a tool that manages dependencies (external code libraries) for AI agents. Before version 0.8.12, it had a path traversal vulnerability (a security flaw where an attacker can access files outside the intended directory) that allowed malicious plugins to copy arbitrary files from a user's computer during installation by using absolute paths or '../' sequences to escape the plugin directory.
Pipecat's development runner has a path traversal vulnerability (a flaw that lets attackers access files outside the intended directory) in its `/files` endpoint. An attacker can use URL-encoded slashes (`%2F` instead of `/`) to bypass Starlette's (the web framework) security checks and read any file accessible to the Pipecat process, such as SSH keys or system files, without needing credentials.
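The three Microsoft APM items and the Pipecat item above are all containment failures: an archive member whose name or link target escapes the install directory, and a request path that is compared before percent-decoding. The following added example (not APM's or Pipecat's code) shows one containment helper serving both cases: a tar member audit that rejects absolute paths including Windows drive forms, parent traversal and symlinks pointing outside the root, and a file-endpoint path resolver that decodes `%2F` and friends before checking where the path lands. The root directories and archive members are constructed and nothing is written to disk.

```python
"""Path-containment checks for archive extraction and for a file-serving endpoint.
Added example, not APM's or Pipecat's code. Roots and members are constructed."""
import os
import posixpath
import re
import tarfile
from urllib.parse import unquote

WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:")   # "D:/..." is absolute even when checked on POSIX
ROOT_PLUGINS = "/opt/apm-plugins"            # hypothetical install root
ROOT_FILES = "/srv/pipecat-files"            # hypothetical directory behind a /files endpoint


def within_root(root, candidate):
    """True if `candidate` resolves to `root` or somewhere below it (symlinks resolved)."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return candidate == root or candidate.startswith(root + os.sep)


def archive_member_problem(root, member):
    """Return None if the tar member may be written under `root`, else the reason."""
    name = member.name.replace("\\", "/")
    if posixpath.isabs(name) or WINDOWS_DRIVE.match(name):
        return "absolute path"
    parts = [p for p in name.split("/") if p]
    if ".." in parts:
        return "parent traversal"
    if member.issym() or member.islnk():
        link = member.linkname.replace("\\", "/")
        if posixpath.isabs(link) or WINDOWS_DRIVE.match(link):
            return "link to absolute path"
        # Resolve the link target relative to the member's own directory inside the archive.
        target = posixpath.normpath(posixpath.join(posixpath.dirname(name), link))
        if target == ".." or target.startswith("../"):
            return "link escapes root"
    if not within_root(root, os.path.join(root, *parts)):
        return "escapes root"
    return None


def audit_archive(root, members):
    """Map each member name to 'ok' or its rejection reason; nothing is extracted."""
    return {m.name: (archive_member_problem(root, m) or "ok") for m in members}


def resolve_served_path(root, url_path):
    """Map a request path under a /files style endpoint to a filesystem path, or None."""
    decoded = unquote(url_path)   # %2F -> "/", %2E -> ".": check what the OS will see
    if "\x00" in decoded:
        return None
    parts = [p for p in decoded.replace("\\", "/").split("/") if p]
    candidate = os.path.realpath(os.path.join(os.path.realpath(root), *parts))
    return candidate if within_root(root, candidate) else None


def constructed_members():
    """Tar members built in memory to exercise each rule (constructed, not from a real bundle)."""
    def info(name, link=None):
        m = tarfile.TarInfo(name)
        if link is not None:
            m.type = tarfile.SYMTYPE
            m.linkname = link
        return m
    return [
        info("bundle/agent.md"),
        info("/etc/cron.d/job"),
        info("D:/Users/Public/run.bat"),
        info("bundle/../../escape.txt"),
        info("bundle/link", link="../../../etc/passwd"),
        info("bundle/alias", link="agent.md"),
    ]


if __name__ == "__main__":
    for name, verdict in audit_archive(ROOT_PLUGINS, constructed_members()).items():
        print(f"{verdict:22s} {name}")
    for p in ("reports%2F2024.txt", "..%2F..%2Fetc%2Fpasswd", "%2e%2e/%2e%2e/etc/passwd"):
        print(p, "->", resolve_served_path(ROOT_FILES, p))
```

The audit runs over the member list before any extraction, so a rejected member aborts the whole install rather than leaving a half-written bundle. The resolver's contract is the important part for the Pipecat case: the containment decision is made on the fully decoded, realpath-resolved name, which is the only form the filesystem ever sees.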
MLflow (an open-source platform for managing machine learning workflows) versions 3.9.0 and earlier have a security flaw where certain API endpoints don't require authentication even when the server is set up with authentication enabled. This happens because the authentication check only protects `/gateway/` routes, leaving other endpoints like the Job API and trace ingestion API unprotected, allowing attackers to submit jobs, view results, and inject fake data without logging in.
libyang is a library for working with YANG (a data modeling language used in network configuration). Before version 5.2.15, the lyb_read_string() function had an integer overflow vulnerability (where a number calculation wraps around and causes unexpected behavior), which could lead to a heap buffer overflow (writing data past the end of allocated memory) when processing malicious LYB binary data. An attacker who can send LYB data to systems using libyang could crash the program or corrupt memory.
A vulnerability in the python-utcp library exposed all environment variables (including secrets like API keys and database passwords) to subprocesses because the `_prepare_environment()` function copied the entire host environment. When combined with a command injection flaw (CWE-78, where an attacker can sneak malicious commands into tool arguments), an attacker could steal sensitive credentials like AWS keys, database connection strings, and LLM API keys in a single tool call.
The @utcp/http package has a Server-Side Request Forgery vulnerability (SSRF, a bug that tricks a server into making requests to internal networks it shouldn't access) because it doesn't properly check URLs when converting OpenAPI specifications (a standard format for describing APIs). An attacker can host a malicious OpenAPI spec that declares internal server addresses like 127.0.0.1 or cloud metadata endpoints, allowing them to read sensitive credentials or reach internal services. The vulnerability affects versions 1.1.1 and earlier.
DeepSeek TUI has a security flaw where the `task_create` tool (which spawns sub-agents that perform work independently) defaults to allowing shell access (`allow_shell=true`) and auto-approving commands (`auto_approve=true`) without explicit user permission. An attacker can hide malicious instructions in project files, and when a user approves what looks like a simple task (like 'fix TODOs'), the spawned sub-agent silently executes the attacker's shell commands with no additional approval prompt.
Fix: 1. Stop using the affected package versions immediately (2.2.2, 2.2.3, 2.2.4 for @mistralai/mistralai; 1.7.1, 1.7.2, 1.7.3 for @mistralai/mistralai-azure and @mistralai/mistralai-gcp). 2. Clean systems where these packages were installed. Check your installed versions using 'npm ls' or by searching your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock) for the affected version numbers. Also check build artifacts, container images, and package caches for the malicious files: router_init.js, tanstack_runner.js, or @tanstack/setup package.json. (Source: GitHub Advisory Database)
Fix: Pin mistralai to version 2.4.5 or earlier. The source text states: 'Pin mistralai to 2.4.5 or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. git+https://github.com/mistralai/client-python.git@v2.4.5.' Additionally, on affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward. (Source: GitHub Advisory Database)
Fix: Fixed in n8n-mcp 2.51.2. The fix rejects requests without proper tenant headers at the HTTP edge with a 400 error before processing, prevents the system from using fallback operator credentials when in multi-tenant mode, and blocks secondary leaks in health checks and other handlers. Upgrade via 'npx n8n-mcp@latest' (NPM) or 'docker pull ghcr.io/czlonkowski/n8n-mcp:latest' (Docker). Workarounds if upgrading immediately is not possible: disable multi-tenant mode and run separate instances per tenant, use a proxy to reject requests missing both tenant headers, or restrict the operator API key to minimum required permissions if your n8n supports scoping (Enterprise or compatible Community Edition builds). (Source: GitHub Advisory Database)
Fix: This vulnerability is fixed in 0.9.5. (Source: NVD/CVE Database)
Fix: The vulnerability is fixed in version 0.9.0. (Source: NVD/CVE Database)
Fix: This vulnerability is fixed in 0.9.0. (Source: NVD/CVE Database)
Fix: This vulnerability is fixed in version 0.13.0. (Source: NVD/CVE Database)
Fix: This vulnerability is fixed in version 0.13.0. (Source: NVD/CVE Database)
Fix: This vulnerability is fixed in version 0.8.12. Users should update Microsoft APM to 0.8.12 or later. (Source: NVD/CVE Database)
Fix: This vulnerability is fixed in version 3.10.0. Users should upgrade mlflow to version 3.10.0 or later. (Source: NVD/CVE Database)
Fix: This vulnerability is fixed in version 5.2.15. Update libyang to version 5.2.15 or later. (Source: NVD/CVE Database)
Fix: Upgrade to utcp-cli version 1.1.2 or later. The patch changes `_prepare_environment()` to use a controlled allowlist of environment variables instead of copying everything. Users can configure which variables are inherited via a new `CliCallTemplate.inherit_env_vars` field: set it to `null` (default, uses a safe OS-specific allowlist like PATH and HOME), `[]` (strict mode, nothing inherited), or specify exact variable names like `["FOO", "BAR"]`. Sensitive variables like `OPENAI_API_KEY` no longer reach subprocesses unless explicitly allowed. (Source: GitHub Advisory Database)
Fix: Upgrade to @utcp/http version 1.1.2 or later. The fix adds a new security helper that validates URLs in three places: during manual discovery registration, before tool invocation, and when converting OpenAPI specs. It also fixes a prefix-bypass bug by using proper hostname-based validation instead of simple text matching. If you cannot upgrade immediately, the source lists these workarounds: do not call registerManual() with URLs controlled by untrusted parties, and restrict outbound network access from the agent host so internal addresses (RFC1918 ranges, 169.254.0.0/16, and loopback addresses) cannot be reached. (Source: GitHub Advisory Database)
Fix: The source text provides explicit mitigations: (1) Change `config.rs:1499` to default `allow_shell` to `false` instead of `true` by replacing `self.allow_shell.unwrap_or(true)` with `self.allow_shell.unwrap_or(false)`. (2) Change `task_manager.rs:297` to default `auto_approve` to `None` instead of `Some(true)`, so it does not inherit the session setting. (3) When the model requests `task_create` with `allow_shell=true`, display that fact in the approval prompt so the user knows they are granting shell access. (Source: GitHub Advisory Database)
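The utcp-cli fix above describes three modes for `inherit_env_vars` (`null` for a safe OS-specific allowlist, `[]` for nothing, or an explicit list of names). The following added example models those semantics in plain Python to show what changes for the child process; it is not utcp's implementation, the default allowlist contents are an assumption, and the host environment with its fake secrets is constructed.

```python
"""Environment allowlisting for tool subprocesses, modelled on the three modes the
advisory describes. Added example, not utcp's code; HOST_ENV is constructed."""
import json
import os
import subprocess
import sys

# Assumed minimal set a child needs to start at all; a real default would be tuned per OS.
DEFAULT_ALLOWLIST = {
    "posix": ("PATH", "HOME", "LANG", "LC_ALL", "TERM", "TMPDIR", "USER"),
    "nt": ("PATH", "PATHEXT", "SYSTEMROOT", "COMSPEC", "TEMP", "TMP", "USERPROFILE"),
}


def prepare_environment(inherit_env_vars=None, extra_env=None, host_env=None, platform=None):
    """Build a child environment from an allowlist instead of copying the host environment.

    inherit_env_vars: None -> OS default allowlist; [] -> strict, nothing inherited;
                      [...] -> exactly those names (only the ones actually set on the host).
    extra_env: values the tool definition itself supplies; applied last.
    """
    host_env = os.environ if host_env is None else host_env
    platform = os.name if platform is None else platform
    if inherit_env_vars is None:
        names = DEFAULT_ALLOWLIST.get(platform, DEFAULT_ALLOWLIST["posix"])
    else:
        names = tuple(inherit_env_vars)
    env = {name: host_env[name] for name in names if name in host_env}
    env.update(extra_env or {})
    return env


def withheld_names(host_env, child_env):
    """Names set on the host but deliberately not passed on; useful for an audit log."""
    return sorted(set(host_env) - set(child_env))


def child_visible_names(child_env):
    """Spawn a Python child with `child_env` and return the variable names it really sees."""
    out = subprocess.run(
        [sys.executable, "-c", "import os, json; print(json.dumps(sorted(os.environ)))"],
        env=child_env, capture_output=True, text=True, check=True,
    )
    return json.loads(out.stdout)


# Constructed host environment; the secret values are placeholders, not real credentials.
HOST_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "HOME": "/home/agent",
    "OPENAI_API_KEY": "sk-constructed-not-real",
    "AWS_SECRET_ACCESS_KEY": "constructed-not-real",
    "DATABASE_URL": "postgres://user:constructed@db.internal/app",
    "FOO": "bar",
}

if __name__ == "__main__":
    for mode in (None, [], ["FOO", "PATH"]):
        env = prepare_environment(mode, host_env=HOST_ENV, platform="posix")
        print(mode, "->", sorted(env), "withheld:", withheld_names(HOST_ENV, env))
    print("child sees:", child_visible_names(prepare_environment(host_env=HOST_ENV, platform="posix")))
```

The child-process check is the part worth keeping in a test suite: it proves the secret never crosses the process boundary, which is what makes a separate argument-injection bug (CWE-78, as the python-utcp entry notes) stop being a one-call credential theft.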