Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Claude Desktop for Windows had a security flaw in versions before 1.3834.0 where the CoworkVMService component (a background service running with high system privileges) did not properly check whether directories were real folders or directory junctions (shortcuts that point to other locations) before creating files in them. An attacker with basic user access could trick this service into creating files in arbitrary locations on the computer, potentially allowing them to gain administrator-level control of the system.
Fix: Update Claude Desktop to version 1.3834.0 or later, which includes a fix for this vulnerability.
Source: NVD/CVE Database

The Claude Desktop app's SSH remote development feature (versions from 1.2581.0 up to but not including 1.4304.0) had a security flaw where it only checked whether a hostname was present in the ~/.ssh/known_hosts file, without verifying that the server's actual host key matched the stored one. This allowed a network attacker (someone who could intercept traffic through methods like ARP spoofing or a rogue Wi-Fi access point) to perform a man-in-the-middle attack (secretly intercepting and potentially altering communications between two parties) on remote development sessions, as long as the hostname was already in the victim's known_hosts file.
Fix: Update Claude Desktop to version 1.4304.0 or later.
Source: NVD/CVE Database

LangSmith SDK (a tool for managing prompts in LangChain applications) had a vulnerability where pulling public prompts by owner/name would deserialize (reconstruct stored data into live program objects, a step that can trigger code execution) untrusted manifest files without warning users about the trust risk. An attacker could publish a malicious prompt that, when pulled and deserialized, would execute with attacker-controlled settings, potentially redirecting API requests to steal secrets or injecting malicious instructions into the AI's behavior.
Fix: Upgrade to LangSmith SDK Python >= 0.8.0 or JS/TS >= 0.6.0. The updated SDK now blocks pulling public prompts by `owner/name` by default and requires callers to explicitly pass `dangerously_pull_public_prompt=True` (Python) or `dangerouslyPullPublicPrompt: true` (JavaScript/TypeScript) to acknowledge the trust boundary risk. This flag should only be set after reviewing and trusting the actual prompt contents, not just the publishing account.
Source: GitHub Advisory Database

OpenAI discovered that two employee devices were compromised by malware hidden in a TanStack npm package (a JavaScript library downloaded from an online repository) as part of a broader supply chain attack called Mini Shai-Hulud. The attackers gained limited access to internal source code repositories and exfiltrated some credentials, but OpenAI found no evidence that customer data, production systems, or intellectual property were compromised. OpenAI responded by isolating affected systems, revoking credentials, rotating code-signing certificates (the digital signatures that verify software is authentic), and working with platform providers to prevent misuse of the compromised certificates.
Fix: OpenAI's explicit mitigation steps included: isolating impacted systems and identities, revoking user sessions, rotating all credentials across impacted repositories, temporarily restricting code-deployment workflows, rotating code-signing certificates for iOS, macOS, and Windows products, coordinating with platform providers to prevent unauthorized notarizations (digital certifications of software), and reviewing all previous notarizations to confirm no unauthorized software signing occurred. macOS users are required to update their applications once the certificate is fully revoked on June 12, 2026, after which macOS security protections will block new downloads and launches of apps signed with the previous certificate. Additionally, OpenAI accelerated deployment of security controls including hardened credential materials in their CI/CD pipeline (continuous integration/continuous deployment, the automated system for building and releasing software), package manager configurations with controls like minimumReleaseAge, and additional security software to validate package origins.
Source: OpenAI Blog

nnU-Net (a framework for automatically analyzing and segmenting images) had a vulnerability in its GitHub workflow where untrusted user input from issue titles and descriptions was sent directly to an AI agent without proper filtering. This allowed attackers to trick the AI agent into performing unintended actions like commenting on or relabeling issues, since the workflow ran automatically whenever someone opened an issue.
Fix: This vulnerability is fixed in version 2.4.1.
Source: NVD/CVE Database

CVE-2026-42893 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting how special characters are handled) in Microsoft 365 Copilot that allows an unauthorized attacker to tamper with data over a network. The vulnerability has a CVSS 4.0 severity rating (a moderate score on the 0-10 vulnerability severity scale). This issue was reported by Microsoft Corporation and published in May 2026.

Langflow (a tool for building AI-powered agents and workflows) has a path traversal vulnerability (a security flaw where attackers manipulate file paths to access files outside intended boundaries) in its Knowledge Bases API that allows authenticated attackers to delete arbitrary directories on the server by exploiting improper handling of knowledge base names. This flaw can cause data loss and service disruption.
Fix: This vulnerability is fixed in version 1.9.0. Users should upgrade Langflow to 1.9.0 or later.
Source: NVD/CVE Database

CVE-2026-41614 is a vulnerability in Microsoft 365 Copilot for Desktop caused by improper access control (a weakness where the software fails to properly restrict who can do what), allowing an unauthorized attacker to perform spoofing (making something appear to come from someone else) on a local computer. The vulnerability has a CVSS 4.0 severity rating, though a full assessment from NIST has not yet been provided.

CVE-2026-41109 is a security flaw in GitHub Copilot and Visual Studio that allows an attacker to bypass a security feature by improperly handling special characters in output, which are then processed by another component (injection, where untrusted data is inserted into code or commands). The vulnerability can be exploited over a network by unauthorized attackers.

CVE-2026-41100 is a vulnerability in Microsoft 365 Copilot where improper access control (weak rules that don't properly check who should be allowed to do something) allows an authorized attacker to perform spoofing (impersonating someone or something else) on a local system. The vulnerability has a CVSS 4.0 severity rating (a moderate security concern on a 0-10 scale).

CVE-2026-33833 is a vulnerability in Azure Machine Learning where special characters in output are not properly filtered before being used by another component, allowing an attacker to perform spoofing (pretending to be someone or something else) over a network. The vulnerability has a CVSS score (a 0-10 severity rating) of 4.0, indicating moderate severity. This type of flaw is known as an injection vulnerability (CWE-74), where untrusted data can be used to manipulate downstream processes.

The mamba language model framework (versions up to 2.2.6) has a vulnerability in how it loads pre-trained models from HuggingFace Hub (a platform where AI models are shared). When loading models, it uses an unsafe method called torch.load() without the weights_only=True security parameter, which allows attackers to hide malicious code in model files. An attacker could upload a compromised model to HuggingFace Hub, and when someone downloads and loads it, the attacker's code runs on their computer.

The Ludwig framework (a machine learning tool) versions up to 0.10.4 has a vulnerability where it unsafely loads model files using a method that can execute arbitrary code. When someone runs the ludwig serve command to host a model, an attacker can provide a malicious model file that tricks the system into running their code, potentially taking over the server.

The CosyVoice project has an insecure deserialization vulnerability (CWE-502, a weakness where untrusted data is converted back into executable objects) in how it loads model files. When users load model files (.pt files, which are PyTorch model formats) from a directory they specify, the code uses torch.load() without security protections, allowing attackers to execute arbitrary code by hiding malicious instructions in crafted model files that get executed when loaded.

The Adversarial Robustness Toolbox (ART) up to version 1.20.1 has a vulnerability in its Kubeflow component where it uses eval() (a function that runs text as if it were code) unsafely to process command-line arguments like --clip_values and --input_shape. An attacker can inject malicious Python code through these arguments, which will execute when eval() processes them, potentially giving the attacker full control over the system running ART if they can control those arguments.

The Adversarial Robustness Toolbox (ART) version 1.20.1 and earlier has a vulnerability in how it loads AI model files, specifically in its Kubeflow component (a system for running machine learning workflows). When loading model weights using torch.load() without the weights_only=True security parameter, the software deserializes arbitrary Python objects via Pickle (a Python serialization library), allowing attackers to execute malicious code by uploading a crafted model file or manipulating the model location parameter.

JunoClaw, an AI platform built on Juno Network, had a security flaw in its WAVS bridge where the computeDataVerify function would fetch data from URLs supplied by AI agents without properly checking whether those URLs were safe (SSRF, or server-side request forgery, meaning an attacker could trick the system into making requests to internal or unintended servers). This vulnerability allowed attackers to potentially access restricted resources by manipulating which URLs the system would contact.
Fix: This vulnerability is fixed in version 0.x.y-security-1. Users should upgrade to this patched version.
Source: NVD/CVE Database

CVE-2026-43992 is a vulnerability in JunoClaw, an agentic AI platform (a system where AI makes decisions and takes actions) built on Juno Network. Before version 0.x.y-security-1, the platform's MCP write tools (functions that send tokens or execute contracts) required users to provide a BIP-39 seed (a cryptographic secret used to generate wallet credentials) as a plain text parameter, which exposed this sensitive information to logs, telemetry, and other systems between the AI provider and the MCP process.
Fix: This vulnerability is fixed in version 0.x.y-security-1. Users should upgrade to this version.
Source: NVD/CVE Database

JunoClaw is an agentic AI platform (a system where AI makes decisions and takes actions automatically) built on Juno Network that had a security flaw in its plugin-shell's command-safety check prior to version 0.x.y-security-1. The vulnerability allowed attackers to bypass the substring-based blocklist (a filter that blocks certain text patterns) by crafting tricky command arguments, which could lead to unauthorized command execution on the host system. The flaw occurred because the safety check looked at the raw command string instead of just the first parsed token (the initial instruction).
Fix: Update to version 0.x.y-security-1 or later, which fixes the vulnerability.
Source: NVD/CVE Database

JunoClaw, an agentic AI platform (a system where AI agents can perform tasks autonomously) built on Juno Network, had a vulnerability in its plugin-shell component where commands supplied by agents were wrapped in shell interpreters without proper sanitization. This allowed shell metacharacters (special characters like pipes or semicolons that have meaning to the shell) in agent-supplied arguments to be interpreted as actual commands rather than plain text, potentially letting attackers run unintended commands. The vulnerability was fixed in version 0.x.y-security-1.
Fix: Update JunoClaw to version 0.x.y-security-1 or later, where this vulnerability is fixed.
Source: NVD/CVE Database