Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Open WebUI's file batch processing endpoint lacks an ownership check, allowing any authenticated user to overwrite files in shared knowledge bases by knowing their IDs. An attacker can then poison the RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) system, causing the LLM to serve the attacker's malicious content to other users.
Fix: Add an ownership verification check before writing files. The source suggests this code: for file in form_data.files: db_file = Files.get_file_by_id(file.id) if not db_file or (db_file.user_id != user.id and user.role != "admin"): file_errors.append(BatchProcessFilesResult( file_id=file.id, status="failed", error="Permission denied: not file owner", )) continue This verifies that only the file's owner or an admin can modify it before the write operation proceeds.
GitHub Advisory DatabaseOpen WebUI's speech-to-text endpoint has a path traversal vulnerability where an authenticated user can craft a malicious filename to trigger an error that leaks the server's absolute file path. The vulnerability exists because the code doesn't sanitize the filename before using it in a file operation, unlike similar upload handlers elsewhere in the codebase.
AI Code has a feature that automatically runs terminal commands (direct instructions to a computer's operating system) if it thinks they're safe, but an attacker can use prompt injection (tricking an AI by hiding instructions in its input) to disguise malicious commands as safe ones, causing them to execute without user approval.
A path traversal vulnerability (a security flaw where attackers manipulate file paths to access files they shouldn't) exists in the awesome-llm-apps project's Beifong AI News and Podcast Agent backend. An unauthenticated attacker can exploit this weakness in the stream-audio endpoint to read arbitrary files from the server, potentially exposing sensitive data like configuration files and credentials.
OpenHands, a software tool for AI-driven development, has a command injection vulnerability (a security flaw where untrusted input is directly executed as commands) in versions 1.5.0 and later. The vulnerability exists in the git handling code, where user input is passed directly to shell commands without filtering, allowing authenticated attackers to run arbitrary commands in the agent's sandbox environment, bypassing the normal oversight channels.
vLLM (a tool that runs and serves large language models) has a vulnerability in versions 0.10.1 through 0.17.x where two model files ignore a user's security setting that disables remote code execution (the ability to run code from outside sources). This means attackers could run malicious code through model repositories even when the user explicitly turned off that capability.
OpenClaw has a symlink traversal vulnerability (symlink: a file that points to another file) in two API handlers (`agents.create` and `agents.update`) that use `fs.appendFile` to write to an `IDENTITY.md` file without checking if it's a symlink. An attacker can place a symlink in the agent workspace pointing to a sensitive system file (like `/etc/crontab`), and when these handlers run, they will append attacker-controlled content to that sensitive file, potentially allowing remote code execution. This is an incomplete fix for CVE-2026-32013, which only patched two other handlers but missed these two.
PinchTab v0.8.4, a tool that lets AI agents control Chrome browsers through an HTTP server, has a command injection vulnerability on Windows where attackers can run arbitrary PowerShell commands if they have administrative access to the server's API. The vulnerability exists because the cleanup routine doesn't properly escape PowerShell metacharacters (special characters that PowerShell interprets as commands) when building cleanup commands from profile names.
PinchTab is an HTTP server that allows AI agents to control a Chrome browser, but versions 0.8.3 through 0.8.5 have a security flaw where two endpoints (POST /wait and POST /tabs/{id}/wait) can execute arbitrary JavaScript (run code of an attacker's choice in the browser) even when JavaScript evaluation is disabled by the operator. Unlike the properly protected POST /evaluate endpoint, these vulnerable endpoints don't check the security policy before running user-provided code, though an attacker still needs valid authentication credentials to exploit it.
PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome browser, but versions 0.7.7 through 0.8.4 had incomplete protections against brute-force attacks (rapid repeated requests) on endpoints that check authentication tokens. The middleware (software layer that filters requests) designed to limit requests per IP address was either not activated or had flaws like trusting client-controlled headers, making it easier for attackers to guess weak passwords if they could reach the API.
PinchTab, an HTTP server that lets AI agents control Chrome browsers, had a vulnerability in versions 0.7.8 through 0.8.3 where API tokens (credentials that prove you're authorized to use the service) could be passed as URL query parameters, making them visible in logs and browser history instead of being kept private in secure headers. This exposed sensitive credentials to intermediary systems that record full URLs, though it only affected deployments that actually used this method of passing tokens.
PinchTab v0.8.3, a tool that lets AI agents control Chrome browsers through an HTTP server, has a server-side request forgery vulnerability (SSRF, where the server can be tricked into making requests to unintended targets) in its optional webhook system. When tasks are submitted with a user-controlled callback URL, the server sends an HTTP request to that URL without properly validating it, allowing attackers to make the server send requests to private or internal network addresses.
Android Canvas WebView pages (web content displayed inside an Android app) from untrusted sources could call the JavascriptInterface bridge (a connection that lets web code run native app commands), allowing attackers to inject malicious instructions into the app. The vulnerability was fixed by validating the origin (where the web content comes from) before allowing bridge calls.
A prototype pollution vulnerability (a type of attack that modifies how objects are created in JavaScript) in n8n's GSuiteAdmin node allows authenticated users to execute arbitrary code on the n8n server by crafting malicious workflow parameters. An attacker with permission to create or modify workflows could exploit this to gain control over the entire n8n instance.
BentoML has a command injection vulnerability in the `docker.system_packages` field of bentofile.yaml (a configuration file). User-provided package names are inserted directly into Docker build commands without sanitization, allowing attackers to execute arbitrary shell commands as root during the image build process. This affects all versions supporting this feature, including version 1.4.36.
n8n's Source Control feature, when configured to use SSH (a secure network protocol), disabled host key verification, meaning it didn't confirm the identity of the Git server it was connecting to. An attacker on the network could trick n8n into connecting to a fake server and inject malicious code into workflows or steal repository data.
n8n, a workflow automation tool, had a security flaw where authenticated users without permission could bypass authorization checks and access plaintext values of external secrets (credentials stored in connected vaults) by guessing secret names. This vulnerability only affects instances with external vaults configured and requires the attacker to be a valid user who knows the target secret's name.
Fix: The source recommends two fixes: (1) sanitize the file extension using `Path(file.filename).name` and `Path(safe_name).suffix.lstrip(".")` instead of the current `split(".")[-1]` approach, and (2) suppress the internal path from error responses by catching exceptions and returning a generic error message ("Transcription failed") instead of returning the full exception details.
GitHub Advisory DatabaseA Dutch court has ordered Elon Musk's xAI and its chatbot Grok to stop creating non-consensual AI-generated sexual images of adults and children, with daily fines of 100,000 euros for non-compliance. The ruling came after the non-profit Offlimits reported that Grok generated an estimated three million sexualized images in about two weeks, including over 23,000 depicting children, and found that xAI's previous restrictions on creating such images were easily bypassed. The case adds to mounting legal pressure on xAI, with investigations underway in Europe and lawsuits filed in the United States.
Fix: xAI moved to block Grok from being able to create sexualized images of real people on X in January, with the restriction applying to all users, including paid subscribers. However, the source explicitly states this measure was found insufficient by the court, as Offlimits demonstrated the restrictions were easily bypassed.
CNBC TechnologyFix: Update to version 1.5.0, which fixes the issue.
NVD/CVE DatabaseFix: Upgrade to version 0.18.0, which patches the issue.
NVD/CVE DatabaseF5 BIG-IP APM (a network access management tool) contains an unspecified vulnerability that allows attackers to achieve remote code execution (the ability to run commands on a system they don't own). This vulnerability is actively being exploited by real attackers in the wild, making it an urgent security concern.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. Consult F5's official guidelines and the referenced knowledge base articles at https://my.f5.com/manage/s/article/K000156741, https://my.f5.com/manage/s/article/K000160486, and https://my.f5.com/manage/s/article/K11438344 to assess exposure and mitigate risks.
CISA Known Exploited VulnerabilitiesFix: Version 0.8.5 contains a patch for the issue.
NVD/CVE DatabaseFix: The source states that 'the current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes.' However, the source explicitly notes 'as of time of publication, a patched version is not yet available.'
NVD/CVE DatabaseFix: This was fully addressed in v0.8.5 by applying RateLimitMiddleware in the production handler chain, deriving the client address from the immediate peer IP instead of trusting forwarded headers by default, and removing the /health and /metrics exemption so auth-checkable endpoints are throttled as well.
NVD/CVE DatabaseFix: This was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.
NVD/CVE DatabaseFix: This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating callbackUrl during task submission.
NVD/CVE DatabaseFix: Update to version 2026.3.22 or later. The fix validates page origin and rejects untrusted bridge calls, with trusted origin and path validation now centralized in CanvasActionTrust.kt.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: The source text suggests two explicit fixes: (1) Input validation (recommended): Add a regex validator to `system_packages` in `build_config.py` that only allows alphanumeric characters, dots, plus signs, hyphens, underscores, and colons. (2) Output escaping: Apply `shlex.quote()` to each package name before interpolation in `images.py:system_packages()` and apply the `bash_quote` Jinja2 filter in `base_debian.j2`. The source notes that a `bash_quote` filter already exists in the codebase but is only currently applied to environment variables, not `system_packages`.
GitHub Advisory DatabaseAquasecurity Trivy, a container scanning tool, has embedded malicious code that could let attackers steal sensitive information from CI/CD environments (the automated systems that build and deploy software), including security tokens, SSH keys (authentication credentials for servers), cloud login information, database passwords, and other secrets stored in memory. This is a supply-chain compromise (malicious code inserted into a software product before distribution) and is currently being exploited by real attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Additional vendor-provided guidance must be followed to ensure full remediation. See GitHub advisory GHSA-69fq-xp46-6x23 and NVD entry CVE-2026-33634 for more information.
CISA Known Exploited VulnerabilitiesFix: The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily disable the Source Control feature if not actively required, or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n access to fully trusted users only or disable external secrets integration until the patch can be applied, though these workarounds do not fully remediate the risk.
GitHub Advisory Database