Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
QnABot on AWS (a conversational AI tool built on Amazon Lex and other AWS services) improperly uses the static-eval npm package to evaluate expressions submitted through the Content Designer interface. An authenticated administrator can abuse this to run arbitrary code (commands the interface was never meant to allow), potentially reaching sensitive backend resources such as databases and environment variables that should remain protected.
A vulnerability was found in vllm (a language model serving framework) up to version 0.19.0 in the has_mamba_layers function, classified as use of an uninitialized resource (memory read before it has been set to a known value). The flaw can be triggered remotely, but the attack is rated as high complexity.
A vulnerability (CVE-2026-7061) was found in Toowiredd chatgpt-mcp-server version 0.1.0 that allows OS command injection (running unauthorized system commands on a server through malicious input) in the MCP/HTTP component. The flaw can be exploited remotely by attackers, and public exploit code is already available, but the developers have not yet responded to the security report.
A security flaw tracked as CVE-2026-7020 was found in Ollama versions up to 0.20.2 that allows path traversal (manipulating file paths to reach files outside the intended directory) through the digestToPath function in the Tensor Model Transfer Handler component. It can be exploited remotely, though the attack is rated as high complexity, and the vulnerability details have been published.
LiteLLM had a security flaw in two test endpoints (`POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list`) that allowed authenticated users to run arbitrary commands on the server. These endpoints accepted server configurations including command and arguments, and would execute them as subprocesses with the proxy's privileges, even for users with low-level permissions.
LangChain (a framework for building AI agents and applications powered by large language models) versions before 1.1.14 had a TOCTOU vulnerability (time-of-check-time-of-use: a security check and the action it protects happen at different times, leaving a gap between them) in the image token counting feature of the langchain-openai package. An attacker controlling a hostname could make it resolve to a safe public IP address while the check ran and to a private or localhost address when the actual request was made (DNS rebinding), bypassing the SSRF protection.
LangChain's HTMLHeaderTextSplitter (in the langchain-text-splitters package) validated the initial URL but then followed redirects (automatic forwarding to other URLs) without rechecking the targets, so an attacker-controlled server could redirect the request to internal or otherwise sensitive hosts and potentially leak data. This SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended locations) was fixed in version 1.1.2.
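The two LangChain items above are the same bug class seen twice: a URL is checked once, and the thing that actually connects (DNS resolution, or the HTTP client's redirect handling) is allowed to change the destination afterwards. The following is an added example, not LangChain's code, of one guard that closes both gaps: it resolves the hostname exactly once, validates the resolved address, connects to that pinned address, and runs every redirect target through the same check instead of letting the client follow it. Network access is simulated through injectable `resolver` and `transport` callables so it runs offline; `SafeFetcher`, `FetchBlocked`, `pin_and_check` and `naive_fetch` are this example's own names.

```python
# Added example, not LangChain code: one SSRF guard that closes both gaps above.
# Network access is simulated through injectable `resolver` and `transport`
# callables so this runs offline; SafeFetcher, FetchBlocked, pin_and_check and
# naive_fetch are this example's own names.
import ipaddress
import socket
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlsplit


class FetchBlocked(Exception):
    """Raised when a URL, or a redirect target, fails the SSRF policy."""


def is_public_ip(ip_text: str) -> bool:
    """Accept only globally routable unicast addresses.

    is_global rejects private, loopback, link-local (which includes the cloud
    metadata range 169.254.0.0/16) and reserved space; multicast is excluded
    explicitly because older Python versions report it as global.
    """
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


Resolver = Callable[[str], str]
# transport(pinned_ip, host_header, path) -> (status, location_or_None, body)
Transport = Callable[[str, str, str], Tuple[int, Optional[str], bytes]]


def default_resolver(host: str) -> str:
    return socket.gethostbyname(host)   # real DNS; the tests substitute a stub


def naive_fetch(url: str, resolver: Resolver, transport: Transport) -> bytes:
    """The vulnerable shape: validate the name, then let the client resolve it again."""
    parts = urlsplit(url)
    if not is_public_ip(resolver(parts.hostname)):        # time of check
        raise FetchBlocked("blocked")
    ip = resolver(parts.hostname)                          # time of use: a second lookup
    _status, _location, body = transport(ip, parts.hostname, parts.path or "/")
    return body


def pin_and_check(url: str, resolver: Resolver) -> Tuple[str, str, str]:
    """Resolve the host exactly once and return (pinned_ip, host, path).

    The caller connects to pinned_ip and sends the hostname in the Host header,
    so a changed DNS answer after the check cannot move the connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise FetchBlocked(f"unsupported or malformed URL: {url!r}")
    ip = resolver(parts.hostname)
    if not is_public_ip(ip):
        raise FetchBlocked(f"{parts.hostname} resolved to non-public address {ip}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return ip, parts.hostname, path


class SafeFetcher:
    def __init__(self, transport: Transport, resolver: Resolver = default_resolver,
                 max_redirects: int = 5):
        self.transport = transport
        self.resolver = resolver
        self.max_redirects = max_redirects

    def fetch(self, url: str) -> bytes:
        """Fetch url, running every redirect target through pin_and_check."""
        current = url
        for _ in range(self.max_redirects + 1):
            ip, host, path = pin_and_check(current, self.resolver)
            status, location, body = self.transport(ip, host, path)
            if status in (301, 302, 303, 307, 308) and location:
                # Never let the HTTP client follow this itself: the Location
                # value is attacker-influenced and gets the same check.
                current = urljoin(current, location)
                continue
            return body
        raise FetchBlocked("too many redirects")
```

In a real client, connecting by pinned IP means the original hostname must still be sent in the Host header and used for TLS SNI and certificate verification (most HTTP libraries need a custom transport adapter for this); that plumbing is outside the example, but without it the pinning is not complete.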
Gemini CLI had two security vulnerabilities that could allow remote code execution (running malicious code on a system). First, in headless mode (non-interactive environments like CI/CD pipelines), the tool automatically trusted workspace folders and loaded configuration files without verification, which could be exploited through malicious environment variables. Second, the `--yolo` flag bypassed tool allowlisting (restrictions on what commands can run), allowing unrestricted command execution via prompt injection (tricking the AI by hiding instructions in its input). Version 0.39.1 and later now require explicit folder trust and enforce tool allowlisting even in `--yolo` mode.
This item covers a prompt injection vulnerability (tricking an AI by hiding malicious instructions in its input) in k8sGPT-Operator, a tool that helps manage Kubernetes clusters (container orchestration systems). The source only explains the severity scoring framework (metrics such as attack complexity and potential impact) and gives no specifics about the vulnerability itself or how it is triggered.
Claude Code had a security flaw where it checked a git worktree (a Git feature allowing multiple branch checkouts in separate directories) `commondir` file to decide if a folder was trustworthy, but didn't verify the file's contents. An attacker could create a malicious repository with a fake `commondir` file pointing to a folder the victim had previously trusted, tricking Claude Code into skipping its safety dialog and running malicious code from `.claude/settings.json` (a configuration file). This attack required the victim to clone the malicious repository and open it in Claude Code, and the attacker had to know a path the victim had already marked as safe.
LiteLLM's proxy API key verification has a SQL injection vulnerability (a type of attack where an attacker inserts malicious database commands into input fields). An unauthenticated attacker could send a specially crafted authorization header to exploit this flaw and potentially read or modify the proxy's database, gaining unauthorized access to stored credentials.
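The key-verification flaw above follows the classic shape: a bearer token taken from the Authorization header is spliced into SQL text. The following is an added example, not LiteLLM's code, built on the standard-library sqlite3 driver, that shows the vulnerable lookup next to the parameterized one (the fix is described as always passing the caller-supplied value to the database as a separate parameter). The `virtual_keys` table, its rows and the crafted header are constructed for the demonstration.

```python
# Added example, not LiteLLM code: API-key lookup with and without parameter
# binding, using the standard-library sqlite3 driver. Table, rows and the
# crafted Authorization header are constructed for this demonstration.
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, user_id TEXT, models TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-admin-0001', 'admin', '*')")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-user-0002', 'alice', 'gpt-4o-mini')")
    return conn


def token_from_header(authorization: str) -> str:
    """Strip the 'Bearer ' prefix; everything after it is untrusted input."""
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        raise ValueError("malformed Authorization header")
    return value.strip()


def lookup_key_unsafe(conn: sqlite3.Connection, authorization: str) -> Optional[tuple]:
    token = token_from_header(authorization)
    # VULNERABLE: the token becomes part of the SQL statement text, so a token
    # such as  ' OR user_id='admin' --  rewrites the WHERE clause.
    sql = f"SELECT token, user_id, models FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchone()


def lookup_key(conn: sqlite3.Connection, authorization: str) -> Optional[tuple]:
    token = token_from_header(authorization)
    # FIXED: the token is bound to a placeholder and reaches the engine as data,
    # never as SQL, so the same crafted value simply matches no row.
    sql = "SELECT token, user_id, models FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (token,)).fetchone()
```

The crafted header in the test needs no valid key at all, which is why the advisory rates this as reachable by an unauthenticated attacker: the injection happens in the very code path that decides whether the caller is authenticated.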
Ray Data registers custom Arrow extension types (special data format handlers) globally in PyArrow. When PyArrow reads a Parquet file (a columnar storage format) whose schema carries these types, it deserializes the type metadata bytes with cloudpickle.loads(), which can execute arbitrary code. The issue had been fixed in May 2024 but was reintroduced in July 2025, so an attacker can run code simply by getting Ray to read a crafted Parquet file.
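The Ray item above is a deserialization flaw: whatever bytes sit in the file's metadata are handed to a pickle-family loader, and pickle honours an object's `__reduce__` hook by calling whatever function it names. The following is an added example, not Ray's or PyArrow's code, that shows why that is remote code execution and two safer shapes. The Parquet handling is replaced by a constructed byte string so it runs offline, the standard-library `pickle.loads` stands in for `cloudpickle.loads` (both evaluate `__reduce__` callables the same way), and the "payload" only sets an environment variable named `RAY_PICKLE_DEMO_EXECUTED` (this example's own marker) where a real one would spawn a shell. `RestrictedUnpickler` and the JSON schema are this example's own choices.

```python
# Added example, not Ray or PyArrow code: why handing metadata bytes to a
# pickle-family loader is remote code execution, and two safer alternatives.
# Parquet handling is replaced by a constructed byte string; pickle.loads
# stands in for cloudpickle.loads, which honours __reduce__ the same way.
import io
import json
import os
import pickle
from typing import Any

MARKER = "RAY_PICKLE_DEMO_EXECUTED"   # this example's own, harmless side effect


class MaliciousExtensionMetadata:
    """Attacker-authored object. Unpickling it runs eval() on attacker text;
    a real payload would use the same hook to spawn a shell."""

    def __reduce__(self):
        return (eval, (f"__import__('os').environ.__setitem__({MARKER!r}, '1')",))


def craft_metadata() -> bytes:
    """Stand-in for the bytes an attacker stores in a Parquet file's schema metadata."""
    return pickle.dumps(MaliciousExtensionMetadata())


def payload_ran() -> bool:
    return os.environ.get(MARKER) == "1"


def reset_marker() -> None:
    os.environ.pop(MARKER, None)


BENIGN_METADATA = pickle.dumps({"dtype": "float32", "shape": [3]})   # constructed


def load_metadata_unsafe(metadata: bytes) -> Any:
    # VULNERABLE: pickle.loads / cloudpickle.loads calls the __reduce__ callable,
    # here builtins.eval with attacker-chosen source.
    return pickle.loads(metadata)


class RestrictedUnpickler(pickle.Unpickler):
    """Loads plain data plus an explicit allowlist of globals; nothing else."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_metadata_restricted(metadata: bytes) -> Any:
    """Mitigation when pickle cannot be dropped: refuse every non-allowlisted global."""
    return RestrictedUnpickler(io.BytesIO(metadata)).load()


def load_metadata_json(metadata: bytes) -> dict:
    """Preferred: a code-free encoding with a fixed schema for extension metadata."""
    obj = json.loads(metadata.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) - {"dtype", "shape"}:
        raise ValueError("unexpected metadata keys")
    return obj
```

The restricted unpickler is a stopgap: it still parses an attacker-controlled pickle stream and must be kept in step with every legitimate type the metadata may contain. Moving extension-type metadata to JSON (or any format without an execution hook) is the durable fix, and it is the one a reviewer should ask for when a "fixed" pickle path reappears, as happened here.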
LiteLLM Proxy had a server-side template injection vulnerability (a security flaw where user input is processed as code rather than plain text) in its `/prompts/test` endpoint that allowed authenticated users to run arbitrary code within the proxy process and potentially access sensitive information like API keys or database credentials. The vulnerability affects any deployment running an affected version of LiteLLM Proxy.
The BetterDocs plugin for WordPress (versions up to 4.3.11) has a security flaw where the generate_openai_content_callback() function checks for a nonce (a security token that verifies a request is legitimate) but doesn't verify that the user has permission to perform the action. This allows any authenticated user with subscriber-level access or higher to make the plugin call OpenAI's AI service using the site owner's API key and paid quota, even though they shouldn't have that permission.
AnythingLLM, an application that lets LLMs reference external documents during conversations, has a security flaw in versions before 1.12.1 where chart captions aren't properly filtered for malicious code. An attacker can inject harmful instructions (prompt injection, where hidden commands are slipped into LLM inputs) through shared documents or chart records to execute XSS (cross-site scripting, code that runs in other users' browsers without permission) when those users view the conversation.
Flowise, a tool with a drag-and-drop interface for building customized AI workflows, has a vulnerability in versions before 3.1.0 where the GraphCypherQAChain node fails to sanitize user input before sending it to a Neo4j database (a graph database that stores connected data). An attacker could inject malicious Cypher commands (the query language for Neo4j) to steal, change, or delete data in the database.
CVE-2026-33102 is an open redirect vulnerability (a flaw where a website redirects users to an untrusted site) in Microsoft 365 Copilot that, according to the vendor, allows an attacker to elevate privileges over a network without authorization. It carries a CVSS severity rating of 4.0 (medium on the 0-10 scale).
Two OpenTelemetry .NET AWS packages (OpenTelemetry.Sampler.AWS and OpenTelemetry.Resources.AWS) read entire HTTP response bodies into memory without any size limit. An attacker who controls the remote endpoint or intercepts the traffic (MitM, or man-in-the-middle, where someone secretly relays communications between two parties) can return a huge response to exhaust the application's memory and crash it with an Out of Memory error.
OpenTelemetry .NET packages have a vulnerability where parsing propagation headers (headers that track request flow across services) can allocate excessive memory, potentially causing a denial of service (DoS, where a system becomes unavailable due to resource exhaustion). The issue occurs in baggage, B3, and Jaeger processing code that allocates temporary storage before checking size limits.
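The two OpenTelemetry items above are both "allocate first, check later" bugs: one buffers a whole response body, the other builds intermediate arrays for a propagation header before testing whether the header is within limits. The following is an added example, not OpenTelemetry code and in Python rather than the packages' C#, that shows the bounded counterparts of both patterns. Streams are simulated with `io.BytesIO`; the byte caps and the baggage limits are this example's own choices (the baggage figures follow the W3C Baggage specification's receiver minimums), not OpenTelemetry's defaults.

```python
# Added example, not OpenTelemetry code: bounded response reading and
# check-before-allocate header parsing. Streams are simulated with io.BytesIO;
# the limits are this example's own (baggage figures follow the W3C Baggage
# spec's receiver minimums), not the packages' defaults.
import io
from typing import BinaryIO, Dict


class ResponseTooLarge(Exception):
    pass


class BaggageRejected(Exception):
    pass


def fake_body(size: int) -> BinaryIO:
    """Constructed stand-in for a remote response body of `size` bytes."""
    return io.BytesIO(b"x" * size)


def read_body_unbounded(stream: BinaryIO) -> bytes:
    # VULNERABLE: the peer alone decides how much memory this allocates.
    return stream.read()


def read_body(stream: BinaryIO, max_bytes: int, chunk_size: int = 64 * 1024) -> bytes:
    """Read at most max_bytes, failing as soon as the cap is exceeded.

    Peak allocation is bounded by max_bytes plus one chunk no matter what the
    peer sends or what Content-Length it claims.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(min(chunk_size, max_bytes + 1 - len(buf)))
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:
            raise ResponseTooLarge(f"body exceeds {max_bytes} bytes")


# W3C Baggage: receivers must accept at least this much; we accept no more.
MAX_MEMBERS = 180
MAX_MEMBER_BYTES = 4096
MAX_TOTAL_BYTES = 8192


def parse_baggage(header: str) -> Dict[str, str]:
    """Parse 'k1=v1,k2=v2;prop' with limit checks that run before any split.

    Checking the encoded length and the separator count first rejects a
    multi-megabyte header with O(1) extra memory, instead of first turning it
    into a list of hundreds of thousands of strings and checking afterwards.
    """
    if len(header.encode("utf-8")) > MAX_TOTAL_BYTES:
        raise BaggageRejected("baggage header too long")
    if header.count(",") + 1 > MAX_MEMBERS:
        raise BaggageRejected("too many baggage members")
    result: Dict[str, str] = {}
    for member in header.split(","):
        member = member.strip()
        if not member:
            continue
        if len(member.encode("utf-8")) > MAX_MEMBER_BYTES:
            raise BaggageRejected("baggage member too long")
        kv, _, _properties = member.partition(";")   # properties are dropped here
        key, sep, value = kv.partition("=")
        if not sep or not key.strip():
            raise BaggageRejected(f"malformed member {member!r}")
        result[key.strip()] = value.strip()
    return result
```

The same ordering rule applies to the web server in front of the application: a request-header size limit enforced there (one of the workarounds listed for the .NET issue) stops the hostile header before any application code allocates for it.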
Fix: Deploy patch 1ad67864c0c20f167929e64c875f5c28e1aad9fd to fix this issue.
Source: NVD/CVE Database

n8n-mcp (a tool for connecting AI systems to external services) was logging sensitive information such as passwords and API keys when running in HTTP mode (serving MCP over HTTP rather than the local stdio transport). When authenticated users made tool-call requests, the credentials in their arguments were written to server logs before redaction was applied, exposing them to anyone who could read or obtain the logs. The issue only affected HTTP mode and required authentication, so it could not be exploited by arbitrary internet users.
Fix: Upgrade to n8n-mcp v2.47.13 or later using either `npx n8n-mcp@latest` (npm) or `docker pull ghcr.io/czlonkowski/n8n-mcp:latest` (Docker). The patch changes how tool arguments are logged by using a `summarizeToolCallArgs` function that records only the structure and size of data, never the actual secret values. As a temporary workaround if you cannot upgrade immediately: restrict HTTP port access through firewall or VPN, limit who can read server logs, or switch to stdio transport mode (`MCP_MODE=stdio`).
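The fix above replaces raw argument logging with a `summarizeToolCallArgs` function that records only structure and size. The following is an added example of that approach, not n8n-mcp's code and in Python rather than the project's TypeScript: it keeps key names, types and lengths (enough to debug a malformed call) while guaranteeing that no string, number or byte value can reach a log line. The sample tool call, the `MAX_DEPTH` cap and the function names are this example's own.

```python
# Added example, not n8n-mcp code: a structure-and-size-only summariser of
# tool-call arguments, in the spirit of the summarizeToolCallArgs fix above.
# The sample call, MAX_DEPTH and the function names are this example's own.
import json
from typing import Any

MAX_DEPTH = 4   # deeper structure is summarised opaquely rather than walked


def summarize(value: Any, depth: int = 0) -> Any:
    """Return a JSON-serialisable description of value's shape, never its content."""
    if depth > MAX_DEPTH:
        return "<nested>"
    if value is None or isinstance(value, bool):
        return type(value).__name__          # checked before int: bool is an int
    if isinstance(value, (int, float)):
        return type(value).__name__          # the number itself is not logged
    if isinstance(value, str):
        return f"str(len={len(value)})"
    if isinstance(value, (bytes, bytearray)):
        return f"bytes(len={len(value)})"
    if isinstance(value, dict):
        # Key names are kept because they are part of the tool schema; values are
        # recursed into, so a "password" key is visible but its value never is.
        return {str(k): summarize(v, depth + 1) for k, v in value.items()}
    if isinstance(value, (list, tuple, set)):
        items = list(value)
        return {"type": type(value).__name__, "len": len(items),
                "items": [summarize(v, depth + 1) for v in items[:3]]}
    return type(value).__name__


def log_line(tool: str, args: dict) -> str:
    """The log entry written instead of the raw arguments."""
    return json.dumps({"event": "tool_call", "tool": tool, "args": summarize(args)},
                      sort_keys=True)


SAMPLE_CALL = {   # constructed: what an authenticated client might send
    "credential": {"type": "httpBasicAuth", "user": "svc", "password": "Hunter2!"},
    "apiKey": "sk-live-abcdef0123456789",
    "workflowIds": [1, 2, 3, 4],
    "dryRun": False,
    "note": None,
}
```

Note the design choice: the summariser does not try to recognise secret-looking keys and redact them, because a denylist misses every key it was not written for. Logging nothing but shape has no such gap, at the cost of debugging detail that can be recovered from a separate, access-controlled channel when needed.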
Source: GitHub Advisory Database

Fix (LiteLLM MCP test endpoints): Fixed in version 1.83.7. Both test endpoints now require the `PROXY_ADMIN` role (an administrator-only permission level). As a temporary workaround, block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at your reverse proxy or API gateway (the component that sits between users and the application and filters traffic).

Source: GitHub Advisory Database

Fix (LangChain TOCTOU): Update langchain-openai to version 1.1.14 or later.

Source: NVD/CVE Database

Fix (LangChain HTMLHeaderTextSplitter SSRF): Update langchain-text-splitters to version 1.1.2 or later, where this vulnerability is fixed.

Source: NVD/CVE Database

Fix (Gemini CLI): Update to Gemini CLI version 0.39.1 or 0.40.0-preview.3. For workflows that run on trusted inputs, set the environment variable `GEMINI_TRUST_WORKSPACE: 'true'` in your GitHub Actions workflow. For workflows that process untrusted inputs, review the guidance at https://github.com/google-github-actions/run-gemini-cli to harden the workflow against malicious content, and set the same variable only after those measures are in place. If you pin a specific gemini_cli version, upgrade to one of the patched versions and audit your workflow settings.

Source: GitHub Advisory Database

Fix (Claude Code): Users on standard Claude Code auto-update have already received this fix. Users who update manually should update to the latest version.

Source: GitHub Advisory Database

Fix (LiteLLM SQL injection): Fixed in version 1.83.7. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to 1.83.7 or later. If upgrading is not immediately possible, set `disable_error_logs: true` under `general_settings`, which removes the path through which unauthenticated input reached the vulnerable query.

Source: GitHub Advisory Database

Fix (LiteLLM template injection): Upgrade to version `1.83.7-stable` or later, which switches the prompt template renderer to a sandboxed environment (a restricted execution context that blocks the attack). If upgrading is not immediately possible, block the `POST /prompts/test` endpoint at your reverse proxy or API gateway, and review and rotate API keys that should not have access to prompt management routes.

Source: GitHub Advisory Database

Fix (AnythingLLM): Update to version 1.12.1 or later, which contains a patch for this issue.

Source: NVD/CVE Database

Fix (Flowise): This vulnerability is fixed in version 3.1.0; update Flowise to 3.1.0 or later.

Source: NVD/CVE Database

Fix (OpenTelemetry AWS packages): Fixed in OpenTelemetry.Sampler.AWS version 0.1.0-alpha.8 and OpenTelemetry.Resources.AWS version 1.15.1. The fixes put limits on the HttpClient requests so that the response body is streamed rather than buffered entirely in memory. Workarounds: ensure the X-Ray sampling endpoint is not reachable by untrusted parties; use network-level controls (firewall rules, mTLS, service mesh) to prevent man-in-the-middle attacks; and, if a remote endpoint is used, place it behind a reverse proxy that enforces a response body size limit.

Source: GitHub Advisory Database

Fix (OpenTelemetry .NET propagation headers): Pull request #7061 refactors the handling of baggage, B3 and Jaeger propagation headers to stop parsing eagerly once limits are exceeded and to avoid allocating intermediate arrays. Workarounds: configure appropriate HTTP request header limits in your web server, or disable baggage and/or trace propagation if they are not needed.

Source: GitHub Advisory Database