Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
OpenTelemetry's dotnet implementation has a vulnerability in how it handles gRPC responses during retries. When the server sends a `grpc-status-details-bin` trailer (extra data sent with a response), the code reads a length value from it without checking if that length is reasonable, potentially allowing an attacker to force the application to allocate massive amounts of memory and crash it (a denial of service attack, or DoS). A malicious collector or someone intercepting network traffic could exploit this.
Fix: Pull request #7064 updates `GrpcStatusDeserializer` to validate decoded length-delimited field sizes before allocation by ensuring the requested length is sane and does not exceed the remaining payload. This causes malformed or truncated `grpc-status-details-bin` payloads to fail safely instead of attempting unbounded allocation.
GitHub Advisory DatabaseOpenTelemetry's OTLP exporter (a tool for sending telemetry data, which is information about how software is performing) reads error response bodies from servers with no limit on size, potentially causing memory exhaustion if an attacker controls the server or intercepts the connection. This could crash applications by filling up their available memory.
Pipecat's LivekitFrameSerializer contains a critical vulnerability where its deserialize() method uses pickle.loads() (a Python function that reconstructs objects from binary data) on untrusted WebSocket client data without validation. An attacker can send a malicious pickle payload to execute arbitrary code on the server, potentially compromising the entire system. This affects servers using the now-deprecated LivekitFrameSerializer, especially if exposed to external networks.
Flowise, a tool for building customized AI workflows with a drag-and-drop interface, had a security flaw in versions before 3.1.0 where a speech-generation endpoint didn't require authentication (authorization bypass, where access controls are bypassed by attackers) and could decrypt stored API keys when given a credential ID. This allowed attackers to retrieve sensitive credentials like OpenAI API keys without proper permission checks.
Flowise, a tool that lets users build custom AI workflows through a drag-and-drop interface, had a security flaw in versions before 3.1.0 where the public API endpoint (GET /api/v1/public-chatflows/:id) exposed sensitive data without filtering. The flaw revealed credential IDs, plaintext API keys (secret codes used to access other services), and password fields in the raw workflow data, making it possible for unauthorized people to see this sensitive information.
Flowise, a tool that lets users build custom AI flows through a visual interface, had a mass assignment vulnerability (a bug where user input can change database fields that shouldn't be user-controllable) in versions before 3.1.0 that allowed authenticated users to overwrite existing document storage objects and access objects from other workspaces, potentially breaking access controls (IDOR, or insecure direct object references, where an attacker can access resources by guessing their IDs).
Flowise, a tool for building customized AI language model workflows through a visual interface, had a security flaw in versions before 3.1.0 that let attackers reset any user's password without authorization. The vulnerability existed because the password reset function didn't verify that a valid reset token had been created, so attackers could submit a request with an empty or null token value (which is the default) to change a user's password if they knew the victim's email address.
Flowise, a tool for building AI workflows using a drag-and-drop interface, had a security flaw in versions before 3.1.0 where password reset links were sent over HTTP (unencrypted internet connection) instead of HTTPS (encrypted connection). This allowed attackers on the same network, such as on public Wi-Fi, to intercept these reset links through a MITM attack (man-in-the-middle attack, where someone secretly reads messages between two parties) and take over user accounts.
Flowise, a tool for building customized AI workflows with a drag-and-drop interface, had a security flaw in versions before 3.1.0 that let attackers bypass authentication (skip the login process) and steal OAuth 2.0 access tokens (credentials that grant permission to access other services). Attackers could access public chatflow configuration endpoints (URLs that show workflow settings) to find OAuth credential identifiers and use them to obtain valid access tokens without needing to log in.
Flowise, a tool with a drag-and-drop interface for building customized AI workflows, had security flaws in its request-blocking system before version 3.1.0. These flaws allowed attackers to bypass security protections through DNS Rebinding (a technique where a domain name's IP address changes between security checks) or by exploiting a default configuration that didn't enforce any blocklist, potentially enabling SSRF attacks (Server-Side Request Forgery, where an attacker tricks a server into making unwanted requests).
Flowise, a tool with a drag-and-drop interface for building AI workflows, had a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended locations) in versions before 3.1.0 that let unauthenticated attackers force the server to send requests to internal or external systems by injecting malicious instructions into prompt templates. This could allow attackers to explore internal networks and steal data.
Flowise, a tool for building custom AI workflows through a visual interface, had a vulnerability in versions before 3.1.0 where authenticated users could bypass SSRF protection (a security control that prevents the application from making requests to internal networks). The issue occurred because the Custom Function feature blocked some ways of making network requests but left others unprotected, allowing attackers to potentially access sensitive internal resources like cloud provider metadata services.
Flowise, a tool with a drag-and-drop interface for building customized AI workflows, had a vulnerability before version 3.1.0 where attackers could upload malicious JavaScript files by changing file type settings, even though the user interface normally blocks such uploads. These uploaded files could act as web shells (programs that give attackers control over the server), potentially allowing remote code execution (RCE, where an attacker runs commands on a system they don't own).
Flowise, a tool that lets users visually design custom AI workflows, has a critical vulnerability in versions before 3.1.0 that allows attackers to run any system commands they want without logging in. An attacker can exploit this by using a special keyword (FILE-STORAGE::) and injecting code into an environment variable (NODE_OPTIONS) through a single web request, gaining full control of the Flowise system.
Flowise, a tool for building customized AI workflows through a drag-and-drop interface, had a security flaw in versions before 3.1.0 where attackers could inject malicious data during account registration. This JSON injection (inserting unauthorized code into data fields) vulnerability allowed unauthenticated users to manipulate important metadata like ownership and user roles, potentially breaking security boundaries in systems that host multiple separate organizations.
Flowise, a tool for building customized LLM (large language model) flows through a visual drag-and-drop interface, has a vulnerability in versions before 3.1.0 where an API endpoint exposes sensitive data like API keys and authorization headers without requiring authentication. An attacker who knows only a chatflow UUID (a unique identifier) can steal credentials and other sensitive information from the system.
Flowise is a tool with a visual interface for building customized AI workflows. Before version 3.1.0, the Airtable_Agents component had a security flaw where it ran Python code generated by an AI without proper sandboxing (isolation to prevent unauthorized access). An attacker could use prompt injection (tricking the AI by hiding instructions in user input) to make the AI generate malicious code that runs on the Flowise server.
Flowise is a tool with a drag-and-drop interface for building customized large language model flows. Before version 3.1.0, it had a remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't own) in AirtableAgent.ts because user input was directly inserted into Python code without sanitization (cleaning to remove harmful content), allowing attackers to inject malicious code through the question parameter.
Flowise is a drag-and-drop interface for building customized large language model workflows. Versions before 3.1.0 have a command injection vulnerability (code injection, where attackers can execute arbitrary commands) in the CSVAgent feature because it fails to properly filter user-provided Pandas CSV reading code, allowing attackers to run malicious commands on the server.
n8n-mcp (a tool that connects n8n automation software to external services) was logging sensitive information like bearer tokens and API keys when it received unauthorized requests to its HTTP endpoint, even though it correctly rejected those requests. This happened because the logs captured request metadata before checking authentication, which could expose secrets if logs were shared or stored outside secure boundaries.
Fix: PR #7017 updates the OTLP exporter to limit response body reads to 4MiB (megabytes) in error conditions and only attempt to read the response body when OpenTelemetry error logging is enabled.
GitHub Advisory DatabaseFix: In Pipecat version 0.0.90, the vulnerable LivekitFrameSerializer class was officially deprecated in favor of a safer LiveKitTransport method.
GitHub Advisory DatabaseFix: This vulnerability is fixed in version 3.1.0.
NVD/CVE DatabaseFix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 3.1.0. Update Flowise to version 3.1.0 or later.
NVD/CVE DatabaseFix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Upgrade to version 3.1.0, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update to version 3.1.0, where the vulnerability is fixed.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 3.1.0.
NVD/CVE DatabaseFix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Upgrade Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update to Flowise version 3.1.0 or later, where the vulnerability is fixed.
NVD/CVE DatabaseFix: Update to Flowise version 3.1.0, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update to version 3.1.0 or later.
NVD/CVE DatabaseFix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update to Flowise version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Upgrade to n8n-mcp v2.47.11 or later using 'npx n8n-mcp@latest' for npm or 'docker pull ghcr.io/czlonkowski/n8n-mcp:latest' for Docker. If immediate upgrade is not possible, restrict network access to the HTTP port using a firewall or reverse proxy, or switch to stdio transport mode by setting MCP_MODE=stdio.
GitHub Advisory Database