Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Dagster had a SQL injection vulnerability (a security flaw where attackers can insert malicious SQL commands into database queries) in its database I/O managers (tools that read and write data to databases like DuckDB, Snowflake, and BigQuery). Users with permission to add dynamic partitions (flexible data groupings) could create partition keys that contained SQL commands, which would then execute against the database with the I/O manager's credentials, potentially allowing unauthorized data access or modification.
Fix: Update to the patched versions of Dagster. The fix ensures that partition key values are properly escaped before inclusion in SQL queries across all affected I/O managers. No configuration changes or workarounds are required alongside the update; only the Dagster code version needs to be updated. If unable to apply the update, manual workarounds are described in the referenced gist (https://gist.github.com/gibsondan/6d0c483f8499a8b1cd460cddc9fd8f72).
GitHub Advisory DatabaseOpenTelemetry.Exporter.Jaeger has a memory exhaustion vulnerability where internal pooled lists (reusable memory structures) can grow too large based on big payloads and stay oversized for future use, potentially causing denial of service (making a system unavailable). However, the developers have no plans to fix this because the Jaeger exporter was deprecated in 2023.
Flowise versions up to 3.0.13 have a remote code execution vulnerability in the Airtable Agent node where user input is sent to an LLM (large language model, an AI that generates text) to generate Python code, which is then executed without proper sandboxing. An attacker can craft malicious prompts that trick the LLM into generating code containing dangerous commands (like imports or system operations) that bypass the validation checks, allowing them to run arbitrary code on the server without needing to log in.
OpenTelemetry eBPF Instrumentation (OBI) has a vulnerability where a local attacker controlling a Java process can overwrite arbitrary host files when Java injection is enabled and OBI runs with elevated privileges (special system permissions). The flaw occurs because the injector trusts an environment variable called TMPDIR from the target process without proper validation, and uses unsafe file creation methods that allow symlink attacks (where an attacker creates a link pointing to a different file to trick the system into overwriting it).
Claude Code on Windows had a security flaw where it loaded configuration files from a shared system directory without checking who owned that directory or had permission to change it. Since regular users could write to this directory by default, an attacker could create a malicious configuration file that would run with elevated privileges when another user launched Claude Code, allowing a local privilege escalation (unauthorized access to higher-level permissions).
QQBot media tags in the openclaw package could read arbitrary local files through reply text by referencing host-local paths outside the intended media storage boundary, allowing attackers to disclose local files through outbound media handling. This vulnerability affected openclaw versions before 2026.4.10.
FastGPT, an AI Agent building platform, has a vulnerability in its password change feature in versions before 4.14.9.5 where attackers can use NoSQL injection (inserting MongoDB operators into input fields to manipulate database queries) to bypass password verification and take over accounts without knowing the current password.
FastGPT, an AI Agent building platform, has a NoSQL injection vulnerability (a type of attack where an attacker tricks the database query by inserting special commands) in its login system before version 4.14.9.5. The vulnerability allows unauthenticated attackers to bypass password checks and log in as any user, including administrators, by sending database operators instead of a real password.
OpenClaw missed blocking dangerous environment variables (like VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES) that could be set by users to change how programs start up or behave on the network. This security gap affected OpenClaw versions before 2026.4.10.
Flowise has a text-to-speech endpoint that doesn't require authentication but accepts a credential ID (an identifier for stored API keys like OpenAI or ElevenLabs) directly from user input. An attacker can use this to access someone else's stored API credentials and generate speech using the victim's API account, burning their API credits without permission.
Flowise version 3.0.13 has a security flaw where public chatflow endpoints return unsanitized data (raw information without filtering) that includes plaintext API keys, passwords, and credential IDs (unique references to stored login credentials). This happens because the code returns the complete chatflow object without removing sensitive fields, potentially exposing users' third-party account credentials and internal system architecture.
A vulnerability in `langchain-openai` (a library for connecting to OpenAI's API) allowed attackers to bypass SSRF protection (server-side request forgery, where an attacker tricks a server into making requests it shouldn't) through DNS rebinding (changing what a domain name points to between two lookups). The flaw was in the image token counting feature, which validated URLs in one step and then fetched them in another, giving attackers a window to redirect requests to private networks. The actual risk is limited because stolen data cannot be extracted, though attackers could probe whether internal services exist.
A function in LangChain called `HTMLHeaderTextSplitter.split_text_from_url()` had a security flaw where it checked if a URL was safe initially, but then allowed HTTP redirects (automatic follow-ups to different URLs) without rechecking them. This meant an attacker could provide a safe-looking URL that secretly redirects to internal servers or sensitive cloud services, potentially leaking private data. The vulnerability affects versions of langchain-text-splitters before 1.1.2.
Paperclip, an agent management system, has a critical authorization bypass vulnerability where three API endpoints for managing agent API keys (`POST /api/agents/:id/keys`, `GET /api/agents/:id/keys`, and `DELETE /api/agents/:id/keys/:keyId`) only verify that a user is logged in, but fail to check if they belong to the company that owns the target agent. This allows any authenticated user to create plaintext API tokens for agents in other companies, effectively bypassing the multi-tenant security boundary (the separation that prevents one company's data from being accessed by another).
A Paperclip-managed `codex_local` runtime (a local code execution environment) could access and use a Gmail connector that was only connected in the ChatGPT/OpenAI apps UI, not explicitly set up in Paperclip itself. This trust-boundary failure (a security gap between two systems that should be isolated) allowed the runtime to read emails and send real emails from the user's Gmail account without permission. The vulnerability was made worse because `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, meaning approval checks and execution restrictions are disabled by default.
Paperclip, an AI agent platform, has a critical vulnerability where malicious skills can execute arbitrary shell commands on the server through an unsanitized `runtimeConfig` parameter, allowing attackers to steal sensitive credentials like API keys, database passwords, and authentication secrets stored in environment variables.
Flowise version 3.0.12 contains an authentication bypass vulnerability in its resetPassword function that allows attackers to reset any user's password without authorization. The flaw exists because the resetPassword method fails to verify that a password reset token was actually generated for an account, allowing attackers to submit null or empty string tokens (which are the default values) to bypass authentication and change passwords for users whose accounts were recently created.
Flowise's GraphCypherQAChain node has a cypher injection vulnerability (CWE-943, where attackers inject malicious database commands into user input without sanitization). An attacker with access to a vulnerable chatflow can execute arbitrary Cypher commands on the connected Neo4j database (a graph database), allowing them to read, modify, or delete data.
Flowise's password reset feature sends reset links over HTTP (an unencrypted protocol) instead of HTTPS (encrypted protocol), allowing attackers on the same network (like public Wi-Fi) to intercept the link through a man-in-the-middle attack (where someone secretly reads data between two parties) and take over user accounts.
Flowise has a security flaw where unauthenticated users can obtain OAuth 2.0 access tokens (credentials that grant access to third-party services like Gmail) from public chatflows. An attacker can first retrieve internal workflow data including credential identifiers from a public endpoint, then use those identifiers to refresh OAuth tokens without any authentication checks, potentially gaining unauthorized access to connected services.
Fix: Prefer maintained exporters (for example OpenTelemetry Protocol format (OTLP)) instead of the Jaeger exporter.
GitHub Advisory DatabaseFix: Upgrade to https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.8.0.
GitHub Advisory DatabaseFix: Users on standard Claude Code auto-update have already received this fix. Users performing manual updates are advised to update to the latest version.
GitHub Advisory DatabaseFix: Upgrade to openclaw version 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix. The fix enforces the media storage boundary for all outbound QQBot local file paths, which was implemented in PR #63271.
GitHub Advisory DatabaseFix: Update FastGPT to version 4.14.9.5 or later, where this issue has been fixed.
NVD/CVE DatabaseFix: This issue has been fixed in version 4.14.9.5. Users should upgrade to this version or later.
NVD/CVE DatabaseFix: Users should upgrade to openclaw version 2026.4.10 or newer. The latest npm release, openclaw@2026.4.14, already includes the fix, which expands the denylist (a list of blocked items) in the execution environment security policy to cover these high-risk environment variables.
GitHub Advisory DatabaseFix: Remove the TTS endpoint from the whitelist (the list of endpoints that don't need login), or add a check to ensure the credential ID matches the chatflow's TTS configuration. The source suggests: 'if (!chatflowId) { return res.status(401).json({ message: "Authentication required" }) }' — meaning if no chatflow ID is provided, the endpoint should reject the request with an authentication error.
GitHub Advisory DatabaseFix: According to the source, apply sanitization to both public endpoints by calling `sanitizeFlowDataForPublicEndpoint(chatflow)` before returning the response, and ensure the sanitization function removes all `credential`, `password`, `apiKey`, and `secretKey` fields from the flowData. The source notes this sanitization function exists only in unreleased HEAD code, not in released v3.0.13.
GitHub Advisory DatabaseFix: Upgrade to `langchain-openai` version 1.1.14 or later (which requires `langchain-core` >= 1.2.31). The fix replaces the separate validation and fetch steps with an SSRF-safe httpx transport that resolves DNS once, validates all returned IPs against private/internal ranges in a single operation, pins the connection to the validated IP, and disables redirect following.
GitHub Advisory DatabaseFix: Upgrade to langchain-text-splitters version 1.1.2 or later (which requires langchain-core >= 1.2.31). The fix replaces the unsafe HTTP request method with an SSRF-safe HTTP transport that validates every request, including redirect targets. Additionally, the vulnerable function has been deprecated, and users should instead fetch HTML content themselves and pass it to `split_text()` directly.
GitHub Advisory DatabaseFix: The source states: 'Ensure all sensitive URLs, especially password reset links, are generated and transmitted over secure https:// endpoints only.' It also recommends using HTTPS in all password-related email links and implementing HSTS (HTTP Strict Transport Security, a setting that forces browsers to use encrypted connections).
GitHub Advisory Database