Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
A man named Daniel Moreno-Gama was arrested after throwing a Molotov cocktail (an improvised incendiary weapon) at OpenAI CEO Sam Altman's home and later attacking OpenAI's headquarters. Moreno-Gama was motivated by concerns about AI posing an existential threat to humanity and had planned the attack in advance, as documented in a written statement found by police. Sam Altman responded by calling for reduced hostile rhetoric within the AI industry.
A vulnerability in keras version 3.13.0 allows attackers to run their own code when a model is loaded, even when `safe_mode=True` (a setting meant to prevent unsafe operations). The problem occurs because the `TFSMLayer` class loads external TensorFlow SavedModels (pre-trained model files) without checking if they're safe, and doesn't properly validate file paths or configuration data.
A vulnerability (CVE-2026-6129) was found in the CowAgent component of zhayujie's chatgpt-on-wechat software up to version 2.0.4, where missing authentication (failure to verify user identity) in the Agent Mode Service allows attackers to perform unauthorized actions remotely. The exploit is publicly available and the developers have not yet responded to the initial report of the problem.
CVE-2026-6126 is a missing authentication vulnerability in zhayujie chatgpt-on-wechat CowAgent version 2.0.4, affecting an administrative HTTP endpoint (a web-based control interface). An attacker can remotely exploit this flaw without needing valid credentials, and the exploit code has been publicly released.
FastGPT (a platform for building AI agents) has a broken access control vulnerability (IDOR/BOLA, a flaw where one user can access another user's data by guessing or changing IDs) that allows any authenticated team to run AI applications belonging to other teams by using a different application ID. The system checks that users are logged in but doesn't verify that the application they're trying to use actually belongs to their team, leading to unauthorized access to private AI workflows across teams.
n8n-mcp (a tool for connecting AI systems to external services) had security problems where certain HTTP endpoints (the connection points a program offers over the internet) didn't require authentication and exposed sensitive system information. An attacker with network access could shut down active sessions and gather details to plan further attacks.
The LangSmith JavaScript SDK contains a prototype pollution vulnerability (a type of attack where an attacker modifies the base object that all JavaScript objects inherit from) in its internal lodash `set()` function. The vulnerability exists because the code only blocks the `__proto__` key but allows attackers to bypass this protection using `constructor.prototype` instead, potentially affecting all objects in a Node.js application if they control data being processed by the `createAnonymizer()` API.
PraisonAI's browser bridge server (started with `praisonai browser start`) has a security flaw where it accepts WebSocket connections (a two-way communication channel between a client and server) without proper authentication checks. An attacker on the network can connect without credentials, trick the server into linking their connection to a legitimate browser extension session, and then intercept all commands and responses from that session, effectively taking control of the browser automation without permission.
FastGPT, an AI Agent building platform, has a vulnerability in versions before 4.14.10.3 where an endpoint accepts URLs without proper authentication checks, allowing unauthenticated attackers to perform SSRF (server-side request forgery, where an attacker tricks the server into making requests to internal network resources) attacks against internal systems. The vulnerability exists because the internal IP check is disabled by default.
OpenClaw versions 2026.2.13 through 2026.3.24 have an ANSI escape sequence injection vulnerability (a bug where attackers can sneak special terminal control codes into the system) in approval prompts that allows attackers to trick the terminal display by manipulating tool metadata. This means an attacker could use malicious tool names containing these control sequences to make false information appear in approval prompts and permission logs.
LiteLLM (a library for working with multiple AI models) versions through April 8, 2026 contain a vulnerability that allows remote attackers to execute arbitrary code (run commands they shouldn't be able to run) through bytecode rewriting (modifying compiled code) at a specific web endpoint called /guardrails/test_custom_code. This is a serious security flaw because attackers on the internet could potentially take control of systems running vulnerable versions.
A path traversal vulnerability (a weakness that lets attackers access files outside their intended directory) was found in the chatgpt-on-wechat CowAgent software version 2.0.4 and earlier, specifically in the memory API endpoint where it processes a filename argument. This flaw can be exploited remotely by attackers, and proof-of-concept code has already been published online.
OpenAI discovered that Axios, a third-party developer library (a pre-written code package used to build software), was compromised in a software supply chain attack (where attackers infiltrate widely-used tools to affect many companies at once) on March 31, 2026, and their macOS app-signing process briefly used a malicious version. OpenAI found no evidence that user data or systems were compromised, but is revoking and updating their security certificates (digital credentials that verify software is authentic) and requiring all macOS users to update their OpenAI apps to prevent the risk of fake apps appearing legitimate. As of May 8, 2026, older versions of ChatGPT Desktop (before 1.2026.051), Codex App (before 26.406.40811), Codex CLI (before 0.119.0), and Atlas (before 1.2026.84.2) will no longer receive updates and may stop working.
PraisonAIAgents is a system that coordinates multiple AI agents working together as teams. Before version 1.5.128, the web_crawl() function didn't check URLs before fetching them, allowing attackers or malicious content to trick agents into accessing sensitive internal systems, cloud configuration data, or local files through specially crafted URLs like file:// paths.
PraisonAIAgents (a system that coordinates multiple AI agents working together) versions before 1.5.128 contain a vulnerability in the read_skill_file() function that allows reading any file from a computer's filesystem without restrictions. An attacker using prompt injection (tricking an AI by hiding instructions in its input) could exploit this to steal sensitive files, because unlike other file-reading functions in the same system, read_skill_file() lacks both boundary protections and approval requirements.
PraisonAI versions before 4.5.128 have a security flaw in their /media-stream WebSocket endpoint (a connection protocol for real-time communication) that allows anyone to connect without proving who they are or validating they're authorized. When attackers connect, the server automatically opens a session to OpenAI's API using its own credentials, and since there are no limits on how many connections or messages are allowed, an attacker can drain the server's resources and use up the victim's OpenAI API credits.
PraisonAI, a system for managing multiple AI agents working together, had a vulnerability in versions before 4.5.128 where the deploy.py file didn't check if certain configuration values (openai_model, openai_key, and openai_base) contained commas before putting them into a command. Since commas are used as separators in the gcloud deployment command, an attacker could sneak extra commas into these values to inject arbitrary environment variables (settings that control how the deployed service behaves) into the cloud service.
PraisonAI, a system that uses multiple AI agents to work together as teams, has a vulnerability in versions before 4.5.128 where it displays agent output as HTML without properly cleaning it first. An attacker can inject malicious JavaScript code (code that runs in a web browser) through poisoned data or tricked prompts, and this code will execute when someone views the output.
PraisonAIAgents (a system for running multiple AI agents as teams) has a critical vulnerability in versions before 1.5.128 where user-controlled commands are passed directly to subprocess.run() with shell=True (a function that executes system commands), allowing attackers to inject shell metacharacters (special characters like pipes and semicolons that the shell interprets as instructions) and run arbitrary code. An attacker who gains file-write access through prompt injection (tricking an AI by hiding malicious instructions in its input) can modify the .praisonai/hooks.json configuration file to execute malicious code automatically every time the agent runs.
Fix: This vulnerability is fixed in version 4.14.10.4. Users should upgrade to FastGPT 4.14.10.4 or later.
NVD/CVE DatabaseFix: Fixed in v2.47.6, where all MCP session endpoints now require Bearer authentication (a token-based security method). If you cannot upgrade immediately, you can restrict network access using firewall rules, reverse proxy IP allowlists, or a VPN to allow only trusted clients. Alternatively, use stdio mode (MCP_MODE=stdio) instead of HTTP mode, since stdio transport does not expose HTTP endpoints and is not affected by this vulnerability.
GitHub Advisory DatabaseFix: Fixed in version 0.5.18. Users should update their `langsmith` package to 0.5.18 or later.
GitHub Advisory DatabasePraisonAI Agents has a security flaw where tool approval decisions are cached by tool name only, not by the specific command arguments. Once a user approves the `execute_command` tool (a function that runs shell commands) for any command like `ls -la`, all future shell commands in that session bypass the approval prompt entirely. Combined with the fact that all environment variables (including API keys and credentials) are passed to subprocesses, an LLM agent can silently steal sensitive data without asking permission again.
Fix: Update FastGPT to version 4.14.10.3 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Upgrading to version 2.0.5 mitigates this issue. The patch identifier is 174ee0cafc9e8e9d97a23c305418251485b8aa89.
NVD/CVE DatabaseFix: Update to the latest versions of OpenAI's macOS apps through in-app update or official links. OpenAI also addressed the root cause by fixing the GitHub Actions workflow misconfiguration: the workflow previously used a floating tag instead of a specific commit hash and lacked a configured minimumReleaseAge for new packages; these have been corrected. OpenAI rotated the macOS code signing certificate, published new builds of all affected macOS products with the new certificate, and worked with Apple to prevent software notarization using the previous certificate.
OpenAI BlogFix: Update PraisonAIAgents to version 1.5.128 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update PraisonAIAgents to version 1.5.128 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update PraisonAI to version 4.5.128 or later, which fixes this vulnerability.
NVD/CVE DatabaseFix: Upgrade PraisonAI to version 4.5.128 or later, which fixes this vulnerability.
NVD/CVE DatabaseFix: Update PraisonAI to version 4.5.128 or later, which includes a fix for this vulnerability.
NVD/CVE DatabaseFix: Update PraisonAIAgents to version 1.5.128 or later, where this vulnerability is fixed.
NVD/CVE Database