Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Daytona, a tool for running AI-generated code safely, had a security flaw before version 0.185.0 where it did not verify TLS certificates (the certificates that prove a server's identity) when cloning Git repositories (copying code from remote servers) over HTTPS. An attacker positioned on the network path (a machine-in-the-middle) could therefore intercept the clone, capture the Git credentials (login information) sent with it, and substitute malicious code for the real repository.
Fix: This vulnerability is fixed in version 0.185.0.
Source: NVD/CVE Database
Open WebUI, a self-hosted AI platform that can run fully offline, had a vulnerability before version 0.9.6 in which an authenticated user could bypass access controls by manipulating the url_idx parameter (the index that selects which Ollama backend, i.e. which AI model server, a request is routed to). The server checked only whether the user was allowed to use the requested model, not whether the user was allowed to reach the backend selected by url_idx, so requests could be routed to internal or admin-disabled Ollama backends.
Open WebUI, the same self-hosted AI platform, had a second flaw in versions before 0.9.6: when Milvus (a vector database) was run in multitenancy mode, access control (ACL, the rules restricting who may read which data) could be bypassed. An attacker could supply a specially crafted collection name that was not sanitized before being used in a database query, allowing them to read data they were not permitted to reach.
Budibase has a DNS rebinding vulnerability in its SSRF protection (DNS rebinding: an attacker-controlled DNS server returns different IP addresses for the same name on successive lookups). The software checks whether a hostname is safe by resolving it and comparing the result against a blocklist, but then performs a separate DNS lookup when it actually connects. This is a time-of-check/time-of-use gap: an attacker controlling the domain's DNS returns a public IP during the safety check and a private or internal IP during the real connection, so the request reaches internal services such as localhost or cloud metadata endpoints.
LangChain, a framework for building AI agents and applications on top of large language models, had a vulnerability before version 1.3.9 where several components that work with file paths did not properly restrict access to the intended directory. Attackers could use glob patterns (wildcards matching multiple files), symlinks (filesystem shortcuts to other files), or specially crafted paths to read files outside that directory, which matters most when an agent passes untrusted input into those components. The result was unauthorized file disclosure.
vLLM (a system for running large language models) versions 0.10.2 through 0.12.x lack proper validation of sparse tensors (data structures with mostly empty values) when processing multimodal embeddings (numerical representations combining text and images). An attacker can send malicious embedding requests with invalid tensor indices to crash the system, exhaust resources, or potentially corrupt memory if the prompt-embeds feature is enabled.
vLLM versions 0.6.3 through 0.9.0 contain ReDoS (regular expression denial of service, where specially crafted text causes regex patterns to consume excessive CPU time) vulnerabilities in several components including the LoRA utility parser, phi4mini tool parser, and OpenAI chat endpoint. An attacker can send malicious input with nested or repeated structures to trigger severe CPU consumption and make the service unavailable.
A vulnerability in pydantic-settings' `NestedSecretsSettingsSource` (a feature that reads secret values from files in a directory) allows attackers to read files outside the configured secrets directory by creating symbolic links (shortcuts that point to other locations on the system). The same flaw also bypasses `secrets_dir_max_size`, a size limit meant to prevent loading excessively large files. This can happen when `secrets_nested_subdir=True` is enabled and an attacker can add symbolic links to the secrets directory.
The LangSmith SDK's `TracingMiddleware` (a component that records and uploads traces of AI application activity) has a vulnerability that lets attackers read arbitrary files from the server's local filesystem and upload them to LangSmith. The attack chains two bugs: data taken from tracing headers is trusted without validating where it came from (CWE-346, origin validation error), and a type-checking failure that should have blocked file access does not (CWE-843, type confusion). Once the files are uploaded, anyone with read access to the LangSmith workspace can view the stolen contents.
The `web_url_read` tool in mcp-searxng has a security flaw called SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal systems). The vulnerability exists because the code checks if a hostname looks private by comparing text strings, but it doesn't actually resolve the hostname using DNS (the system that translates domain names to IP addresses). An attacker can use a domain that resolves to an internal IP address to bypass this check and access sensitive data from internal services.
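The Budibase and mcp-searxng entries above are two halves of the same SSRF lesson: a check on the hostname text never sees where the name actually points, and a check that resolves the name but lets the HTTP client resolve it again is open to rebinding. The Python below is an added example, not code from either project (the mcp-searxng fix described later on this page is written for TypeScript). DNS is replaced by a constructed resolver callable so it runs offline; the hostnames, prefix list and IP addresses are made up for illustration. It shows the string-only check being bypassed, the check-then-reconnect flow ending up at the metadata address after a rebind, and the resolve-validate-pin flow that connects only to the address it validated.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

# Stand-in for DNS so the example runs offline: any callable mapping a hostname to a list
# of IP strings. In real code this is socket.getaddrinfo; only resolution is mocked here.
Resolver = Callable[[str], List[str]]

# Text patterns of the kind a string-only check compares against (constructed list).
PRIVATE_NAME_PREFIXES = ("localhost", "127.", "10.", "192.168.", "169.254.")


def string_check_allowed(url: str) -> bool:
    """Flawed check in the style described for mcp-searxng: looks at the hostname text only."""
    host = urlsplit(url).hostname or ""
    return not host.startswith(PRIVATE_NAME_PREFIXES)


def is_public(ip: str) -> bool:
    """Reject every address class that points at the host itself or an internal network."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_then_reconnect(url: str, resolve: Resolver) -> str:
    """Flawed flow in the style described for Budibase: one lookup to check, a second lookup to connect."""
    host = urlsplit(url).hostname or ""
    if not all(is_public(ip) for ip in resolve(host)):
        raise PermissionError("blocked by pre-check")
    return resolve(host)[0]  # the HTTP client resolves again; a rebinding DNS server answers differently now


def resolve_validate_pin(url: str, resolve: Resolver) -> str:
    """Resolve once, validate every returned address, and hand back the validated IP to connect to."""
    host = urlsplit(url).hostname or ""
    ips = resolve(host)
    if not ips or not all(is_public(ip) for ip in ips):
        raise PermissionError(f"{host} resolves to a non-public address")
    return ips[0]  # connect to this literal IP; send the original name in Host/SNI


class RebindingResolver:
    """Models a TTL-0 rebinding DNS server: public IP on the first query, private IP after that."""

    def __init__(self, public_ip: str, private_ip: str):
        self.answers = [public_ip, private_ip]
        self.queries = 0

    def __call__(self, host: str) -> List[str]:
        self.queries += 1
        return [self.answers[min(self.queries - 1, 1)]]


def demo() -> dict:
    """Exercise the three checks against constructed DNS answers."""
    static = {"evil.example": ["10.0.0.5"], "good.example": ["93.184.216.34"]}
    results = {}
    # A string-only check passes a hostname that resolves to an internal address.
    results["string_check_bypassed"] = (string_check_allowed("http://evil.example/")
                                        and not is_public(static["evil.example"][0]))
    # Check-then-reconnect ends up talking to the metadata service after the rebind.
    results["reconnect_target"] = check_then_reconnect(
        "http://rebind.example/", RebindingResolver("93.184.216.34", "169.254.169.254"))
    # Resolve-validate-pin blocks the internal name and pins the public answer.
    try:
        resolve_validate_pin("http://evil.example/", static.__getitem__)
        results["pinned_evil"] = "allowed"
    except PermissionError:
        results["pinned_evil"] = "blocked"
    results["pinned_good"] = resolve_validate_pin("http://good.example/", static.__getitem__)
    results["pinned_rebind"] = resolve_validate_pin(
        "http://rebind.example/", RebindingResolver("93.184.216.34", "169.254.169.254"))
    return results
```

Pinning only works if the validated IP is the one handed to the socket, with the original hostname supplied separately for the Host header and SNI; and every redirect hop has to go through the same resolve-and-validate step, since a public server can simply redirect to an internal address.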
The SearXNG MCP Server's `web_url_read` tool enforces its 5 MiB (mebibyte) response size limit only by checking the `Content-Length` header returned by an initial HEAD request. When the server omits that header, no size check is applied at all and the tool loads the entire body into memory. An attacker who controls the target URL can therefore make the tool consume unbounded memory and CPU, causing a denial of service (DoS, a situation where the system becomes unavailable).
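The entry above, and the fix recommended for it later on this page (a streaming reader that aborts once a byte counter passes `maxContentLengthBytes`), come down to one rule: a size limit has to be enforced on the bytes actually received, not on a header. The Python below is an added example, not the project's code (mcp-searxng is TypeScript); the streamed body, chunk size and 1 KiB limit are constructed so it runs instantly, and the logic is the same at 5 MiB. Besides the missing-header case the advisory describes, it also feeds the header-only reader a body that under-declares its size, which that reader misses as well.

```python
from typing import Iterable, Optional

MAX_CONTENT_LENGTH_BYTES = 5 * 1024 * 1024  # the 5 MiB limit the tool intends to enforce


class ResponseTooLarge(Exception):
    pass


class ChunkedBody:
    """Stand-in for a server streaming `size` bytes of body; counts how many chunks the reader consumed."""

    def __init__(self, size: int, chunk_size: int):
        self.size, self.chunk_size, self.chunks_consumed = size, chunk_size, 0

    def __iter__(self):
        sent = 0
        while sent < self.size:
            n = min(self.chunk_size, self.size - sent)
            self.chunks_consumed += 1
            yield b"A" * n
            sent += n


def header_only_read(content_length: Optional[str], body: Iterable[bytes], limit: int) -> bytes:
    """The flawed pattern: trust Content-Length; when it is absent, read everything."""
    if content_length is not None and int(content_length) > limit:
        raise ResponseTooLarge("declared size over limit")
    return b"".join(body)  # unbounded once the header is missing (or wrong)


def bounded_read(body: Iterable[bytes], limit: int) -> bytes:
    """Count bytes as they arrive and abort as soon as the running total passes the limit."""
    total, parts = 0, []
    for chunk in body:
        total += len(chunk)
        if total > limit:
            raise ResponseTooLarge(f"body exceeded {limit} bytes while streaming")
        parts.append(chunk)
    return b"".join(parts)


def demo(limit: int = 1024) -> dict:
    """Constructed scenario: a 10x oversized body delivered in 100-byte chunks."""
    oversized, chunk = 10 * limit, 100
    results = {}
    try:
        header_only_read(str(oversized), ChunkedBody(oversized, chunk), limit)
        results["honest_header"] = "accepted"
    except ResponseTooLarge:
        results["honest_header"] = "rejected"
    results["missing_header_bytes"] = len(header_only_read(None, ChunkedBody(oversized, chunk), limit))
    results["lying_header_bytes"] = len(header_only_read("10", ChunkedBody(oversized, chunk), limit))
    streamed = ChunkedBody(oversized, chunk)
    try:
        bounded_read(streamed, limit)
        results["streaming"] = "accepted"
    except ResponseTooLarge:
        results["streaming"] = "aborted"
    results["chunks_before_abort"] = streamed.chunks_consumed  # how much was read before giving up
    results["small_body_bytes"] = len(bounded_read(ChunkedBody(512, chunk), limit))
    return results
```

With a real HTTP client the same counter sits in the loop over `response.iter_content()` (Python) or the `ReadableStream` reader (Node), and the connection is closed on abort so the server cannot keep the worker busy.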
The `EnvironmentManager.restore()` function in Network-AI 5.12.1 is vulnerable to path traversal (a technique where an attacker uses sequences like `../` to access files outside the intended directory). An attacker can pass a malicious backup ID to copy arbitrary files from anywhere on the system into the environment's data folder, potentially exposing sensitive information or breaking environment isolation.
Network-AI versions up to 5.12.1 have a vulnerability in the `EnvironmentManager.backup()` function where it follows symlinks (shortcuts to other directories) when collecting files to back up. An attacker who can create a symlink in the environment data directory can trick the backup process into copying files from outside the intended environment root directory, potentially exposing sensitive information in backup artifacts.
Network-AI's AgentRuntime sandbox uses a flawed string-prefix check to keep file access within a configured base directory, but the check is too broad. A sandbox at `/tmp/network-ai-sandbox` also matches the sibling directory `/tmp/network-ai-sandbox_evil`, allowing agents to read or list files outside the intended sandbox boundary. This vulnerability affects Network-AI version 5.12.1 and has a medium severity CVSS score (a 0-10 rating of how severe a vulnerability is).
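The LangChain, pydantic-settings and three Network-AI entries above share one root cause: deciding whether a path is inside a directory from its string form instead of from where it actually resolves. The Python below is an added example, not code from any of those projects (Network-AI is a Node package); the sandbox layout, secret file and backup identifier are constructed under a temporary directory. It shows the string-prefix check accepting the sibling directory `network-ai-sandbox_evil`, a containment check made on resolved paths that also catches `..` and planted symlinks, an identifier allow-list in the shape the Network-AI patch describes, and a directory walk that refuses to read through symlinks.

```python
import os
import re
import tempfile
from pathlib import Path

# Identifier allow-list in the shape the Network-AI patch describes; re.ASCII keeps \w at
# [A-Za-z0-9_] as in JavaScript. Constructed for this example.
BACKUP_ID_RE = re.compile(r"^[\w\-]+$", re.ASCII)


def prefix_contains(base: str, target: str) -> bool:
    """The flawed check: a plain string-prefix test on the unresolved path."""
    return os.path.abspath(target).startswith(os.path.abspath(base))


def resolved_contains(base: str, target: str) -> bool:
    """Decide containment on fully resolved paths (symlinks followed, '..' collapsed) at a component boundary."""
    base_real = Path(base).resolve()
    try:
        Path(target).resolve().relative_to(base_real)
    except ValueError:
        return False
    return True


def backup_path(backups_dir: str, backup_id: str) -> Path:
    """Validate the identifier before it touches the filesystem, then re-check the resolved location."""
    if not BACKUP_ID_RE.fullmatch(backup_id):
        raise ValueError(f"invalid backup id: {backup_id!r}")
    candidate = Path(backups_dir) / backup_id
    if not resolved_contains(backups_dir, str(candidate)):
        raise ValueError("backup path escapes the backups directory")
    return candidate


def collect_regular_files(root: str) -> list:
    """Walk a tree without following symlinks and return only regular files, relative to root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk still lists symlinked directories in dirnames; prune them so nothing descends by another route.
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # lstat semantics: a symlink is skipped, never read through
                continue
            found.append(os.path.relpath(full, root))
    return sorted(found)


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise every check."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "network-ai-sandbox")
        sibling = os.path.join(tmp, "network-ai-sandbox_evil")
        secret = os.path.join(tmp, "secret.txt")
        os.makedirs(os.path.join(sandbox, "data"))
        os.makedirs(sibling)
        Path(secret).write_text("constructed secret\n")
        Path(sandbox, "data", "notes.txt").write_text("ok\n")
        os.symlink(secret, os.path.join(sandbox, "data", "leak"))  # attacker-planted symlink
        backups = os.path.join(sandbox, ".backups")
        os.makedirs(backups)

        results = {
            "prefix_accepts_sibling": prefix_contains(sandbox, os.path.join(sibling, "x")),
            "resolved_accepts_sibling": resolved_contains(sandbox, os.path.join(sibling, "x")),
            "resolved_accepts_dotdot": resolved_contains(
                sandbox, os.path.join(sandbox, "data", "..", "..", "secret.txt")),
            "resolved_accepts_symlink": resolved_contains(sandbox, os.path.join(sandbox, "data", "leak")),
            "backup_files": collect_regular_files(os.path.join(sandbox, "data")),
            "good_id": backup_path(backups, "snap-2024_01").name,
        }
        try:
            backup_path(backups, "../../secret.txt")
            results["traversal_id"] = "accepted"
        except ValueError:
            results["traversal_id"] = "rejected"
        return results
```

Resolving the path is what makes the difference: `os.path.abspath` collapses `..` but leaves symlinks in place, while `Path.resolve()` follows them, so the planted `leak` link is judged by its target rather than by its name inside the sandbox.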
Langflow's file-reading components (such as Read File and Docling) have a vulnerability where an attacker can place symlinks (filesystem shortcuts pointing at other files) inside an uploaded archive so that, when the archive is unpacked, the component reads any file on the host. An attacker could use this to steal the JWT signing secret (used to issue authentication tokens), forge login tokens for any user, and then run arbitrary code through the Python Interpreter node.
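The archive case above (and the Langflow fix described later on this page, which rejects symlinks, hardlinks and other non-regular entries during TAR extraction) is worth seeing end to end, because the dangerous member is not a file with traversal in its name but a link whose target is outside the archive. The Python below is an added example, not Langflow's `_unpack_bundle`; it constructs a tar in memory with a regular file, a symlink to a secret outside the extraction directory, a hardlink and a `../` member, then extracts only what a filter accepting regular files inside the destination lets through.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_bundle(outside_file: str) -> bytes:
    """Construct an in-memory tar (for this example only): a regular file, a symlink to a file
    outside the extraction directory, a hardlink, and a member whose name climbs out with '..'."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        reg = tarfile.TarInfo("docs/readme.txt")
        reg.size = len(payload)
        tar.addfile(reg, io.BytesIO(payload))

        sym = tarfile.TarInfo("docs/config")       # reading docs/config after extraction would read outside_file
        sym.type = tarfile.SYMTYPE
        sym.linkname = outside_file
        tar.addfile(sym)

        hard = tarfile.TarInfo("docs/alias")       # hardlink inside the archive
        hard.type = tarfile.LNKTYPE
        hard.linkname = "docs/readme.txt"
        tar.addfile(hard)

        esc = tarfile.TarInfo("../escape.txt")     # classic path traversal in the member name
        esc.size = len(payload)
        tar.addfile(esc, io.BytesIO(payload))
    return buf.getvalue()


def safe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Keep only regular files whose resolved path stays under dest; everything else is dropped."""
    dest_real = Path(dest).resolve()
    kept = []
    for member in tar.getmembers():
        if not member.isreg():          # symlinks, hardlinks, devices and FIFOs are all rejected
            continue
        try:
            (dest_real / member.name).resolve().relative_to(dest_real)
        except ValueError:
            continue                    # the name escapes the destination
        kept.append(member)
    return kept


def unpack_bundle(bundle: bytes, dest: str) -> list:
    """Extract with the filter applied and return the relative paths of everything now on disk."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        tar.extractall(dest, members=safe_members(tar, dest))
    written = []
    for dirpath, _, filenames in os.walk(dest):
        written.extend(os.path.relpath(os.path.join(dirpath, n), dest) for n in filenames)
    return sorted(written)


def demo() -> dict:
    """Constructed run: a secret next to the extraction directory, and the hostile bundle above."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret_key")
        Path(secret).write_text("constructed signing secret\n")
        bundle = build_bundle(secret)
        dest = os.path.join(tmp, "extract")
        os.makedirs(dest)
        with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
            names = sorted(m.name for m in tar.getmembers())
        return {"archive_members": names, "extracted": unpack_bundle(bundle, dest)}
```

Recent Python versions (3.12, with backports to 3.8 and later) add a `filter` argument to `extractall`; the `data` filter refuses links that point outside the destination and absolute names, but an explicit allow-list like the one above is easier to audit and also drops links that stay inside, which is what the Langflow fix does.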
An attacker can crash Langflow (an AI application framework) by sending a specially crafted file upload request with an extremely long multipart form boundary (a delimiter used in form data) without needing to log in, making the server unusable for all users indefinitely. The vulnerability exists because the server tries to process the malformed data before checking if the user is authenticated.
Langflow's logout fails to properly end the session: the authentication cookies (access_token_lf and refresh_token_lf) remain in the browser, so the previous user stays logged in until someone else logs in explicitly. The cause is twofold: the logout endpoint does not delete the cookies with the same attributes they were set with (a browser only removes a cookie when the name, domain and path of the deletion match), and the frontend does not clear the stored tokens either. On shared computers, users may believe they have logged out when they have not.
Langflow versions before 1.9.1 had an IDOR vulnerability (insecure direct object reference, where attackers can access resources by guessing or knowing their ID) in the `/api/v1/responses` endpoint that allowed any authenticated user to execute another user's workflow by specifying that user's flow ID, potentially exposing sensitive data and wasting resources. The bug existed because the code queried the database directly using a flow's unique identifier without checking if the requesting user actually owned that flow.
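The Open WebUI url_idx entry and the Langflow flow-ID entry above are the same mistake at two layers: the request was authenticated and one thing it named was authorized (the model, the caller's identity), but the object the request actually acted on (the backend at that index, the flow with that ID) was never checked against the caller. The Python below is an added example, not code from either project; the flow table, user-to-model permissions and backend list are constructed. It shows the vulnerable lookups beside ones that authorize the referenced object, answering "not found" for both missing and foreign objects so the response does not reveal which.

```python
from dataclasses import dataclass
from typing import Set


class NotFound(Exception):
    """Raised for 'does not exist' and 'not yours' alike, so the response does not reveal which."""


@dataclass
class Backend:
    url: str
    enabled: bool
    models: Set[str]


# Constructed data standing in for a flow table and a list of configured Ollama backends.
FLOWS = {
    "flow-alice": {"owner": "alice", "name": "triage"},
    "flow-bob": {"owner": "bob", "name": "payroll"},
}
USER_MODELS = {"alice": {"llama3"}, "bob": {"llama3", "finance-finetune"}}
BACKENDS = [
    Backend("http://ollama-public:11434", True, {"llama3"}),
    Backend("http://ollama-internal:11434", False, {"llama3", "finance-finetune"}),  # admin-disabled
]


def get_flow_vulnerable(flow_id: str, user: str) -> dict:
    """IDOR: the caller is authenticated, but the flow's owner is never compared with the caller."""
    flow = FLOWS.get(flow_id)
    if flow is None:
        raise NotFound()
    return flow


def get_flow(flow_id: str, user: str) -> dict:
    """Ownership check folded into the lookup; missing and foreign flows are indistinguishable."""
    flow = FLOWS.get(flow_id)
    if flow is None or flow["owner"] != user:
        raise NotFound()
    return flow


def pick_backend_vulnerable(user: str, model: str, url_idx: int) -> str:
    """Authorizes the model, then routes to whatever index the client chose."""
    if model not in USER_MODELS[user]:
        raise PermissionError("model not allowed")
    return BACKENDS[url_idx].url


def pick_backend(user: str, model: str, url_idx: int) -> str:
    """Authorize the model AND the backend the request is actually routed to."""
    if model not in USER_MODELS[user]:
        raise PermissionError("model not allowed")
    if not 0 <= url_idx < len(BACKENDS):
        raise NotFound()
    backend = BACKENDS[url_idx]
    if not backend.enabled or model not in backend.models:
        raise NotFound()
    return backend.url


def demo() -> dict:
    results = {"idor_leak": get_flow_vulnerable("flow-bob", "alice")["name"]}
    for key, flow_id in (("fixed_foreign", "flow-bob"), ("fixed_missing", "flow-nope")):
        try:
            get_flow(flow_id, "alice")
            results[key] = "allowed"
        except NotFound:
            results[key] = "not found"
    results["backend_leak"] = pick_backend_vulnerable("alice", "llama3", 1)
    try:
        pick_backend("alice", "llama3", 1)
        results["backend_fixed"] = "allowed"
    except NotFound:
        results["backend_fixed"] = "not found"
    results["backend_ok"] = pick_backend("alice", "llama3", 0)
    return results
```

Putting the owner filter inside the lookup (rather than checking after fetching) is what keeps every route that loads a flow by ID, including the `/api/v1/run*` family the Langflow fix mentions, from forgetting the check.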
The agentic-flow tool versions 2.0.13 and earlier had a critical vulnerability where user input was directly inserted into shell commands without sanitization, allowing attackers to inject arbitrary OS commands (CWE-78, a type of command injection). This affected multiple MCP server tools, particularly those handling agent and database parameters, and could be exploited through untrusted content processed by the AI agent.
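The agentic-flow entry above (and its fix later on this page, which moves every affected call to `execFileSync(file, argv, { shell: false })`) is the textbook CWE-78 case, and the difference between the two forms is easiest to see by running both. The Python below is an added example, not the project's code (agentic-flow is a Node package); it uses `echo` as a stand-in for the tool's real command and a constructed agent name carrying a `$(...)` substitution. It also adds an allow-list, which the advisory does not mention: argv form stops shell parsing, but a name beginning with `-` can still be read as an option by the program it reaches.

```python
import re
import subprocess

MARKER = "INJECTED"
# Constructed attacker-controlled agent name; a shell treats $(...) as a command to run.
HOSTILE_AGENT = f"agent-$(echo {MARKER})"
AGENT_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")  # illustrative allow-list, not the project's


def run_vulnerable(agent_name: str) -> str:
    """String interpolation into a shell command line: the CWE-78 pattern the advisory describes."""
    return subprocess.run(f"echo {agent_name}", shell=True, capture_output=True,
                          text=True, check=True).stdout.strip()


def run_fixed(agent_name: str) -> str:
    """Argument vector, no shell: the name reaches the program as one literal argv element."""
    return subprocess.run(["echo", agent_name], capture_output=True,
                          text=True, check=True).stdout.strip()


def run_validated(agent_name: str) -> str:
    """Defense in depth: argv form stops shell parsing but not option injection (a name starting
    with '-'), so also reject anything outside a tight allow-list before it becomes an argument."""
    if not AGENT_NAME_RE.fullmatch(agent_name):
        raise ValueError(f"rejected agent name: {agent_name!r}")
    return run_fixed(agent_name)


def demo() -> dict:
    """Run the hostile name through all three paths (requires a POSIX shell and an echo binary)."""
    results = {"vulnerable": run_vulnerable(HOSTILE_AGENT), "fixed": run_fixed(HOSTILE_AGENT)}
    try:
        run_validated(HOSTILE_AGENT)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    results["validated_ok"] = run_validated("agent-7")
    return results
```

The same rule applies when the argument has to be passed to a program that itself takes a command line (for example `ssh host cmd`): the inner side is a shell again, and quoting with `shlex.quote` is then needed in addition to the argv form.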
Fix for the Open WebUI url_idx backend bypass: upgrade to Open WebUI 0.9.6 or later.
Source: NVD/CVE Database
Fix for the Open WebUI Milvus ACL bypass: upgrade to Open WebUI 0.9.6 or later.
Source: NVD/CVE Database
Fix for the LangChain file-path disclosure: upgrade to LangChain 1.3.9 or later.
Source: NVD/CVE Database
Fix for the LangSmith `TracingMiddleware` file read: upgrade the LangSmith Python SDK to version 0.8.18 or later. Until you can upgrade, do not expose `TracingMiddleware` to untrusted HTTP traffic and limit workspace trace-read access to trusted members only.
Source: GitHub Advisory Database
Fix for the mcp-searxng `web_url_read` SSRF: the advisory recommends modifying `src/url-reader.ts` so that `assertUrlAllowed()` performs DNS resolution before fetching. Specifically: import `lookup` from `node:dns/promises`, make `assertUrlAllowed()` async, resolve the hostname, and reject the request if any resolved address is private. All callers of `assertUrlAllowed()` must then `await` the now-async function. Note that resolving in the check and letting `fetch` resolve the name again when connecting leaves the DNS rebinding window described in the Budibase entry above; a complete fix connects to the address that was validated.
Source: GitHub Advisory Database
Fix for the SearXNG MCP Server `web_url_read` DoS: the advisory recommends replacing both `response.text()` calls with a streaming reader that aborts once the byte counter exceeds `maxContentLengthBytes`, but gives no implementation.
Source: GitHub Advisory Database
Fix for the Network-AI `EnvironmentManager.restore()` path traversal: fixed in v5.12.2; install with `npm install network-ai@5.12.2`. The patched version validates backup IDs against `/^[\w\-]+$/` (letters, digits, underscores and hyphens only) and confirms that the resolved backup path stays within the `.backups/` directory before touching the filesystem.
Source: GitHub Advisory Database
Fix for the Network-AI `EnvironmentManager.backup()` symlink following: fixed in v5.12.2; install with `npm install network-ai@5.12.2`. The patch changes `_collectBackupFiles()` to use `lstatSync` instead of `statSync` (so a symlink is seen as a link rather than as the file it points to) and skips any entry for which `isSymbolicLink()` is true, so the backup never follows symlinks outside the environment root.
Source: GitHub Advisory Database
The `ApprovalInbox` HTTP server in network-ai (version 5.11.0 and earlier) requires no authentication and sends permissive cross-origin headers (CORS, cross-origin resource sharing, is the browser mechanism that controls which websites may read responses from a server). Anyone who can reach the server, whether a local process, a web page the user visits in their browser, or a peer on the network, can list pending approvals and approve them, bypassing the human-in-the-loop control (a safety check requiring a person to review high-risk actions before they run). This defeats the protection meant to stop the agent from executing dangerous operations such as shell commands without consent.
Fix for the network-ai `ApprovalInbox` exposure: fixed in v5.12.2 (commit a59c13a); upgrade to that version or later.
Source: GitHub Advisory Database
Fix for the Langflow archive symlink file read: upgrade to Langflow 1.9.2 or later. The fix modifies `BaseFileComponent._unpack_bundle` to reject symlinks, hardlinks and other non-regular entries during TAR extraction, and adds further symlink filtering during directory recursion and after extraction.
Source: GitHub Advisory Database
Fix for the Langflow multipart boundary DoS: upgrade to Langflow 1.0.19 or later. The fix adds a `check_boundary` HTTP middleware that validates the multipart boundary against `^[\w\-]{1,70}$` and rejects malformed requests with HTTP 422 before the body is parsed. The upload endpoint also now requires authentication (`get_current_active_user`) and returns HTTP 403 if the user does not own the flow.
Source: GitHub Advisory Database
Fix for the Langflow logout session persistence: upgrade to Langflow 1.7.0 or later. The fix (PRs #10527 and #10528) makes the logout endpoint delete the authentication cookies with the same parameters (httponly, samesite, secure, domain) they were created with, and the frontend now clears auth cookies on logout.
Source: GitHub Advisory Database
Fix for the Langflow `/api/v1/responses` IDOR: update to Langflow 1.9.1 or later. The fix, released on 2026-04-22 in PR #12832, adds ownership verification: when a flow is looked up by ID, the server checks that the requesting user owns it and otherwise returns 404 (neither granting access nor revealing that the flow exists). The check applies to both UUID lookups and endpoint-name lookups, and adds further protection to related endpoints such as the `/api/v1/run*` routes.
Source: GitHub Advisory Database
Fix for the agentic-flow command injection: upgrade to agentic-flow 2.0.14 or later. The fix rewrites all affected command invocations to use `execFileSync(file, argv, { shell: false })`, which passes arguments to the program directly without shell parsing, so metacharacters in user input are no longer interpreted. Downstream packages (ruflo@3.12.4, claude-flow@3.12.4, @claude-flow/cli@3.12.4) have been updated to pull the patched version.
Source: GitHub Advisory Database