Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
OpenClaw, a local AI assistant tool, had a security flaw where Git environment variables (special settings that control how Git works) were not being removed before running system commands, potentially allowing attackers to redirect Git operations to malicious locations. This vulnerability affected OpenClaw versions up to 2026.3.30.
Fix: Update OpenClaw to version 2026.4.8 or later, which patches the vulnerability by properly removing Git plumbing environment variables before executing host commands.
GitHub Advisory DatabaseLangChain, a framework for building AI agents and applications powered by large language models, had a vulnerability in how it validated f-string templates (a Python feature for inserting variables into text strings). Before versions 0.3.84 and 1.2.28, certain template classes could accept and execute dangerous expressions that should have been blocked, including attribute access and nested replacement fields hidden in format specifiers, which could allow attackers to access unintended data or run unwanted code.
AGiXT, a platform for automating AI agents, has a vulnerability in its safe_join() function (a tool meant to safely combine file paths) that fails to check whether file paths stay within the agent's allowed workspace. Before version 1.9.2, an authenticated attacker could use directory traversal sequences (special path tricks like '../' to navigate outside intended folders) to read, write, or delete files on the server.
OpenClaw, a user-controlled local assistant, had a vulnerability where ClawHub package downloads didn't verify the integrity of downloaded files (a security check ensuring files haven't been tampered with). This meant malicious or corrupted plugin archives could be installed without detection. The vulnerability affected OpenClaw versions 2026.4.1 and earlier.
OpenClaw (a local AI assistant software) had a security bug where the `node.pair.approve` function checked for `operator.write` permissions instead of the more restrictive `operator.pairing` scope, allowing users without proper authorization to approve device pairing on executive-capable nodes. This vulnerability only affects OpenClaw in its single-user trust model and does not impact multi-tenant services.
OpenClaw, a local AI assistant, had a security flaw where WebSocket sessions (persistent connections that allow real-time communication between a client and server) using a shared gateway token remained active even after the token was rotated (changed to a new one). This meant that even after administrators changed the authentication token, old sessions could continue operating without re-authenticating.
OpenClaw, a user-controlled local assistant, had a security flaw where `node.invoke(browser.proxy)` could bypass the `browser.request` guard and modify persistent browser profiles (stored settings that shouldn't be changed without permission). The vulnerability affected versions up to v2026.04.01.
OpenClaw's `device.token.rotate` function had a security flaw where it could create tokens with roles (sets of permissions) that hadn't been properly approved through the required pairing process, potentially letting users gain unauthorized access levels. This vulnerability only affects OpenClaw, which is a local assistant software that runs on a user's own device.
OpenClaw, a local AI assistant tool, had a security vulnerability where certain environment variables (HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS) were not blocked from being passed to system commands, allowing attackers to achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) through malicious build tool settings. This vulnerability affected versions before 2026.4.8.
PraisonAI has a critical vulnerability where the `execute_command` function and workflow shell execution pass user-controlled input directly to `subprocess.run()` with `shell=True`, allowing attackers to inject arbitrary shell commands through YAML workflow files, agent configurations, and LLM-generated tool calls by exploiting shell metacharacters like semicolons and pipes.
LangChain had incomplete validation of f-string templates (a Python feature for inserting variables into text) in some prompt template classes. Attackers who could control the template structure could use attribute access (like `object.field`) or indexing (like `array[0]`) to expose internal data from Python objects being formatted. This issue only affected applications that allow untrusted users to write templates, not those using hardcoded templates or only letting users provide variable values.
A security vulnerability (CVE-2026-5803) was found in bigsk1 openai-realtime-ui that allows attackers to perform SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests to other systems) through the API Proxy Endpoint in server.js by manipulating a query argument, and this flaw can be exploited remotely. The product uses continuous delivery with rolling releases, so specific affected versions are not documented.
n8n-mcp versions 2.47.3 and earlier have an authenticated SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended locations) in multi-tenant HTTP mode. An attacker with a valid authentication token can make the server fetch arbitrary URLs and read the responses, potentially exposing cloud credentials (like AWS IMDS), internal network services, and other sensitive data the server can access.
Zammad, a web-based customer support system, had a server-side template injection vulnerability (a flaw where attackers can inject malicious code into templates that the server processes) in versions before 7.0.1 that could lead to RCE (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability only affects systems where an attacker has administrative access to control the type_enrichment_data configuration setting.
OpenTelemetry's Go SDK has a PATH hijacking vulnerability (PATH hijacking is when an attacker puts a malicious program in a directory that the system searches for commands, so their fake program runs instead of the real one) on BSD and Solaris systems because the `kenv` command is called by its name alone instead of its full path. An attacker with local access can place a malicious `kenv` binary in the system's PATH, which will execute with the application's permissions when OpenTelemetry initializes.
OpenTelemetry Go's OTLP HTTP exporters (tools that send trace, metric, and log data over HTTP) read entire HTTP response bodies into memory without limiting their size, which allows an attacker controlling the collector endpoint to crash the application by sending extremely large responses. This vulnerability affects three exporter components: otlptrace, otlpmetric, and otlplog.
PraisonAI's `execute_code()` function has a critical sandbox escape vulnerability in its subprocess mode. The subprocess uses a blocklist of only 11 forbidden attributes, missing four key attributes (`__traceback__`, `tb_frame`, `f_back`, `f_builtins`) that attackers can chain together through exception handling to access the real Python builtins and execute arbitrary code, completely bypassing the sandbox.
LobeHub's webapi routes use a client-controlled header called `X-lobe-chat-auth` for authentication, but it's only XOR-obfuscated (a simple reversible encoding) with a hardcoded key that's visible in the code. An attacker can forge this header to bypass authentication and access protected routes like chat, model listing, and image generation without logging in, potentially using the server's API credentials or impersonating other users.
NiceGUI has a security flaw where file upload names aren't properly cleaned on Windows. An attacker can use backslashes in filenames to bypass the sanitization check, which only recognizes forward slashes as path separators. This allows them to write files outside the intended upload folder, potentially overwriting important files or running malicious code. Linux and macOS are not affected because they treat backslashes as regular characters in filenames.
IBM Langflow Desktop versions 1.6.0 through 1.8.2 contain a vulnerability that allows an authenticated user (someone who has already logged in) to run arbitrary code on the system. The flaw stems from an insecure default setting that allows deserialization of untrusted data (converting data from an external source back into code without checking if it's safe) in the FAISS component (a component used for similarity searching).
Fix: Update LangChain to version 0.3.84 or 1.2.28 or later, where the f-string validation has been fixed.
NVD/CVE DatabaseFix: Update AGiXT to version 1.9.2, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update to OpenClaw npm package version 2026.4.8 or later. The fix is also available in the main branch at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
GitHub Advisory DatabaseFix: Update OpenClaw to version 2026.4.8 or later. The fix is available in the npm package and has been verified in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 on the main branch.
GitHub Advisory DatabaseFix: Update OpenClaw to version 2026.4.8 or later. The fix is available in the npm package and has been verified in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 on the main branch.
GitHub Advisory DatabaseFix: Update to patched version `2026.4.8` or later. The fix is available in npm and was verified in commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.
GitHub Advisory DatabaseFix: Update OpenClaw to version 2026.4.8 or later. The fix is available in the patched npm version and was merged into the main codebase at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
GitHub Advisory DatabaseFix: Update OpenClaw to version 2026.4.8 or later. The fix was released in npm version 2026.4.8 and is available on the main branch at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
GitHub Advisory DatabaseFix: LangChain now applies consistent f-string safety validation across all prompt template classes. The fix rejects templates containing attribute access or indexing syntax (such as `.` or `[]`) and rejects nested replacement fields inside format specifiers (templates with `{` or `}` in the format specification part). This blocks malicious patterns while preserving normal f-string formatting features.
GitHub Advisory DatabaseFix: Install the patch named 54f8f50f43af97c334a881af7b021e84b5b8310f to address this issue.
NVD/CVE DatabaseFix: Upgrade to n8n-mcp 2.47.4 or later (no configuration changes required). If you cannot upgrade immediately, the source explicitly mentions three workarounds: (1) use egress filtering to block outbound traffic from the n8n-mcp container to private IP ranges (RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local 169.254.0.0/16; (2) disable multi-tenant headers by unsetting ENABLE_MULTI_TENANT and not accepting x-n8n-url / x-n8n-key headers at the reverse proxy if per-request instance switching is not needed; (3) restrict AUTH_TOKEN distribution to fully trusted operators only until you can upgrade.
GitHub Advisory DatabaseFix: This vulnerability is fixed in version 7.0.1. Users should upgrade to Zammad 7.0.1 or later.
NVD/CVE DatabaseFix: Use the absolute path `/bin/kenv` instead of the bare command name. Change line 42 in `sdk/resource/host_id.go` from `r.execCommand("kenv", "-q", "smbios.system.uuid")` to `r.execCommand("/bin/kenv", "-q", "smbios.system.uuid")`.
GitHub Advisory DatabaseFix: Fixed in PR #8108 (https://github.com/open-telemetry/opentelemetry-go/pull/8108).
GitHub Advisory DatabaseFix: Update to LobeHub version 2.1.48 or later, which patches this vulnerability. According to the advisory, the fix involves: stopping use of `X-lobe-chat-auth` as an authentication token, removing the simple apiKey truthiness check as an auth decision, and requiring a real server-validated session, OIDC token (a standard authentication protocol), or validated API key for all protected webapi routes. If client payloads are still needed, they should be signed server-side with an HMAC (a cryptographic signature) or replaced with a normal session-bound backend lookup.
GitHub Advisory Database