Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where attackers can execute arbitrary commands (run any code they want) by inserting shell metacharacters (special characters like $() that tell the system to run commands) into file paths. Even though the code tries to protect these paths by wrapping them in double quotes, the POSIX shell (the command-line interface on Unix/Linux systems) still processes these injected expressions, giving attackers the same permissions as the user running the CLI.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where attackers can run arbitrary commands by manipulating the TERMINAL environment variable (a setting that controls which terminal program to use). When the software constructs shell commands, it doesn't properly sanitize the TERMINAL variable, allowing attackers to inject shell metacharacters (special characters that have meaning to command interpreters) that get executed with the user's privileges.
text-generation-webui is an open-source web interface for running Large Language Models (AI systems that generate text). Before version 4.1.1, the application allowed users to save extension settings as Python files (code files that run on servers) in the main app directory, which could let attackers overwrite important Python files like 'download-model.py' and execute malicious code when users tried to download a new model.
PartitionedDataset in kedro-datasets had a path traversal vulnerability (a security flaw where an attacker uses ".." sequences to access files outside an intended directory) that allowed attackers to write files anywhere on a system by including ".." in partition IDs (identifiers for data sections). This affected all users regardless of storage type, local or cloud-based.
KubeAI, a tool that runs AI models on Kubernetes (a system for managing containerized applications), has a vulnerability in versions before 0.23.2 where attackers can inject malicious shell commands (arbitrary code execution instructions) through Model resource creation. The flaw exists because the ollamaStartupProbeScript() function doesn't properly validate user input when building commands that run during startup checks.
A vulnerability (CVE-2026-5530) has been discovered in Ollama up to version 18.1 that allows attackers to perform SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests on their behalf) through the Model Pull API component. The flaw can be exploited remotely by authenticated users, and the vendor has not responded to disclosure attempts.
Directus has a security flaw in its TUS resumable upload endpoint (a feature that lets users upload files in chunks) that lets any authenticated user overwrite any file in the system by specifying its UUID (unique identifier), bypassing row-level permissions (rules like 'users can only edit their own files'). This can lead to permanent data loss and allow low-privilege users to replace important files with malicious content.
BentoML's Dockerfile generation uses an unsandboxed Jinja2 template engine (a tool that processes template files with dynamic code) with dangerous extensions enabled, allowing attackers to embed malicious code in a template file. When a victim imports a malicious bento archive and runs the containerize command, the attacker's code executes directly on the victim's host machine before any container isolation happens, rather than inside a container where it would be restricted.
BentoML has a command injection vulnerability in its cloud deployment setup script where user-supplied system packages are inserted directly into shell commands without proper escaping. An attacker can craft a malicious bentofile.yaml file that executes arbitrary commands on BentoCloud's build infrastructure (the servers that prepare applications for deployment) when the application is deployed, potentially stealing secrets or compromising the infrastructure.
LiteLLM had a security flaw where JWT authentication (a method to verify user identity using encoded tokens) could be bypassed through a cache key collision. When JWT authentication was enabled, the system only used the first 20 characters of a token as a cache key, and since different tokens from the same signing algorithm could have identical first 20 characters, an attacker could create a fake token matching a legitimate user's cached token and gain their permissions. The flaw only affects deployments with JWT/OIDC authentication explicitly enabled, which is not the default configuration.
LiteLLM had a security flaw where an authenticated user could access a configuration endpoint (`/config/update`) without needing admin permissions, allowing them to modify settings, run malicious code, read files, or take over admin accounts. The vulnerability affected any user who already had login access to the system.
Mesop, a web framework, has a vulnerability in its WebSocket (a protocol for real-time two-way communication between client and server) handler where it creates a new operating system thread for every incoming message without any limits. An attacker can send thousands of messages rapidly, exhausting the server's thread capacity and causing an Out of Memory error that crashes the application for all users.
vLLM's `VideoMediaIO.load_base64()` method has a vulnerability where it processes `video/jpeg` data URLs (a vLLM-specific format for sending multiple JPEG frames) without limiting how many frames can be included. An attacker can send thousands of comma-separated base64-encoded JPEG frames in a single API request, causing the server to decode all of them into memory at once and crash due to running out of memory (OOM, or out-of-memory error).
vLLM (a language model serving framework) has a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended targets) in its batch processing feature. An attacker who can submit batch input JSON can make the vLLM server send arbitrary HTTP requests to any URL, including internal services like cloud metadata endpoints, because the `download_bytes_from_url` function has no restrictions on which domains or IP addresses it will contact.
MLflow (an open-source machine learning platform) has a vulnerability where certain API endpoints under `/ajax-api/3.0/jobs/*` skip authentication checks (verification of who you are) even when basic-auth protection is enabled. If job execution is turned on, attackers can submit, run, read, and cancel jobs without logging in, potentially leading to remote code execution (running malicious commands on the server) or causing denial of service attacks (making the system unavailable).
FastMCP (a framework for building MCP applications, which are tools that extend AI assistants) has a command injection vulnerability (a security flaw where an attacker can run unauthorized commands) in versions before 3.2.0 on Windows. When server names contain shell metacharacters like '&', they can be misinterpreted by the Windows command interpreter and allow attackers to execute malicious commands during installation.
vLLM's OpenAI-compatible API server has a denial-of-service vulnerability where an attacker can send a request with an extremely large `n` parameter (a value that controls how many independent response sequences to generate). Because the server doesn't validate an upper limit on this parameter, it attempts to create millions of copies of the request object in memory, which overwhelms the system and causes it to crash from running out of memory (OOM, out-of-memory).
OpenClaw, an LLM agent framework, had a vulnerability where an AI agent could bypass approval controls by using a `config.patch` command (a way to modify settings) to silently disable execution approval requirements. This means an agent could potentially perform restricted actions without human permission.
Fix: This vulnerability is fixed in version 4.1.1.
NVD/CVE DatabaseFix: Upgrade to kedro-datasets version 9.3.0 or later. The patch normalizes paths using `posixpath.normpath` and validates that resolved paths stay within the dataset base directory before use, raising a `DatasetError` if the path escapes. For users unable to upgrade, manually validate partition IDs to ensure they do not contain ".." path components before passing them to PartitionedDataset.
GitHub Advisory DatabaseFix: Upgrade to version 0.23.2 or later, which fixes this vulnerability.
NVD/CVE DatabaseDirectus, a content management system, failed to properly sanitize sensitive data (like user tokens, two-factor authentication secrets, and API keys) before storing them in revision history records. This meant that anyone with access to the revision database table could read these secrets in plaintext, potentially allowing account takeover or unauthorized access to third-party services.
Fix: Disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required.
GitHub Advisory DatabaseThe mobile_open_url tool in mobile-mcp doesn't check what type of URL scheme (the protocol prefix like http:// or tel://) it receives before sending it to Android, allowing attackers to use prompt injection (tricking an AI by hiding instructions in its input) to execute dangerous commands like making phone calls, sending SMS messages, or accessing private data on a connected mobile device.
Fix: Upgrade to version 0.0.50 or later, which restricts mobile_open_url to http:// and https:// schemes by default. Users who require other URL schemes can opt in by setting the environment variable MOBILEMCP_ALLOW_UNSAFE_URLS=1.
GitHub Advisory DatabaseFix: Fixed in v1.83.0, where the cache key now uses the full hash of the JWT token instead of just the first 20 characters. Alternatively, disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.
GitHub Advisory DatabaseFix: Fixed in v1.83.0. The endpoint now requires `proxy_admin` role. As a temporary workaround, restrict API key distribution, though there is no configuration-level workaround available.
GitHub Advisory DatabaseFix: The source text recommends four mitigation strategies: (1) Use a bounded thread pool (such as ThreadPoolExecutor with max_workers), (2) Introduce per-connection rate limiting, (3) Implement a message queue with backpressure (preventing queue overflow by slowing down senders), or (4) Consider migrating to an async event loop model instead of spawning OS threads. No specific patch version or code fix is provided.
GitHub Advisory DatabaseFix: Update FastMCP to version 3.2.0 or later, where this issue has been patched.
NVD/CVE DatabaseFix: The vulnerability was fixed in commit 76411b2afc4ae721e36c12e0ea24fd23e2fed61e on 2026-03-27 and released in version 2026.3.28. Users should update to OpenClaw version 2026.3.28 or later.
GitHub Advisory Database