aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

2137 items

GHSA-jfjg-vc52-wqvf: BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

high vulnerability
security
Mar 26, 2026
CVE-2026-33744

BentoML has a command injection vulnerability in the `docker.system_packages` field of bentofile.yaml (a configuration file). User-provided package names are inserted directly into Docker build commands without sanitization, allowing attackers to execute arbitrary shell commands as root during the image build process. This affects all versions supporting this feature, including version 1.4.36.

Fix: The source text suggests two explicit fixes: (1) Input validation (recommended): Add a regex validator to `system_packages` in `build_config.py` that only allows alphanumeric characters, dots, plus signs, hyphens, underscores, and colons. (2) Output escaping: Apply `shlex.quote()` to each package name before interpolation in `images.py:system_packages()` and apply the `bash_quote` Jinja2 filter in `base_debian.j2`. The source notes that a `bash_quote` filter already exists in the codebase but is only currently applied to environment variables, not `system_packages`.

GitHub Advisory Database

CVE-2026-33634: Aquasecurity Trivy Embedded Malicious Code Vulnerability

critical vulnerability
security
Mar 25, 2026
CVE-2026-33634
Actively Exploited

Aquasecurity Trivy, a container scanning tool, has embedded malicious code that could let attackers steal sensitive information from CI/CD environments (the automated systems that build and deploy software), including security tokens, SSH keys (authentication credentials for servers), cloud login information, database passwords, and other secrets stored in memory. This is a supply-chain compromise (malicious code inserted into a software product before distribution) and is currently being exploited by real attackers.

Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Additional vendor-provided guidance must be followed to ensure full remediation. See GitHub advisory GHSA-69fq-xp46-6x23 and NVD entry CVE-2026-33634 for more information.

CISA Known Exploited Vulnerabilities

GHSA-43v7-fp2v-68f6: n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

medium vulnerability
security
Mar 25, 2026
CVE-2026-33724

n8n's Source Control feature, when configured to use SSH (a secure network protocol), disabled host key verification, meaning it didn't confirm the identity of the Git server it was connecting to. An attacker on the network could trick n8n into connecting to a fake server and inject malicious code into workflows or steal repository data.

Fix: The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily disable the Source Control feature if not actively required, or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

GitHub Advisory Database

GHSA-fxcw-h3qj-8m8p: n8n Has External Secrets Authorization Bypass in Credential Saving

high vulnerability
security
Mar 25, 2026
CVE-2026-33722

n8n, a workflow automation tool, had a security flaw where authenticated users without permission could bypass authorization checks and access plaintext values of external secrets (credentials stored in connected vaults) by guessing secret names. This vulnerability only affects instances with external vaults configured and requires the attacker to be a valid user who knows the target secret's name.

Fix: The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n access to fully trusted users only or disable external secrets integration until the patch can be applied, though these workarounds do not fully remediate the risk.

GitHub Advisory Database

GHSA-vpgc-2f6g-7w7x: n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

medium vulnerability
security
Mar 25, 2026
CVE-2026-33720

n8n versions with `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` set to true have an authorization bypass vulnerability where attackers can trick users into connecting their OAuth tokens (credentials used for third-party authentication) to attacker-controlled accounts, allowing the attacker to run workflows with those stolen credentials. This only affects instances where this setting is explicitly enabled, which is not the default configuration.

Fix: The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required and restrict access to the n8n instance to fully trusted users only (though these workarounds do not fully remediate the risk and should only be used as short-term measures).

GitHub Advisory Database

GHSA-xw7x-h9fj-p2c7: OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

critical vulnerability
security
Mar 25, 2026
CVE-2026-33701

OpenTelemetry Java instrumentation versions before 2.26.1 have a vulnerability in RMI instrumentation where incoming data is deserialized without proper validation, allowing attackers with network access to potentially execute arbitrary code on the affected system. The attack requires three conditions: OpenTelemetry must be running as a Java agent, an RMI endpoint (remote method invocation, a Java system for calling methods on remote servers) must be accessible over the network, and a gadget-chain-compatible library (a collection of existing code that can be chained together to execute unintended commands) must be present.

Fix: Upgrade to OpenTelemetry version 2.26.1 or later. Alternatively, disable RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`.

GitHub Advisory Database

GHSA-7p48-42j8-8846: Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure)

medium vulnerability
security
Mar 25, 2026
CVE-2026-33682

Streamlit Open Source versions before 1.54.0 on Windows have an unauthenticated SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making unintended network requests) in how it handles file paths. An attacker can supply a malicious UNC path (a Windows network address like \\attacker-host\share) that causes the Streamlit server to initiate SMB connections (the protocol Windows uses for file sharing) and leak NTLMv2 credential hashes (authentication proof) of the user running Streamlit, which could then be used in relay attacks or password cracking.

Fix: The vulnerability has been fixed in Streamlit Open Source version 1.54.0. It is recommended that all Streamlit deployments on Windows be upgraded immediately to version 1.54.0 or later.

GitHub Advisory Database

GHSA-c545-x2rh-82fc: n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover

high vulnerability
security
Mar 25, 2026
CVE-2026-33665

n8n (a workflow automation platform) had a security flaw where LDAP authentication (a directory service for user identity management) would automatically link an LDAP user account to an existing local account if their email addresses matched. An attacker could change their LDAP email to match an administrator's email and gain full access to that account, with the unauthorized access persisting even after the email was changed back. This only affects n8n instances that have LDAP authentication specifically enabled.

Fix: The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later. If immediate upgrading is not possible, administrators can: disable LDAP authentication temporarily, restrict LDAP directory permissions so users cannot modify their own email attributes, or audit existing LDAP-linked accounts for unexpected associations. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.

GitHub Advisory Database

GHSA-m63j-689w-3j35: n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition

high vulnerability
security
Mar 25, 2026
CVE-2026-33663

n8n Community Edition has a security flaw where authenticated users with basic permissions can steal plaintext secrets from other users' HTTP credentials (like basic auth or header auth) by exploiting flaws in how credentials are looked up and validated. This happens because the system doesn't properly check who owns a credential and skips security checks for generic HTTP credential types. This only affects Community Edition, not the paid Enterprise version.

Fix: Upgrade to n8n version 1.123.27, 2.13.3, or 2.14.1 or later. If upgrading is not immediately possible, administrators should restrict instance access to fully trusted users only and audit stored credentials to rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed, though these workarounds do not fully remediate the risk.

GitHub Advisory Database

GHSA-58qr-rcgv-642v: n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode

critical vulnerability
security
Mar 25, 2026
CVE-2026-33660

n8n, a workflow automation tool, has a security flaw in its Merge node's SQL mode that allows authenticated users to read files from the server and execute arbitrary code (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability exists because the AlaSQL sandbox (a restricted environment meant to safely run SQL code) did not properly block certain dangerous SQL statements.

Fix: The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. Note: these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

GitHub Advisory Database

GHSA-8g29-8xwr-qmhr: @grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

low vulnerability
security
Mar 25, 2026

The @grackle-ai/server package fails to handle errors when parsing JSON configuration data in three locations within its gRPC service (a remote procedure call system for inter-process communication). If the underlying SQLite database becomes corrupted or enters an unexpected state, the code could crash without gracefully reporting an error, and the unvalidated parsed data could theoretically be exploited if the database is compromised.

Fix: Wrap the JSON.parse() calls in try-catch blocks to handle errors gracefully. The source provides this exact fix:

```typescript
let config: Record<string, unknown>;
try {
  config = JSON.parse(env.adapterConfig) as Record<string, unknown>;
} catch {
  throw new ConnectError("Invalid adapter configuration", Code.Internal);
}
```

Apply this pattern to all three affected locations in packages/server/src/grpc-service.ts (lines 415, 482, and 498).

GitHub Advisory Database

GHSA-5j35-xr4g-vwf4: @grackle-ai/server has a Missing Secure Flag on Session Cookie

low vulnerability
security
Mar 25, 2026

The @grackle-ai/server software doesn't set the Secure flag on its session cookie (a flag that prevents the cookie from being sent over unencrypted connections). While this is safe for local use, enabling the `--allow-network` option exposes the cookie to interception over insecure connections, allowing attackers to steal session data.

Fix: Update to version 0.70.5. The fix conditionally adds the `; Secure` attribute to the cookie when the server uses HTTPS or when `--allow-network` is enabled, using this code:

```typescript
const securePart = isHttps ? "; Secure" : "";
return `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;
```

As a temporary workaround, do not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy (a security intermediary that handles encrypted connections).

GitHub Advisory Database

GHSA-3mjm-x6gw-2x42: @grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers

medium vulnerability
security
Mar 25, 2026

The Grackle AI server was missing three important HTTP security headers (Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options) that protect against XSS attacks (where malicious code is injected into a webpage), clickjacking (tricking users into clicking hidden elements), and MIME-sniffing attacks (where browsers misinterpret file types). While current XSS risks are low, the missing headers remove a safety layer that would help prevent future vulnerabilities.

Fix: Update to version 0.70.4, which adds security headers to all responses. The fix adds these headers to the server code: Content-Security-Policy set to "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:", X-Frame-Options set to "DENY", and X-Content-Type-Options set to "nosniff". Alternatively, use a reverse proxy (nginx or Caddy) in front of the Grackle server to inject these security headers.

GitHub Advisory Database

GHSA-xq7h-vwjp-5vrh: @grackle-ai/powerline Runs Without Authentication by Default

medium vulnerability
security
Mar 25, 2026

The PowerLine gRPC server (a service that runs code through remote procedure calls, which is a way for programs to request actions from each other over a network) from @grackle-ai/powerline runs without any authentication by default when a token is not provided, allowing anyone who can reach the server to execute code and access credentials. Although the server only listens on localhost (127.0.0.1, the local machine) by default, it becomes critically dangerous if accidentally exposed on a network through containers or port forwarding.

Fix: Update to version 0.70.1, which changes the behavior to require an explicit `--no-auth` flag to intentionally run without authentication, rather than silently defaulting to no auth. The fix throws an error if the server starts without a token and without the `--no-auth` flag. As a workaround for earlier versions, always provide `--token` or set the `GRACKLE_POWERLINE_TOKEN` environment variable when starting PowerLine.

GitHub Advisory Database

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

high vulnerability
security
Mar 25, 2026

The Grackle AI server has a security flaw where its WebSocket upgrade handler (a protocol for real-time two-way communication) doesn't check the Origin header, which identifies where a connection request comes from. This allows a malicious webpage to hijack a WebSocket connection if a user is logged in, potentially letting an attacker see real-time session data and task updates through cross-origin WebSocket hijacking (an attack where a different website tricks your browser into connecting to an unintended service).

Fix: Validate `req.headers.origin` against an allowlist before accepting WebSocket connections. The patch provided in the source shows checking that the origin contains either 'localhost' or '127.0.0.1', and closing the connection with code 4003 if it doesn't match. As a workaround, ensure the Grackle server is only accessible on 127.0.0.1 (the default) and do not use `--allow-network` in untrusted network environments.

GitHub Advisory Database

GHSA-647h-p824-99w7: @grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool

high vulnerability
security
Mar 25, 2026

The @grackle-ai/mcp library has a workspace authorization bypass vulnerability in its knowledge_search and knowledge_get_node tools. These tools are marked as available to scoped agents (agents with limited permissions tied to a specific workspace), but they don't properly check which workspace a user belongs to, allowing a scoped agent in Workspace A to access sensitive data from Workspace B by specifying an arbitrary workspaceId parameter.

Fix: Add an `authContext` parameter to the `knowledge_search` and `knowledge_get_node` handlers and enforce workspace scoping with this code pattern:

```typescript
const resolvedWorkspaceId =
  authContext?.type === "scoped" ? authContext.workspaceId ?? "" : workspaceId ?? "";
```

This ensures scoped agents can only access their own workspace. As a temporary workaround, remove `knowledge_search` and `knowledge_get_node` from the `SCOPED_TOOLS` set in `tool-scoping.ts`, or do not use scoped agent tokens in multi-workspace deployments until the fix is applied.

GitHub Advisory Database

GHSA-7q9x-8g6p-3x75: @grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template

low vulnerability
security
Mar 25, 2026

The `renderPairingPage()` function in the @grackle-ai/server library embeds error messages directly into HTML without escaping (a process that makes text safe for display in web pages). While current uses pass only hardcoded strings and are not exploitable now, future code changes that pass user-controlled input could create an XSS vulnerability (a type of attack where malicious code is injected into a webpage).

Fix: Update to v0.70.1. The fix applies `escapeHtml()` to the error parameter by changing `${error}` to `${escapeHtml(error)}` in the HTML template string, matching the safer approach already used in the `renderAuthorizePage()` function in the same file.

GitHub Advisory Database

GHSA-xvh5-5qg4-x9qp: n8n has In-Process Memory Disclosure in its Task Runner

high vulnerability
security
Mar 25, 2026
CVE-2026-27496

n8n (a workflow automation tool) has a security flaw where authenticated users who can create or modify workflows could access uninitialized memory buffers (chunks of computer memory that haven't been cleared), potentially exposing sensitive data like secrets or tokens from previous requests in the same process. This vulnerability only affects systems where Task Runners are enabled and can be limited in external runner mode (where the runner operates in a separate, isolated process).

Fix: The issue has been fixed in n8n versions >= 1.123.22, >= 2.10.1, and >= 2.9.3. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily limit workflow creation and editing permissions to fully trusted users only, or use external runner mode by setting `N8N_RUNNERS_MODE=external`. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.

GitHub Advisory Database

GHSA-5mg7-485q-xm76: Two LiteLLM versions published containing credential harvesting malware

critical vulnerability
security
Mar 25, 2026

Two versions of LiteLLM (a Python library for working with multiple AI models), versions 1.82.7 and 1.82.8, were published with malware that steals user credentials (usernames, passwords, and authentication tokens). This is a critical security issue because anyone who installed these specific versions could have their sensitive login information compromised.

GitHub Advisory Database

CVE-2026-24158: NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of ser

high vulnerability
security
Mar 24, 2026
CVE-2026-24158

CVE-2026-24158 is a vulnerability in NVIDIA Triton Inference Server's HTTP endpoint that allows attackers to cause a denial of service (temporarily making a service unavailable) by sending a large compressed payload. The vulnerability stems from improper memory allocation (CWE-789, where a system reserves too much memory based on untrusted input).

NVD/CVE Database