Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Ouroboros-ai had an incomplete security fix: a malicious project's `.env` file (a configuration file automatically loaded when code imports the package) could still enable remote code execution (RCE, where an attacker runs commands on your system) because some environment variable names were missing from the denylist (block list). Additionally, the software auto-loaded configuration files from the current working directory without checking whether they were trustworthy, so an attacker could execute arbitrary commands just by getting a user to run the tool inside a malicious repository.
Fix: Fixed in version 0.42.1. All vulnerable environment variable keys were added to `_UNTRUSTED_ENV_DENYLIST`; automatic working-directory configuration file discovery was removed and replaced with explicit configuration only, via the `OUROBOROS_MCP_CONFIG` environment variable and `~/.ouroboros/mcp_servers.yaml` (both trusted locations). The regression suite (automated tests) now derives its test cases from the source denylist, so a future fix cannot silently leave keys uncovered.
GitHub Advisory Database
agent-coderag has a critical vulnerability: during its default dependency-discovery process it automatically executes a `gradlew` script (a build automation script) from any repository without checking whether the script is legitimate. An attacker can place a malicious `gradlew` script in a repository to run arbitrary code on a victim's computer whenever the victim runs the standard `agent-coderag sync` command; no special permissions or authentication are required.
The tract-onnx library (a Rust crate for running neural network models) has a vulnerability where it loads external data files referenced in ONNX models without checking the file paths. A malicious model can use absolute paths (like `/etc/passwd`) or directory traversal sequences (like `../../../../etc/passwd`) in the `location` field to trick tract into reading arbitrary files on the system and exposing their contents in the model's output. This is a path-traversal vulnerability (a type of attack where an attacker manipulates file paths to access files outside the intended directory).
Network-AI versions before 5.9.1 have a command injection vulnerability where wildcard allowlist rules like `git *` can be bypassed to run arbitrary commands. The bug occurs because the allowlist (a security filter that approves which commands can run) matches the whole command string using loose glob patterns, but then executes it through `/bin/sh -c` (the shell interpreter), which interprets special characters like semicolons and pipes, allowing an attacker to append malicious commands like `git status; id`.
The Network-AI package (npm `network-ai`, v5.7.1) has an incomplete security fix for CVE-2026-46701. A previous update blocked browser-based attacks by restricting CORS (cross-origin resource sharing, which controls which websites may access a server), but the core problem remains: the server still defaults to an empty secret and accepts all requests without authentication. Anyone who can reach the server directly, whether via curl, via SSRF (server-side request forgery, where an attacker tricks a server into making requests on their behalf), or through a non-loopback network bind, can invoke all 22 available tools without providing credentials.
AgenticMail has a security flaw where unauthenticated external emails can trigger a privileged Claude Code session with `permissionMode: 'bypassPermissions'` (a mode that removes safety restrictions). The email's sender address, subject, and preview are embedded directly into the AI's prompt without verification that the sender is the actual operator, allowing prompt injection (tricking the AI by hiding instructions in its input) that could lead to arbitrary code execution and file access under the operator's identity. A similar handler in the same codebase properly authenticates the sender, but the bridge-wake path does not.
Pipecat's development runner has an unauthenticated WebSocket endpoint (`/ws`) that accepts telephony connections without verifying who is connecting. An attacker can send a fake Twilio handshake message with a call ID they choose, and the server will use its own Twilio credentials to hang up that call, potentially terminating calls on the victim's account. The same vulnerability exists for Telnyx and Plivo telephony providers.
The githubreceiver component in opentelemetry-collector-contrib has a security flaw where it validates the `required_headers` configuration at startup but never actually checks these headers on incoming webhook requests. This means an attacker can send fake data to the webhook endpoint by bypassing the authentication headers that operators thought were protecting it, especially when the `secret` field is left empty (which skips HMAC validation entirely).
The Sentry exporter in opentelemetry-collector-contrib has a path traversal vulnerability (a type of attack where an attacker manipulates file paths to access unintended locations) because it builds Sentry API URLs by directly inserting the `service.name` attribute, which remote attackers can control, without checking whether it is valid. Since the operator's bearer token (a credential that proves the operator's identity) is automatically added to every request, an attacker can craft a malicious `service.name` to reach privileged Sentry admin and organization endpoints that they should not have access to.
PraisonAI's search tools contain a Server-Side Request Forgery (SSRF) vulnerability, where an attacker can trick the AI into making HTTP requests to arbitrary internal URLs by controlling the `searxng_url` parameter. Because this parameter is exposed to the language model as a tool option and search tools are enabled by default, an attacker can inject malicious instructions through web pages or files to make the server access internal services, read sensitive data, or in cloud environments reach the instance metadata endpoint (169.254.169.254) to potentially steal credentials.
The `multiedit` tool in PraisonAI allows an AI agent to read and write any file on the system without checking file paths or boundaries, because it passes the filepath directly to the `open()` function without validation. An attacker who can control what the agent does, such as through crafted prompts or malicious workflow configurations, could steal sensitive files like SSH keys and credentials, or overwrite important files to take control of the system.
A vulnerability (CVE-2026-12530) was found in the AWS Bedrock AgentCore Python SDK's `install_packages()` method, which failed to properly block dangerous characters in package names before running them as shell commands. This allowed attackers to use flags like `--index-url` to redirect package downloads to fake servers or `-r` to read files from the sandbox system. Versions 1.1.3 through 1.6.0 are affected.
Langflow versions before 1.9.1 allow anyone with network access to upload unlimited amounts of data to the server without logging in, which can exhaust disk space and cause the service to stop working (DoS, or denial-of-service). Additionally, the server reveals the exact file path where uploads are stored, giving attackers information that could help them chain together multiple attacks.
LangChain4j's MariaDB and pgvector embedding stores have a SQL injection vulnerability (a type of attack where an attacker inserts malicious SQL code into a query) caused by improperly escaping metadata filter keys before putting them into SQL queries. An attacker who can control the filter keys in search or remove operations could inject arbitrary SQL to steal data, cause denial of service, or delete rows from the database.
Claude Code had a security flaw where the domain huggingface.co was automatically approved for the WebFetch tool (a feature that lets AI systems fetch data from the internet), allowing attackers to trick Claude into making web requests to attacker-controlled files and secretly stealing data like files or environment variables without user permission. An attacker would need to first inject malicious content into Claude's context (the information it's working with) to exploit this vulnerability.
Open WebUI has a security flaw where authenticated users can access other users' files through the `/api/chat/completions` endpoint. When a user sends an image request with a file ID (instead of a web link) in the `image_url` field, the server reads that file from disk without checking if the user owns it, then converts it to a format the AI can process. An attacker can exploit this by using another user's file ID to make the AI read and describe private files, leaking their content.
vLLM's audio transcription endpoint checks the size of compressed audio files but not the decoded output, allowing a decompression bomb attack. A 25MB OPUS file can expand to about 14.9GB of PCM audio (raw, uncompressed audio data) in memory, letting an attacker crash the server by exhausting RAM with just a few requests.
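The pattern behind the vLLM finding, as an added example that is not vLLM's code: the vulnerable check judges a request by its compressed size, while the hardened decoder inflates incrementally and stops the moment the decoded output passes a cap. zlib stands in here for the OPUS-to-PCM decoder (an assumption made so the block runs offline); the bomb input and the caps are constructed for the demo.

```python
import zlib

MAX_INPUT_BYTES = 25 * 1024 * 1024     # the kind of limit the vulnerable path enforces
MAX_DECODED_BYTES = 1 * 1024 * 1024    # cap on decoded output (kept small for the demo)


class DecodedSizeExceeded(Exception):
    """Raised as soon as decoded output would pass the cap; the rest is never inflated."""


def input_size_only_check(compressed: bytes, max_input: int = MAX_INPUT_BYTES) -> bool:
    """The vulnerable shape: the request is judged by its compressed size alone."""
    return len(compressed) <= max_input


def decode_bounded(compressed: bytes, max_decoded: int = MAX_DECODED_BYTES) -> bytes:
    """Inflate incrementally and stop when the output side exceeds max_decoded.
    Input size is irrelevant: a few KB that would expand to GB are cut off at the cap."""
    d = zlib.decompressobj()
    out = bytearray()
    data = compressed
    while not d.eof:
        room = max_decoded + 1 - len(out)   # ask for one byte past the cap to detect overflow
        piece = d.decompress(data, room)
        out += piece
        if len(out) > max_decoded:
            raise DecodedSizeExceeded(f"decoded output exceeds {max_decoded} bytes")
        data = d.unconsumed_tail
        if not piece and not data:          # truncated stream: no further progress possible
            break
    return bytes(out)


def exceeds_cap(compressed: bytes, max_decoded: int = MAX_DECODED_BYTES) -> bool:
    """True if decoding would blow through the cap, i.e. the request should be rejected."""
    try:
        decode_bounded(compressed, max_decoded)
        return False
    except DecodedSizeExceeded:
        return True


def make_bomb(decoded_len: int) -> bytes:
    """Constructed decompression bomb: a long run of zeros compresses to a few KB."""
    return zlib.compress(b"\0" * decoded_len, 9)
```

A 10 MB run of zeros passes `input_size_only_check` as a tiny upload but is rejected by `exceeds_cap` after at most 1 MB of output has been produced.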
vLLM's fix for an earlier vulnerability (CVE-2026-22778) was incomplete, leaving five code paths in the Anthropic router and speech-to-text API that still leak memory addresses. When users send malformed image data, the PIL library raises an error message containing a BytesIO object's memory address (like `<_io.BytesIO object at 0x7a95e299e750>`), and these five locations pass the error directly to clients without removing the address, defeating ASLR (address space layout randomization, a security feature that randomizes where code lives in memory).
vLLM's GGUF dequantize kernels (specialized functions for decompressing quantized neural network weights) use a 32-bit integer parameter to specify tensor size, which truncates when processing very large tensors. This causes the output tensor to be only partially filled by the processing kernel, leaving the remaining memory uninitialized. In multi-tenant deployments (where multiple users share GPU hardware), this unfilled memory may retain sensitive data from other users' previous requests, leaking their information.
Fix (tract-onnx): Reject absolute `location` values and any `..` components, then canonicalize (convert to a standard absolute path form) and verify the resolved path stays within the model directory, mirroring the fix applied in the `onnx` reference library version 1.22.0.
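The three-step check the tract-onnx fix describes (reject absolute paths, reject `..` components, canonicalize and confirm containment), as an added Python example that is not the crate's own code. The model directory and the `location` strings are constructed for the demo; realpath is used so that a symlink inside the model directory that points outside it is also caught.

```python
import os
from typing import Dict, Iterable


def resolve_external_data(model_dir: str, location: str) -> str:
    """Map an ONNX external-data `location` to an absolute path, or raise ValueError.
    Rejects absolute paths and `..` components up front, then canonicalizes (following
    symlinks) and checks the result still lies inside the canonical model directory."""
    if not location:
        raise ValueError("empty location")
    if os.path.isabs(location) or location[:1] in ("/", "\\"):
        raise ValueError(f"absolute location rejected: {location!r}")
    if ".." in location.replace("\\", "/").split("/"):
        raise ValueError(f"parent-directory component rejected: {location!r}")
    base = os.path.realpath(model_dir)
    candidate = os.path.realpath(os.path.join(base, location))
    # A symlink inside the model directory could still point outside it; realpath catches that.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"location escapes model directory: {location!r}")
    return candidate


def is_safe_location(model_dir: str, location: str) -> bool:
    """True if the location would be accepted by resolve_external_data."""
    try:
        resolve_external_data(model_dir, location)
        return True
    except ValueError:
        return False


def check_locations(model_dir: str, locations: Iterable[str]) -> Dict[str, bool]:
    """Evaluate several `location` strings at once, e.g. all external-data entries of a model."""
    return {loc: is_safe_location(model_dir, loc) for loc in locations}


if __name__ == "__main__":
    # Constructed sample entries in the style the advisory describes; the directory need not exist.
    MODEL_DIR = "/opt/models/demo"  # assumed path
    samples = ["weights.bin", "sub/weights.bin", "/etc/passwd",
               "../../../../etc/passwd", "sub/../weights.bin"]
    for loc, ok in check_locations(MODEL_DIR, samples).items():
        print(f"{'accept' if ok else 'reject'}  {loc}")
```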
GitHub Advisory Database
Fix (Network-AI): Fixed in v5.9.1 (commit 379f776). The `ShellExecutor` now executes commands via `spawn(file, args, { shell: false })` with quote-aware argument parsing instead of invoking a shell, and `SandboxPolicy.isCommandAllowed` and the new `SandboxPolicy.tokenizeCommand` reject any unquoted shell metacharacters (`;`, `&`, `|`, `$`, backticks, parentheses, angle brackets, braces, and newlines) or unterminated quotes before checking the allowlist, while preserving quoted metacharacters as literal arguments.
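The two shapes of the allowlist check side by side, as an added Python example that is not the Network-AI code: the pre-5.9.1 shape globs the whole command string (and would then hand it to a shell), while the hardened shape tokenizes first, fails closed on unquoted metacharacters or unterminated quotes, and matches rule tokens against argv tokens so the result can go to `subprocess.run(argv, shell=False)`. The rule syntax (`git *`, trailing `*` meaning "any remaining arguments") is an assumption for the demo; neither function executes anything.

```python
import fnmatch
from typing import List, Optional

_META = set(";&|$`()<>{}\n")  # shell syntax that must not appear unquoted (per the advisory)

def tokenize_command(cmd: str) -> Optional[List[str]]:
    """Quote-aware split into argv; None on an unquoted metacharacter or unterminated quote."""
    argv, cur, quote, in_token = [], [], None, False
    for ch in cmd:
        if quote:                          # inside '...' or "...": everything is literal
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in ('"', "'"):
            quote, in_token = ch, True
        elif ch in _META:                  # unquoted shell syntax: fail closed
            return None
        elif ch.isspace():
            if in_token:
                argv.append("".join(cur))
                cur, in_token = [], False
        else:
            cur.append(ch)
            in_token = True
    if quote:                              # unterminated quote
        return None
    if in_token:
        argv.append("".join(cur))
    return argv

def vulnerable_is_allowed(cmd: str, allowlist: List[str]) -> bool:
    """Pre-5.9.1 shape: glob the whole string, then hand it to `/bin/sh -c` (not done here)."""
    return any(fnmatch.fnmatchcase(cmd, rule) for rule in allowlist)

def is_command_allowed(cmd: str, allowlist: List[str]) -> Optional[List[str]]:
    """Hardened shape: tokenize, then match rule tokens against argv tokens (a trailing '*'
    matches any remaining args). Returns argv for subprocess.run(argv, shell=False), or None."""
    argv = tokenize_command(cmd)
    if not argv:
        return None
    for rule in allowlist:
        pat = rule.split()
        open_ended = bool(pat) and pat[-1] == "*"
        fixed = pat[:-1] if open_ended else pat
        if len(argv) < len(fixed) or (not open_ended and len(argv) != len(fixed)):
            continue
        if all(fnmatch.fnmatchcase(a, p) for a, p in zip(argv, fixed)):
            return argv
    return None
```

With the rule `git *`, the string `git status; id` passes the vulnerable check and is rejected by the hardened one, while `git commit -m "a; b"` is accepted with the quoted text kept as a single literal argument.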
GitHub Advisory Database
Fix (Network-AI, CVE-2026-46701): The source recommends implementing the original advisory's remediation #1: 'refuse to start SSE mode with an empty secret (unless `--stdio`), and/or change `_isAuthorized` to fail closed (an empty configured secret should mean "deny", not "allow").' The fix should require a non-empty secret at startup and call `process.exit(1)` if one is not provided, rather than only issuing a warning when binding to a non-loopback address.
GitHub Advisory Database
Fix (githubreceiver): Add RequiredHeaders enforcement to `handleReq()` in `receiver/githubreceiver/trace_receiver.go`, matching the pattern used in gitlabreceiver at `receiver/gitlabreceiver/traces_receiver.go:266-270`, which validates each required header by checking that the incoming request's header value matches the configured value.
GitHub Advisory Database
Splunk Enterprise has a critical security flaw where a PostgreSQL sidecar service endpoint (a supporting service that handles database connections) does not require authentication (proof of identity), allowing an attacker without credentials to create or delete arbitrary files. This vulnerability is currently being exploited in real attacks in the wild.
Fix: Upgrade to Langflow version 1.9.1 or later. The fix adds authentication requirements to the upload endpoint (users must log in and own the flow), enforces file size limits (returns HTTP 413 if exceeded), and only reveals file paths to authenticated flow owners.
GitHub Advisory Database
Fix: Fixed in langchain4j-mariadb and langchain4j-pgvector version 1.16.3-beta26. The patch properly escapes JSON filter keys before embedding them in SQL string literals (doubling single quotes for PostgreSQL and escaping backslash and single quote for MariaDB), escapes backslash and single quote in MariaDB string values, and validates or quotes column-mode keys as identifiers instead of concatenating them as raw SQL.
GitHub Advisory Database
Fix: Users on standard Claude Code auto-update have received this fix already; users performing manual updates are advised to update to the latest version.
Hugging Face Security Advisories
Fix (vLLM): A fix for this vulnerability was merged in pull request #44970 on the vLLM GitHub repository: https://github.com/vllm-project/vllm/pull/44970
GitHub Advisory Database
Fix (vLLM GGUF kernels): Change the `int k` parameter to `int64_t k` in the `to_cuda_ggml_t` function pointer type declaration at `ggml-common.h:1067`. The source text states: "This is a single root cause -- the `int` type on the `k` parameter in `to_cuda_ggml_t` -- with a single fix: change `int k` to `int64_t k`. All dequantize functions inherit this type through the same typedef."
Hugging Face Security Advisories