Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
OpenClaw Gateway had two security flaws that could let an attacker with a valid token escalate their access: the HTTP endpoint (`POST /tools/invoke`, a web interface for running tools) didn't block dangerous tools like session spawning by default, and the permission system could auto-approve risky operations without enough user confirmation. Together, these could allow an attacker to execute commands or control sessions if they reach the Gateway.
Fix: Update to OpenClaw version 2026.2.14 or later. The fix includes: denying high-risk tools over HTTP by default (with configuration overrides available via `gateway.tools.{allow,deny}`), requiring explicit prompts for any non-read/search permissions in the ACP (access control permission) system, adding security warnings when high-risk tools are re-enabled, and making permission matching stricter to prevent accidental auto-approvals. Additionally, keep the Gateway loopback-only (only accessible locally) by setting `gateway.bind="loopback"` or using `openclaw gateway run --bind loopback`, and avoid exposing it directly to the internet without using an SSH tunnel or Tailscale.
GitHub Advisory DatabaseOpenClaw's canvas tool contains a path traversal vulnerability (a security flaw that allows reading files outside intended directories) in its `a2ui_push` action. An authenticated attacker can supply any filesystem path to the `jsonlPath` parameter, and the gateway reads the file without validation and forwards its contents to connected nodes, potentially exposing sensitive files like credentials or SSH keys.
OpenChatBI has a path traversal vulnerability (a security flaw where attackers can access files outside intended directories) in its save_report tool because it doesn't properly validate the file_format parameter, allowing attackers to use sequences like '/../' to write files to arbitrary locations and potentially execute malicious code.
CVE-2026-2256 is a command injection vulnerability (a flaw where an attacker tricks a program into running unwanted operating system commands) in ModelScope's ms-agent software versions v1.6.0rc1 and earlier. An attacker can exploit this by sending specially crafted prompts to execute arbitrary commands on the affected system.
Anthropic's Claude service experienced a widespread outage on Monday morning, affecting Claude.ai and Claude Code (though the Claude API remained functional), with most users encountering errors during login. The company identified the issue was related to login and logout systems and stated it was implementing a fix, though no root cause or technical details were disclosed.
Gradio, a Python package for building AI demos, had a vulnerability (SSRF, or server-side request forgery, where an attacker tricks a server into making requests it shouldn't) before version 6.6.0 that let attackers access internal services and private networks by hosting a malicious Gradio Space that victims load with the `gr.load()` function.
Gradio, a Python package for building AI interfaces quickly, has a vulnerability in versions before 6.6.0 where the _redirect_to_target() function doesn't validate the _target_url parameter, allowing attackers to redirect users to malicious external websites through the /logout and /login/callback endpoints on apps using OAuth (a login system). This vulnerability only affects Gradio apps running on Hugging Face Spaces with gr.LoginButton enabled.
Gradio (an open-source Python package for building web interfaces quickly) has a vulnerability in versions before 6.7 on Windows with Python 3.13 and newer that allows attackers to read any file from the server by exploiting a flaw in how the software checks if file paths are absolute (starting from the root directory). The vulnerability exists because Python 3.13 changed how it defines absolute paths, breaking Gradio's protections against path traversal (accessing files outside intended directories).
Gradio, a Python package for building web interfaces, has a security flaw in versions 4.16.0 through 6.5.x where it automatically enables fake OAuth routes (authentication shortcuts) that accidentally expose the server owner's Hugging Face access token (a credential used to authenticate with Hugging Face services) to anyone who visits the login page. An attacker can steal this token because the session cookie (a small file storing login information) is signed with a hardcoded secret, making it easy to decode.
A vulnerability in n8n's Zendesk Trigger node (a tool that automatically starts workflows when Zendesk sends data) allows attackers to forge webhook requests, meaning they can trigger workflows with fake data because the node doesn't verify the HMAC-SHA256 signature (a cryptographic check that confirms a message is authentic). This lets anyone who knows the webhook URL send malicious payloads to the connected workflow.
A security flaw in n8n's Guardrail node (a component that enforces safety rules on AI outputs) allows users to craft inputs that bypass its default safety instructions. This means someone could trick the guardrail into allowing outputs it should have blocked.
n8n, a workflow automation tool, has a security flaw in its Chat Trigger node where authentication (the process of verifying a user's identity) can be bypassed when configured with n8n User Auth. This only affects users who have specifically set up this non-default authentication method on their Chat Trigger node.
A security flaw in n8n's GitHub Webhook Trigger node allowed attackers to forge webhook messages without proper authentication. The node failed to verify HMAC-SHA256 signatures (a cryptographic check that confirms a message came from GitHub), so anyone knowing the webhook URL could send fake requests and trigger workflows with whatever data they wanted.
n8n (a workflow automation tool) had a SQL injection vulnerability (a type of attack where specially crafted input tricks a database into running unintended commands) in its MySQL, PostgreSQL, and Microsoft SQL nodes. Attackers who could create or edit workflows could inject malicious SQL code through table or column names because these nodes didn't properly escape identifier values when building database queries.
CVE-2026-3071 is a vulnerability in Flair (a machine learning library) versions 0.4.1 and later that allows arbitrary code execution (running unauthorized commands on a system) when loading a malicious model file. The problem occurs because the LanguageModel class deserializes untrusted data (converts data from an external file without checking if it's safe), which can be exploited by attackers who provide specially crafted model files.
Langflow, a tool for building AI-powered agents and workflows, had a vulnerability in versions before 1.8.0 where the CSV Agent node automatically enabled a dangerous Python execution feature. This allowed attackers to run arbitrary Python and operating system commands on the server through prompt injection (tricking the AI by hiding instructions in its input), resulting in RCE (remote code execution, where an attacker can run commands on a system they don't own).
LangGraph versions before 4.0.0 have a remote code execution vulnerability in their caching layer when applications enable cache backends and opt nodes into caching. The vulnerability occurs because the default serializer uses pickle deserialization (a Python feature that can execute arbitrary code) as a fallback when other serialization methods fail, allowing attackers who can write to the cache to execute malicious code.
The zae-limiter library has a security flaw where all rate limit buckets for a single user share the same DynamoDB partition key (the identifier that determines which storage location holds the data), allowing a high-traffic user to exceed DynamoDB's write limits and cause service slowdowns for that user and potentially others sharing the same partition. This vulnerability affects multi-tenant systems, like shared LLM proxies (AI services shared across multiple customers), where one customer's heavy traffic can degrade service for others.
n8n, a workflow automation tool, has a vulnerability where authenticated users with permission to create or modify workflows can exploit expression evaluation (the process of interpreting code within workflow parameters) to execute arbitrary system commands on the host server. This is a serious security flaw because it allows attackers to run unintended commands on the underlying system.
Fix: Upgrade to version 0.2.2 or later, which includes the fix from PR #12.
GitHub Advisory DatabaseOpenAI fired an employee who used confidential company information to make trades on prediction markets (platforms like Polymarket where people bet money on real-world events). The employee's actions violated OpenAI's internal policy against using insider information for personal financial gain.
Fix: Update Gradio to version 6.6.0 or later, which fixes the issue.
NVD/CVE DatabaseFix: Update to Gradio version 6.6.0 or later. Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
NVD/CVE DatabaseFix: Update Gradio to version 6.7 or later, which fixes the issue.
NVD/CVE DatabaseFix: Update to Gradio version 6.6.0, which fixes the issue.
NVD/CVE DatabaseFix: The issue has been fixed in n8n versions 2.6.2 and 1.123.18. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only, and restrict network access to the n8n webhook endpoint to known Zendesk IP ranges. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n version 2.10.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can limit access to trusted users and review the practical impact of guardrail bypasses in your workflow, then adjust accordingly (though these workarounds do not fully remediate the risk and should only be used as short-term mitigation).
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily: limit workflow creation and editing permissions to fully trusted users only, use a different authentication method for the Chat Trigger node, or restrict network access to the webhook endpoint (the URL that receives Chat Trigger requests) to trusted origins. These workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 2.5.0 and 1.123.15. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider these temporary mitigations: (1) Limit workflow creation and editing permissions to fully trusted users only, and (2) Restrict network access to the n8n webhook endpoint to known GitHub webhook IP ranges. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n version 2.4.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should: (1) Limit workflow creation and editing permissions to fully trusted users only, or (2) Disable the MySQL, PostgreSQL, and Microsoft SQL nodes by adding `n8n-nodes-base.mySql`, `n8n-nodes-base.postgres`, and `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: Version 1.8.0 fixes the issue.
NVD/CVE DatabaseFix: Upgrade to langgraph-checkpoint>=4.0.0, which disables pickle fallback by default (pickle_fallback=False).
GitHub Advisory DatabaseFix: The source explicitly describes a remediation design called 'Pre-Shard Buckets' that includes: moving buckets to a new partition key format with sharding (`PK={ns}/BUCKET#{entity}#{resource}#{shard}, SK=#STATE`), auto-injecting a `wcu:1000` reserved limit on every bucket to track DynamoDB write pressure, implementing shard doubling (1→2→4→8) when capacity is exhausted, storing original limits on the bucket with effective limits derived by dividing by shard count, using random or round-robin shard selection with retry logic (maximum 2 retries), lazy shard creation on first access, discovering shards via GSI3 (a secondary index), and implementing a clean break migration with a schema version bump so old buckets are ignored and new buckets are created on first access.
GitHub Advisory DatabaseFix: Upgrade to n8n version 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrade is not possible, limit workflow creation and editing permissions to fully trusted users only, and deploy n8n in a hardened environment with restricted operating system privileges and network access. However, these temporary mitigations do not fully remediate the risk.
GitHub Advisory Database