Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
n8n, a workflow automation tool, has a vulnerability where authenticated users with permission to create or modify workflows can exploit expression evaluation (the process of interpreting code within workflow parameters) to execute arbitrary system commands on the host server. This is a serious security flaw because it allows attackers to run unintended commands on the underlying system.
Fix: Upgrade to n8n version 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrade is not possible, limit workflow creation and editing permissions to fully trusted users only, and deploy n8n in a hardened environment with restricted operating system privileges and network access. However, these temporary mitigations do not fully remediate the risk.
GitHub Advisory Databasen8n (a workflow automation tool) has a vulnerability where an authenticated user with workflow editing permissions could combine the Read/Write Files from Disk node (a component that modifies files on the server) with git operations (version control commands) to execute arbitrary shell commands (any commands an attacker chooses) on the n8n server. This requires the attacker to already have valid user access.
n8n, a workflow automation tool, has a vulnerability where authenticated users with workflow editing permissions could use the Merge node's SQL query mode to execute arbitrary code (running any commands they want on the server) and write files to the n8n server. This is a serious security issue because it lets trusted insiders cause significant damage.
n8n, a workflow automation tool, has a sandbox escape vulnerability in its JavaScript Task Runner that lets authenticated users run code outside the sandbox (a restricted environment for running untrusted code). On default setups, this could give attackers full control of the n8n server, while on systems using external task runners, attackers could impact other workflows.
n8n had a vulnerability in its Form nodes where an unauthenticated attacker could inject malicious code by submitting specially crafted form data that starts with an equals sign (=), which the system would then execute as an expression. While this vulnerability alone is limited, it could potentially lead to remote code execution if combined with another type of attack that bypasses n8n's expression sandbox (a security boundary that restricts what code can access).
LangChain's `RecursiveUrlLoader` component had a security flaw where it would validate an initial website address but then automatically follow redirects (automatic jumps to different URLs) without checking them, allowing attackers to redirect from a safe public URL to internal or sensitive endpoints. This vulnerability was fixed in version 1.1.18 of the `@langchain/community` package.
Fickling (a Python library for analyzing pickle files, a Python serialization format) has a safety bypass where dangerous operations like network connections and file access are falsely marked as safe when certain opcodes (REDUCE and BUILD, which are pickle instructions) appear in sequence. Attackers can add a simple BUILD opcode to any malicious pickle to evade all five of fickling's safety detection methods.
Enclave is a secure JavaScript sandbox designed to safely run code from AI agents, but versions before 2.11.1 had a vulnerability that allowed attackers to escape the security boundaries and achieve RCE (remote code execution, where an attacker can run commands on a system they don't own). This weakness is related to code injection (CWE-94, a type of bug where untrusted input is used to generate code that gets executed).
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have a CSRF vulnerability (cross-site request forgery, where an attacker tricks a logged-in user into unknowingly sending requests to a website). An attacker can create a malicious webpage that, when visited by someone authenticated to Parse Dashboard, forces their browser to send unwanted requests to the AI Agent API endpoint without their knowledge. This vulnerability is fixed in version 9.0.0-alpha.8 and later.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have a security flaw in the AI Agent API endpoint (a feature for managing Parse Server apps) where authorization checks are missing, allowing authenticated users to access other apps' data and read-only users to perform write and delete operations they shouldn't be allowed to do. Only dashboards with the agent feature enabled are vulnerable to this issue.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have security vulnerabilities in the AI Agent API endpoint that allow unauthenticated attackers to read and write data from any connected database using the master key (a special admin credential that grants full access). The agent feature must be enabled to be vulnerable, so dashboards without it are safe.
A security vulnerability exists in the `MarkdownRenderer.jsx` component where it uses `dangerouslySetInnerHTML` (a React feature that directly inserts HTML code without filtering) to display content generated by the AI model, allowing XSS (cross-site scripting, where attackers inject malicious code that runs in a user's browser). This means if the model outputs code containing `<script>` tags, those scripts will execute automatically, potentially redirecting users or performing other harmful actions, and the problem persists even after closing the chat because the malicious script gets saved in the chat history.
OpenClaw, a personal AI assistant, had a security flaw in versions 2026.2.13 and below on macOS where OAuth tokens (authentication credentials that prove you're logged in) could be used to inject malicious OS commands (commands that run at the operating system level) into the credential refresh process. An attacker could exploit this by crafting a specially designed token to execute arbitrary commands on the affected system.
OpenSift is an AI study tool that uses semantic search (finding information based on meaning rather than exact keyword matches) and generative AI to analyze large datasets. Versions 1.1.2-alpha and earlier have a vulnerability where multiple operations happening at the same time can corrupt or lose data in local JSON files (a common data storage format), affecting study notes, quizzes, flashcards, and user accounts.
OpenSift, an AI study tool that searches through large datasets using semantic search (finding similar content based on meaning) and generative AI, has a vulnerability in versions 1.1.2-alpha and below where it can be tricked into requesting unsafe internet addresses through its URL ingest feature (the part that accepts web links as input). An attacker could exploit this to access private or local network resources from the computer running OpenSift.
OpenSift, an AI study tool that uses semantic search (finding information by meaning rather than exact keywords) and generative AI to analyze large datasets, has a vulnerability in versions 1.1.2-alpha and below where untrusted content is rendered unsafely in the chat interface, allowing XSS (cross-site scripting, where attackers inject malicious code that runs in a user's browser). An attacker who can modify stored study materials could execute JavaScript code when a legitimate user views that content, potentially letting the attacker perform actions as that user within the application.
MLflow contains a vulnerability (CVE-2026-2635) where hard-coded default credentials are stored in the basic_auth.ini file, allowing remote attackers to bypass authentication without needing valid login information and potentially execute code with administrator privileges. This flaw exploits the use of default passwords, a common security mistake where systems ship with unchangeable built-in login credentials.
TensorFlow has a vulnerability where it loads plugins from an unsafe location, allowing attackers who already have low-level access to a system to gain higher privileges (privilege escalation, where an attacker gains elevated permissions to do things they normally couldn't). An attacker exploiting this flaw could run arbitrary code (any commands they choose) with the same permissions as the target user.
Fix: The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily: (1) Limit workflow creation and editing permissions to fully trusted users only, or (2) Disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.
GitHub Advisory DatabaseFix: The vulnerability is fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22 or later. If upgrading immediately is not possible, administrators can temporarily restrict workflow creation and editing permissions to only fully trusted users, or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable (a configuration setting that tells n8n which features to turn off). Note: these workarounds do not fully eliminate the risk and are only short-term measures.
GitHub Advisory DatabaseFix: Upgrade to n8n version 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrade is not possible, temporarily limit workflow creation and editing permissions to trusted users only, or use external runner mode by setting N8N_RUNNERS_MODE=external to reduce potential damage.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily: (1) manually review form nodes to check if they have the problematic configuration, (2) disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable, or (3) disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: Upgrade to `@langchain/community` version 1.1.18. This version disables automatic redirects (`redirect: "manual"`), validates each redirect target with `validateSafeUrl()` before following it, and implements a maximum redirect limit to prevent infinite loops.
NVD/CVE DatabaseFix: Potentially unsafe modules have been added to a blocklist in https://github.com/trailofbits/fickling/commit/0c4558d950daf70e134090573450ddcedaf10400.
GitHub Advisory DatabaseFix: Update to version 2.11.1 or later. The issue has been fixed in version 2.11.1.
NVD/CVE DatabaseFix: Update to version 9.0.0-alpha.8 or later, which adds CSRF middleware (code that checks requests are legitimate) to the agent endpoint and embeds a CSRF token (a secret code) in the dashboard page. Alternatively, remove the `agent` configuration block from your dashboard configuration file as a temporary workaround.
NVD/CVE DatabaseFix: Update to version 9.0.0-alpha.8 or later, which adds authorization checks and restricts read-only users to a limited key with write permissions removed server-side (the server prevents writes even if requested). As a temporary workaround, remove the `agent` configuration block from your dashboard configuration file.
NVD/CVE DatabaseFix: Upgrade to version 9.0.0-alpha.8 or later, which adds authentication, CSRF validation (protection against forged requests), and per-app authorization middleware to the agent endpoint. Alternatively, remove or comment out the agent configuration block from your Parse Dashboard configuration file as a temporary workaround.
NVD/CVE DatabaseFix: The source text suggests that 'the preview may be placed in an iframe sandbox' (a restricted container that limits what code can do) and 'dangerous html strings should be purified before rendering' (cleaning the HTML to remove harmful elements before displaying it). However, these are listed as 'Potential Workaround' suggestions rather than confirmed fixes or patches.
GitHub Advisory DatabaseAnthropic accused three Chinese AI companies (DeepSeek, Moonshot AI, and MiniMax) of using distillation (a technique where one AI model learns from another by analyzing its outputs) to illegally extract capabilities from Claude by creating over 24,000 fake accounts and generating millions of interactions. This theft targeted Claude's most advanced features like reasoning, tool use, and coding, and raises security concerns because stolen models may lack safeguards against misuse like bioweapon development.
Fix: Anthropic stated it will 'continue to invest in defenses that make distillation attacks harder to execute and easier to identify,' and is calling on 'a coordinated response across the AI industry, cloud providers, and policymakers.' The company also argues that export controls on advanced AI chips to China would limit both direct model training and the scale of such distillation attacks.
TechCrunchOpenAI's monitoring tools flagged an 18-year-old user's chats on ChatGPT (a large language model chatbot) that described gun violence, leading to the account being banned in June 2025. The company debated whether to alert Canadian police but decided the chats didn't meet reporting criteria, though OpenAI later contacted authorities after the user allegedly killed eight people in a mass shooting in Canada.
Fix: Update to version 2026.2.14 or later. According to the source, 'This issue has been fixed in version 2026.2.14.'
NVD/CVE DatabaseFix: This issue has been fixed in version 1.1.3-alpha. Users should upgrade to version 1.1.3-alpha or later.
NVD/CVE DatabaseFix: This issue has been fixed in version 1.1.3-alpha. As a temporary workaround for trusted local-only exceptions, use the setting OPENSIFT_ALLOW_PRIVATE_URLS=true, but this should be used with caution.
NVD/CVE DatabaseFix: This issue has been fixed in version 1.1.3-alpha.
NVD/CVE Database