Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
MLflow Tracking Server has a directory traversal (a flaw where an attacker uses special path characters like '../' to access files outside intended directories) vulnerability in its artifact file handler that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability exists because the server doesn't properly validate file paths before using them in operations, letting attackers run code with the permissions of the service account running MLflow.
OpenClaw's ACP bridge (a local communication protocol for IDE integrations) didn't check prompt size limits before processing, causing the system to accept and forward extremely large text blocks that could slow down local sessions and increase API costs. The vulnerability only affects local clients sending unusually large inputs, with no remote attack risk.
This advisory describes a vulnerability in Google Cloud Vertex AI related to predictable bucket naming (a bucket is a container for storing data in cloud storage). The content provided explains the framework used to assess vulnerability severity through metrics like attack vector, complexity, and required privileges, but does not describe the actual vulnerability details, its impact, or how it affects users.
This advisory describes a stored XSS (cross-site scripting, where malicious code is saved and executed when users view a webpage) vulnerability in Google Cloud Vertex AI SDK. The text provided explains the CVSS scoring framework (a 0-10 rating system for vulnerability severity) used to evaluate this vulnerability, covering factors like how an attacker could exploit it, what privileges they need, and what systems could be impacted.
Ray's dashboard HTTP server (a web interface for monitoring Ray clusters) doesn't block DELETE requests from browsers, even though it blocks POST and PUT requests. This allows someone on the same network or using DNS rebinding (tricking a domain to point to a local address) to shut down Serve (Ray's serving system) or delete jobs without authentication, since token-based auth is disabled by default. The attack requires no user interaction beyond visiting a malicious webpage.
OpenClaw's skill packaging script had a vulnerability where it followed symlinks (shortcuts to files stored elsewhere on a computer) while building `.skill` archives, potentially including unintended files from outside the skill directory. This issue only affects local skill authors during packaging and has low severity since it cannot be triggered remotely through the normal OpenClaw system.
OpenClaw, a Discord moderation bot package, had a security flaw where moderation actions like timeout, kick, and ban used untrusted sender identity from user requests instead of verified system context, allowing non-admin users to spoof their identity and perform these actions. The vulnerability affected all versions up to 2026.2.17 and was fixed in version 2026.2.18.
Fickling is a tool that checks whether pickle files (serialized Python objects) are safe to open. Researchers found that Fickling incorrectly marked dangerous pickle files as safe when they used network protocol constructors like SMTP, IMAP, FTP, POP3, Telnet, and NNTP, which establish outbound TCP connections during deserialization. The vulnerability has two causes: an incomplete blocklist of unsafe imports, and a logic flaw in the unused variable detector that fails to catch suspicious code patterns.
OpenClaw is a personal AI assistant with a macOS desktop client that can be triggered through deep links (special URLs that open apps). In versions 2026.2.6 through 2026.2.13, attackers could hide malicious commands by padding messages with whitespace, so users would see only a harmless preview but the full hidden command would execute when they clicked 'Run'. This works because the app only displayed the first 240 characters in the confirmation dialog before executing the entire message.
SillyTavern is a locally installed interface for interacting with text generation AI models and other AI tools. Versions before 1.16.0 had an SSRF vulnerability (server-side request forgery, where an attacker can make the server send requests to internal networks or services it shouldn't access), allowing authenticated users to read responses from internal services and private network resources through the asset download feature.
OpenClaw, an npm package, used SHA-1 (an outdated hashing algorithm with known weaknesses) to create identifiers for Docker and browser sandbox configurations. An attacker could exploit hash collisions (two different configurations producing the same hash) to trick the system into reusing the wrong sandbox, leading to cache poisoning (corrupting stored data) and unsafe sandbox reuse.
Microsoft's Semantic Kernel Python SDK has an RCE vulnerability (remote code execution, where an attacker can run commands on a system they don't own) in the `InMemoryVectorStore` filter functionality, which allows attackers to execute arbitrary code. The vulnerability affects the library used for building AI applications with vector storage (a database that stores AI embeddings, which are numerical representations of data).
CVE-2026-25338 is a missing authorization vulnerability in the Ays Pro AI ChatBot plugin (versions up to 2.7.4), meaning the software fails to properly check whether users have permission to access certain features. This security flaw allows attackers to exploit incorrectly configured access controls (the rules that decide who can do what in the software).
OpenClaw's sandbox configuration had a bug where the `normalizeForHash` function (a process that converts configuration settings into a unique identifier) was sorting arrays containing simple values, causing different array orders to produce identical hashes. This meant that sandbox containers (isolated software environments) weren't being recreated when only the order of configuration settings like DNS or file bindings changed, potentially leaving stale containers in use.
OpenClaw, a session management tool, had a visibility issue in shared multi-user environments where session tools (like `sessions_list` and `sessions_history`) could give users access to other people's session data when they shouldn't have it. Additionally, Telegram webhook mode didn't properly use account-level secret settings as a fallback. The risk is mainly in environments where multiple people share the same agent and don't fully trust each other.
OpenClaw, an npm package, had a vulnerability where Telegram bot tokens (the credentials used to access Telegram's bot API) could leak into logs and error messages because the package didn't hide them when logging. An attacker who obtained a leaked token could impersonate the bot and take control of its API access.
OpenClaw, a Docker sandbox tool, has a configuration injection vulnerability that could let attackers escape the container (a sandboxed computing environment) or access sensitive host data by injecting dangerous Docker options like bind mounts (attaching host directories into the container) or disabling security profiles. The issue affects versions 2026.2.14 and earlier.
OpenClaw, an AI agent tool, had a vulnerability where the current working directory (the folder path where the software is running) was inserted into the AI's instructions without cleaning it first. An attacker could use special characters in folder names, like line breaks or hidden Unicode characters, to break the instruction structure and inject malicious commands, potentially causing the AI to misuse its tools or leak sensitive information.
A query injection vulnerability exists in the `@langchain/langgraph-checkpoint-redis` package, where user-provided filter values are not properly escaped when constructing RediSearch queries (a search system built on Redis). Attackers can inject RediSearch syntax characters (like the OR operator `|`) into filter values to bypass thread isolation controls and access checkpoint data from other users or threads they shouldn't be able to see.
FFmpeg's TensorFlow backend has a bug where a task object gets freed twice in certain error situations, causing a double-free condition (a memory safety error where the same memory is released multiple times). This can crash FFmpeg or programs using it when processing TensorFlow-based DNN models (deep neural network models), resulting in a denial-of-service attack, but it does not allow attackers to run arbitrary code.
Fix: The patched version 2026.2.18 enforces a 2 MiB (2 megabyte) prompt-text limit before combining text blocks, counts newline separator bytes during size checks, maintains final message-size validation before sending to the chat service, prevents stale session state when oversized prompts are rejected, and adds regression tests for oversize rejection and cleanup.
GitHub Advisory DatabaseFix: Update to Ray 2.54.0 or higher. Fix PR: https://github.com/ray-project/ray/pull/60526
GitHub Advisory DatabaseFix: Reject symlinks during skill packaging. Add regression tests for symlink file and symlink directory cases. Update packaging guidance to document the symlink restriction. The fix is available in commit c275932aa4230fb7a8212fe1b9d2a18424874b3f and ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0, with the patched version planned for release as openclaw@2026.2.18.
GitHub Advisory DatabaseFix: Moderation authorization was updated to use trusted sender context (requesterSenderId) instead of untrusted action parameters, and permission checks were added to verify the bot has required guild capabilities for each action. Update to version 2026.2.18 or later.
GitHub Advisory DatabaseFix: The incomplete blocklist issue is fixed in PR #233, which adds the six network-protocol modules (smtplib, imaplib, ftplib, poplib, telnetlib, and nntplib) to the UNSAFE_IMPORTS blocklist. The second root cause (the logic flaw in unused_assignments() function) is noted as unpatched in the source text.
GitHub Advisory DatabaseFix: The issue is fixed in version 2026.2.14. The source also mentions mitigations: do not approve unexpected 'Run OpenClaw agent?' prompts triggered while browsing untrusted websites, and use deep links only with a valid authentication key for trusted personal automations.
NVD/CVE DatabaseFix: The vulnerability has been patched in version 1.16.0 by introducing a whitelist domain check for asset download requests. It can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file.
NVD/CVE DatabaseFix: Update to version 2026.2.15 or later. The fix replaces SHA-1 with SHA-256 (a stronger hashing algorithm with better collision resistance) for generating these sandbox identifiers.
GitHub Advisory DatabaseFix: Upgrade to python-1.39.4 or higher. As a temporary workaround, avoid using `InMemoryVectorStore` for production scenarios.
GitHub Advisory DatabaseFix: Update OpenClaw to version 2026.2.15 or later. The fix preserves array ordering during hash normalization, so only object key ordering remains normalized. This ensures that configuration changes affecting array order are properly detected and containers are recreated as needed.
GitHub Advisory DatabaseFix: Update to OpenClaw version 2026.2.15 or later. The fix implements: (1) Add and enforce `tools.sessions.visibility` configuration with options `self`, `tree`, `agent`, or `all`, defaulting to `tree` to limit what sessions users can see. (2) Keep sandbox clamping behavior to restrict sandboxed runs to spawned/session-tree visibility. (3) Resolve Telegram webhook secret from account config fallback in monitor webhook startup. See commit `c6c53437f7da033b94a01d492e904974e7bda74c`.
GitHub Advisory DatabaseFix: Upgrade to openclaw >= 2026.2.15 when released. Additionally, rotate the Telegram bot token if it may have been exposed.
GitHub Advisory DatabaseFix: Upgrade to OpenClaw version 2026.2.15 or later. The fix includes runtime enforcement when building Docker arguments, validation of dangerous settings like `network=host` and `unconfined` security profiles, and security audits to detect dangerous sandbox Docker configurations.
GitHub Advisory DatabaseFix: Update to OpenClaw version 2026.2.15 or later. The fix sanitizes the workspace path by stripping Unicode control/format characters and explicit line/paragraph separators before embedding it into any LLM prompt output, and applies the same sanitization during workspace path resolution as an additional defensive measure.
GitHub Advisory DatabaseFix: The 1.0.2 patch introduces an `escapeRediSearchTagValue()` function that properly escapes all RediSearch special characters (- . < > { } [ ] " ' : ; ! @ # $ % ^ & * ( ) + = ~ | \ ? /) by prefixing them with backslashes, and applies this escaping to all filter keys used in query construction.
GitHub Advisory Database