Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
n8n, a workflow automation tool, has a SQL injection vulnerability (a flaw that lets attackers insert malicious database commands) in its Postgres v1 and TimescaleDB nodes. An authenticated user with permission to create or edit workflows could exploit this to run arbitrary SQL commands against connected databases with the privileges of the configured database account.
Fix: The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. As temporary workarounds, administrators can limit workflow creation and editing permissions to fully trusted users only, or disable the Postgres and TimescaleDB nodes by adding `n8n-nodes-base.postgres` and `n8n-nodes-base.timescaleDb` to the `NODES_EXCLUDE` environment variable. However, the source notes that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Source: GitHub Advisory Database

A security flaw in n8n (a workflow automation tool) allowed authenticated users to bypass file access restrictions by using the Git node's Clone and Push operations with local filesystem paths, potentially letting them read files they shouldn't have access to. The vulnerability has been patched in specific versions of n8n.
Fix: Upgrade to n8n version 1.123.48, 2.21.8, or 2.22.4 or later. If immediate upgrading is not possible, administrators can temporarily: (1) restrict workflow creation and editing permissions to fully trusted users only, or (2) disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
Source: GitHub Advisory Database

An authenticated user with permission to create or modify workflows in n8n could escape the Python sandbox (a restricted environment meant to safely run untrusted code) and execute arbitrary code on the task runner container. This vulnerability only affects instances where the Python Task Runner feature is enabled.
Fix: The issue has been fixed in n8n versions 1.123.48, 2.21.8, and 2.22.4. Users should upgrade to one of these versions or later. As temporary workarounds while upgrading: limit workflow creation and editing permissions to fully trusted users only, or disable the Python Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.
Source: GitHub Advisory Database

vLLM has an authentication bypass vulnerability in its OpenAI API protection. An attacker can craft a request with a specially crafted Host header (containing special characters like `/` or `?`) to trick the authentication check into looking at the wrong URL path, allowing them to use the API without providing the required `VLLM_API_KEY`. This only affects vLLM instances exposed directly to attackers; those behind a proper web server like nginx are protected.

Langflow's Shareable Playground feature allows unauthenticated users to execute public workflows through a special endpoint. This endpoint accepts a list of files that can be read from either the local system or S3 storage (cloud file storage), potentially exposing sensitive files if the workflow is configured to read them. An attacker could craft a request specifying arbitrary file paths to extract data without authentication.

Langflow's Shareable Playground feature contains a critical RCE (remote code execution, where an attacker can run commands on a system they don't own) vulnerability that allows unauthenticated users to execute arbitrary Python code. By sharing a flow and then modifying the code field in the API request to the `/api/v1/build_public_tmp` endpoint, an attacker can run malicious commands on the server.

Langflow has a path traversal vulnerability (a security flaw where an attacker can access files outside intended directories) in its Knowledge Bases API that allows authenticated attackers to create files and directories anywhere on the server by supplying malicious names like '../victim_user/evil_kb' or '/tmp/pwned' to the creation endpoint, potentially compromising data across users and corrupting knowledge bases.
Fix: The issue was fixed in PR #12337 by introducing a `_validate_kb_path_containment()` helper function that uses `Path.is_relative_to()` (instead of `startswith()`) to enforce strict path boundaries and prevent traversal attacks. This validation is applied before any filesystem operations, and regression tests were added to verify that traversal payloads return a 403 Forbidden response.
Source: GitHub Advisory Database

vLLM has a security vulnerability where an `assert` statement (a line of code that checks a condition) used to restrict which activation functions can be loaded is removed when Python runs in optimized mode, allowing attackers to publish malicious models on HuggingFace that execute arbitrary code when loaded.
Fix: Replace the `assert` with an explicit conditional raise. The source provides this fix: `if not function_name.startswith("torch.nn.modules."): raise ValueError("Loading of activation functions is restricted to torch.nn.modules for security reasons")`
Source: Hugging Face Security Advisories

Langflow's monitor API has 7 endpoints that lack ownership checks, allowing any authenticated user to read, modify, or delete another user's data like messages, sessions, and LLM logs through IDOR/BOLA (insecure direct object references/broken object-level authorization, where an attacker can access resources by guessing or knowing their IDs). The source code shows that the correct ownership-checking pattern exists in one endpoint but was not applied consistently across the other vulnerable endpoints.

LangChain has a path traversal vulnerability (a security flaw where attackers can access files outside an intended directory) in its file-search and configuration-loading components. These components don't properly validate that resolved file paths stay within their intended root directory, allowing attackers to use glob patterns (wildcards like *.txt), symlinks (shortcuts to files), or specially crafted path strings to access files they shouldn't. If an untrusted source, including an LLM, influences the paths or search patterns, attackers could read files outside the intended boundary.
Fix: The patches will canonicalize candidate paths (resolve symlinks to their actual targets) and verify the resolved real path stays within the configured root before reading files; normalize search patterns so they cannot escape the root; make configuration loaders confine resolved path fields and reject symlink escapes unless the caller explicitly enables dangerous loading; enforce path-segment boundaries in path-prefix checks; and make path validation work consistently across different operating systems. Callers that intentionally reference external paths can opt in via the existing dangerous-loading flag.
Source: GitHub Advisory Database

NLTK's nltk.data.load() function has a path traversal vulnerability (CWE-22, an attack that lets someone read files outside intended directories) because it checks for dangerous patterns before decoding URL-encoded characters like %2f (/) and %2e (.). An attacker can bypass protections by URL-encoding traversal sequences (for example, %2fetc%2fpasswd instead of /etc/passwd) and read arbitrary files from the filesystem.

Bleach, a library that removes dangerous content from HTML, has a vulnerability where it fails to block disallowed URI schemes (like javascript:) when Unicode characters (special invisible characters above U+00A0) are inserted into them. While modern browsers won't execute these malformed links, the vulnerability breaks Bleach's safety promise, and if downstream systems normalize these Unicode characters, the dangerous links could become executable.
Fix: Users should upgrade to Bleach 6.4.0. As a workaround, pre-process content to remove non-ASCII characters from URI schemes before sanitizing with bleach.clean, or implement a strong Content-Security-Policy (a security header that restricts what scripts can run on a webpage) without unsafe-inline and unsafe-eval script-srcs.
Source: GitHub Advisory Database

Cursor, a code editor designed for programming with AI assistance, had a security flaw in versions before 3.0.0 where it would automatically run commands from a settings file (.claude/settings.local.json) without asking the user first. An attacker could create a malicious workspace or file that executes harmful commands on the user's computer when the AI completes a task, potentially allowing them to escape security restrictions, maintain access across sessions, steal local data, or cause further damage.
Fix: Update Cursor to version 3.0.0 or later. According to the source, 'This issue has been fixed in version 3.0.0.'
Source: NVD/CVE Database

Netty's RedisArrayAggregator has a vulnerability where it pre-allocates memory (reserves space in a data structure) based on array sizes claimed in incoming messages, without checking if those sizes are reasonable. An attacker can send a message claiming an extremely large array size, causing the system to try reserving huge amounts of memory and crash or become unresponsive, even though they don't send the actual array data.

The W3CBaggagePropagator.extract() function in OpenTelemetry Core does not limit the size of incoming baggage HTTP headers, allowing unbounded memory allocation. While Node.js's default header size limit (16,384 bytes) provides some protection, systems without this limit or using non-HTTP transports (alternative communication methods like messaging systems) are at higher risk.
Fix: Update @opentelemetry/core to version 2.8.0 or later. The fix enforces the W3C Baggage specification limits at the propagator level: maximum total baggage size of 8,192 bytes, maximum 180 entries, and maximum per-entry size of 4,096 bytes. Headers exceeding these limits are truncated. Additionally, the source recommends configuring header size limits at the server or gateway level, and for non-HTTP transports receiving baggage from untrusted sources, validate input size before passing it to the propagator.
Source: GitHub Advisory Database

Kiro IDE, an AI-powered development tool, had a security flaw in versions before 0.11.133 where authentication token cache files (files storing login credentials) were saved with world-readable permissions on macOS and Linux, meaning any user or process on the same computer could read them instead of just the owner.
Fix: Update Kiro IDE to version 0.11.133 or later.
Source: AWS Security Bulletins

A vulnerability in HKUDS AI-Trader allowed attackers to access sensitive information through the research export feature by manipulating the /api/research/agents.csv file, and this flaw could be exploited remotely without needing physical access to the system. The vulnerability affects versions up to commit 74caf996f78dcc0c657df8365c8544678a16e215, and the exploit details have been made publicly available.
Fix: Apply patch 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65. The vendor confirms the fix requires authentication (proof of identity) and the research_exports capability (a specific permission) to access research export endpoints.
Source: NVD/CVE Database

AgenticMail, a tool that allows AI agents to access email and phone services, has a security flaw in versions before 0.9.27 where the /mcp endpoint (a communication interface) accepts requests without requiring authentication (verification of identity) when started in HTTP mode. This means a remote attacker could connect to the service and use its tools directly to access real email addresses and phone numbers.
Fix: This issue has been patched in version 0.9.27.
Source: NVD/CVE Database

Parse Server, an open source backend framework that runs on Node.js, has a vulnerability where attackers can send specially crafted HTTP requests that cause the server to spend seconds or minutes processing a single request before checking user permissions or rate limits. An attacker only needs to know the application's public ID and can overload the server by sending a few concurrent requests or one large request, making it slow or unresponsive for legitimate users.
Fix: Update Parse Server to version 8.6.77 or 9.9.1-alpha.1 or later, as this issue has been patched in these versions.
Source: NVD/CVE Database

Budibase's VectorDB configuration endpoint accepts a host parameter with no validation, allowing any authenticated builder-level user to make the server connect to internal IP addresses or cloud metadata endpoints (like AWS's 169.254.169.254). This is an SSRF vulnerability (server-side request forgery, where a server is tricked into making requests to unintended destinations), enabling attackers to scan internal networks, discover running services, and potentially steal cloud credentials.
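The Langflow Knowledge Bases, LangChain and NLTK entries above describe three variants of one path-containment defect: a `startswith()` prefix test, a check run before percent-decoding, and a check run on an unresolved path that a symlink bypasses. The following is an added example written for this digest, not code from any of those projects; the fixture directory, file names and the `naive_contains`/`safe_resolve` helpers are constructed here to show each weak check beside the segment-aware `Path.is_relative_to()` check the Langflow fix describes.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def naive_contains(root: str, candidate: str) -> bool:
    """The weak pattern from the advisories: a lexical prefix test on the
    raw (still percent-encoded, symlinks not resolved) string."""
    return os.path.abspath(os.path.join(root, candidate)).startswith(root)


def safe_resolve(root: Path, user_path: str) -> Path:
    """Decode first, then resolve symlinks and '..', then enforce the boundary.
    Raises PermissionError, which an API layer would map to 403 Forbidden."""
    decoded = unquote(user_path)                 # %2e%2e%2f -> ../
    root_real = root.resolve(strict=True)
    target = (root_real / decoded).resolve()     # follows symlinks, collapses ..
    if not target.is_relative_to(root_real):     # segment-aware, unlike startswith
        raise PermissionError(f"path escapes root: {user_path!r}")
    return target


def demo() -> dict:
    """Constructed fixture: root 'kb', a sibling 'kb_other' sharing its prefix,
    a file outside the root, and a symlink inside the root pointing at it.
    Returns each candidate's verdict under both checks (True = accepted)."""
    base = Path(tempfile.mkdtemp())
    root = base / "kb"
    root.mkdir()
    (base / "kb_other").mkdir()
    (base / "secret.txt").write_text("outside the root")
    (root / "link").symlink_to(base / "secret.txt")
    verdicts = {}
    for name in ("notes.txt", "../kb_other/x", "%2e%2e%2fsecret.txt", "link"):
        try:
            safe_resolve(root, name)
            safe = True
        except PermissionError:
            safe = False
        verdicts[name] = {"naive": naive_contains(str(root), name), "safe": safe}
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} naive={verdict['naive']!s:5} safe={verdict['safe']}")
```

Only `notes.txt` should be accepted; the prefix check waves through the sibling directory, the encoded traversal and the symlink because it never decodes or resolves what it compares.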
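The vLLM activation-function entry above hinges on `assert` being compiled away when Python runs with `-O`. As an added example (not vLLM's code), the script below runs both guard styles in a child interpreter with and without `-O`; the guard source, the `guard_accepts`/`verdict_matrix` helpers and the name `some.other.module.Fn` are constructed here for illustration.

```python
import subprocess
import sys

# Guard script run in a child interpreter. argv[1] is the dotted name of the
# callable to load, argv[2] selects which guard style to use.
GUARD_SRC = r'''
import sys
name, mode = sys.argv[1], sys.argv[2]
if mode == "assert":
    # vulnerable pattern: an assert is compiled away when Python runs with -O
    assert name.startswith("torch.nn.modules."), "restricted"
else:
    # fixed pattern (the digest's suggested change): an ordinary statement
    if not name.startswith("torch.nn.modules."):
        raise ValueError("Loading of activation functions is restricted "
                         "to torch.nn.modules for security reasons")
print("accepted", name)
'''


def guard_accepts(name: str, mode: str, optimized: bool) -> bool:
    """Run GUARD_SRC in a fresh interpreter, optionally with -O.
    True means the guard let the name through (child exited with status 0)."""
    cmd = [sys.executable]
    if optimized:
        cmd.append("-O")
    cmd += ["-c", GUARD_SRC, name, mode]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verdict_matrix(name: str) -> dict:
    """Verdicts for one name under {assert, raise} x {normal, -O}."""
    return {(mode, optimized): guard_accepts(name, mode, optimized)
            for mode in ("assert", "raise")
            for optimized in (False, True)}


if __name__ == "__main__":
    # "some.other.module.Fn" is a constructed placeholder outside the allow-list
    for name in ("torch.nn.modules.activation.GELU", "some.other.module.Fn"):
        for key, accepted in verdict_matrix(name).items():
            print(name, key, "accepted" if accepted else "rejected")
```

The only cell in the matrix that accepts the disallowed name is (`assert`, `-O`), which is exactly the gap the explicit `raise` closes.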