Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
ChromaDB Rust (version 1.0.0 and later) has a security flaw where authorization validation (checking whether a user has permission to access data) is missing, allowing any logged-in user to read, write, update, or delete data from any tenant's collection (a storage area for data), even if they shouldn't have access to it. This is rated as HIGH severity with a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.8.
ChromaDB (a Python database project) versions 0.4.17 and later have a code injection vulnerability (CVE-2026-45833) that allows an authenticated attacker (someone with valid login credentials) to run arbitrary code (malicious programs) on the server by sending a malicious model repository when a specific setting is enabled. This vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 9.4, meaning it is critical.
CVE-2026-45832 is a vulnerability in ChromaDB's Python project where V1 collection-level endpoints (API access points for managing data collections) pass None (empty/null values) for the tenant and database parameters to the authorization layer, allowing attackers with login credentials to bypass authorization controls (security checks that verify what users are allowed to do) by using these older endpoints. The vulnerability has a CVSS score (0-10 severity rating) of 8.8, indicating it is high-severity.
ChromaDB Python versions 0.5.0 and later contain a vulnerability in the SimpleRBACAuthorizationProvider (a tool that checks user permissions) where it verifies that a user has permission to do something but fails to check which tenant, database, or collection that permission applies to. This allows users to perform actions across different tenants (separate customer environments) that they shouldn't be able to access.
ChromaDB (a Python tool for managing data collections) version 0.4.17 and later has a security flaw where authorization validation (checking if a user should be allowed to access something) is missing. This allows any user who is already logged in to read, write, change, or delete data in any tenant's collection (a shared workspace), even if they shouldn't have access to it. The severity is rated as HIGH with a CVSS score of 8.8 (a 0-10 scale measuring how serious a vulnerability is).
LangGraph's MongoDBSaver had a NoSQL injection vulnerability (a type of attack where special database commands are sneaked into queries) that allowed attackers to read checkpoint data (saved conversation states) from other users or tenants by injecting MongoDB operators like $gt into identifier fields. This happened because the code didn't enforce that these fields must be strings before using them in database queries.
IBM Langflow OSS versions 1.0.0 through 1.9.1 have a security flaw where authenticated users (those already logged in) can bypass proper access controls using insecure direct object references (IDOR, where an attacker can access other users' data by guessing or modifying object identifiers in requests), allowing them to read or modify sensitive information they shouldn't have access to.
IBM Langflow Desktop versions 1.0.0 through 1.9.2 have a vulnerability called SSRF (server-side request forgery, where an attacker tricks the server into making unauthorized requests on their behalf). An authenticated attacker could use this to perform unauthorized network requests from the system, potentially discovering network information or launching further attacks.
Keras versions before 3.14.0 have a path traversal vulnerability (a security flaw where attackers can access files outside the intended directory) in their archive extraction utilities because the safety checks compare paths against the current working directory instead of the actual extraction destination. When running in environments like Docker containers where the current working directory is set to the filesystem root, attackers can bypass these checks and write malicious files anywhere on the system, potentially compromising configurations, code, and machine learning data.
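To make the Keras flaw concrete, the following added example (written for this digest, not Keras's own code) contrasts the two containment checks on constructed archive entry names. It models POSIX paths only, which is the container scenario the advisory describes, and the function names, the destination `/opt/model`, and the member names are all assumptions.

```python
import posixpath

# Added example, not Keras's code. Models POSIX paths only (the Docker
# scenario above); destination and member names are constructed.


def resolve_member(dest: str, member: str) -> str:
    """Absolute, normalised path an archive member would be written to.

    posixpath.join discards `dest` when `member` is absolute, so an entry
    named "/etc/passwd" resolves outside the destination, which is how a
    naive extractor would treat it.
    """
    return posixpath.normpath(posixpath.join(dest, member))


def is_inside(base: str, target: str) -> bool:
    """True if `target` equals `base` or lies strictly beneath it."""
    base = posixpath.normpath(base)
    return target == base or target.startswith(base.rstrip("/") + "/")


def cwd_based_check(dest: str, member: str, cwd: str) -> bool:
    """The flawed pattern: the target is accepted if it lies under the
    process's working directory rather than under `dest`. With cwd == "/"
    every absolute path passes."""
    return is_inside(cwd, resolve_member(dest, member))


def dest_based_check(dest: str, member: str) -> bool:
    """The corrected pattern: the target must lie under the extraction
    destination itself, regardless of where the process was started."""
    return is_inside(dest, resolve_member(dest, member))


def audit_members(dest: str, members: list, cwd: str) -> dict:
    """For each member name return (accepted_by_flawed_check, accepted_by_fixed_check)."""
    return {m: (cwd_based_check(dest, m, cwd), dest_based_check(dest, m)) for m in members}


if __name__ == "__main__":
    # Constructed archive entry names, not taken from any real archive.
    names = ["weights.h5", "sub/../config.json", "../../etc/cron.d/job", "/etc/passwd"]
    for cwd in ("/", "/home/user"):
        print(f"cwd={cwd}")
        for name, (flawed, fixed) in audit_members("/opt/model", names, cwd).items():
            print(f"  {name:24} flawed={flawed!s:5} fixed={fixed}")
```

Run as a script it prints the verdict of both checks for each entry under two working directories; the point to notice is that the cwd-based check only looks safe when the process happens to run from a subdirectory, and accepts everything once cwd is `/`.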
Netty's RedisArrayAggregator handler has a bug where it leaks pooled direct-memory buffers (reusable chunks of memory managed by the JVM) when a Redis pipeline connection closes before finishing. The handler doesn't clean up its internal state properly, so buffers can't be returned to the shared memory pool, and repeated connection closures eventually cause all network operations in the program to fail due to memory exhaustion.
vLLM (an open-source tool for running large language models) versions 0.8.0 and later have a vulnerability where attackers can crash the server by sending a single request with thousands of video frames packed into one data URL. The vulnerability exists because the code that processes video frames doesn't limit how many frames it will try to load into memory, so an attacker can force it to decode so many frames that the server runs out of memory and stops working.
A vulnerability in Spring Web Services allows attackers to exploit XML parsing by sending malicious XML to applications that evaluate XPath expressions. The flaw occurs because the software uses Java's default XML parser instead of Spring's safer parser configuration, making it susceptible to XXE attacks (XML External Entity attacks, where attackers embed malicious references in XML files to access unauthorized data or execute commands).
A vulnerability in Claude Code Action allowed attackers to run arbitrary code on GitHub Actions runners and steal secrets by creating a pull request with a malicious `.mcp.json` file (a configuration file that tells the system which external tools to enable). The problem occurred because the action automatically checked out the attacker's code, read the malicious configuration file, and unconditionally enabled all project MCP servers (integrations with external tools) without validation.
OpenTelemetry Operator's TargetAllocator has a vulnerability where a tenant who can create or update a ServiceMonitor (a Kubernetes resource that tells Prometheus what to monitor) can trick the Collector into reading arbitrary files from its pod and sending them as authentication credentials to an attacker-controlled endpoint. This allows attackers to steal the Collector's service account token (a credential that proves the pod's identity to Kubernetes) and potentially access sensitive cluster information or files.
vLLM has a vulnerability called Artifact Pin Decay where revision pinning (locking a model to a specific version) doesn't consistently apply to all files and code that a model needs. When operators use `--revision` to lock their deployment to a reviewed version, vLLM can still load related files like weights, image processors, and configuration from the unpinned default version, breaking the safety guarantee that a pinned deployment serves only reviewed code.
LMDeploy, a toolkit for compressing and deploying large language models, has a vulnerability in versions 0.12.3 and earlier where a setting called 'trust_remote_code' is hardcoded to 'True'. This allows an attacker to execute remote code (RCE, meaning they can run commands on a system) through the software supply chain without the user agreeing to it. At the time this vulnerability was published, no patches were available to fix it.
ARM announced CVE-2025-10263, an architectural vulnerability in some ARM processor cores that allows attackers to bypass translation stages (memory protection mechanisms that control which parts of memory different software can access) or GPT (Granule Protection Table) protections under certain conditions. An attacker running at a lower privilege level can write to memory that should only be accessible to higher privilege software, allowing them to escalate their access rights, though reading protected memory is not affected by this bug.
CVE-2026-45482 is a path traversal vulnerability (a flaw where an attacker can access files outside the intended directory by manipulating file paths) in GitHub Copilot and Visual Studio Code that allows an unauthorized attacker to bypass a local security feature. The vulnerability has a CVSS 4.0 severity score (a 0-10 rating of how severe a vulnerability is, where higher numbers mean more serious). Details are still being assessed by NIST, and Microsoft has published information about this issue.
Netty's RedisDecoder (a tool that reads Redis protocol messages) has a vulnerability where an attacker can send malformed Redis messages without proper line endings (`\r\n`) across multiple connections, causing the decoder to buffer data indefinitely and exhaust the server's direct memory pool (memory reserved for direct I/O operations), resulting in a DoS (denial of service) attack that prevents legitimate users from connecting.
Fix: Upgrade to @langchain/langgraph-checkpoint-mongodb@1.3.1 or later. Version 1.3.1 adds runtime validation for configurable checkpoint identifiers and rejects invalid values before they reach MongoDB query paths. The patch also includes regression tests covering object and operator payloads. As additional protection, validate identifier fields at API boundaries and avoid passing raw client objects into graph config.
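The following added example (not the langgraph-checkpoint-mongodb code) shows the boundary check that the fix note above describes, applied to the LangGraph MongoDBSaver issue listed earlier: identifier fields are validated as plain strings before they are placed in a query filter. The field names `thread_id`, `checkpoint_ns` and `checkpoint_id` are the usual LangGraph checkpoint identifiers; the function names, the toy matcher and the checkpoint documents are assumptions constructed for illustration.

```python
from typing import Any, Optional

# Added example, not the langgraph-checkpoint-mongodb code. Field names are
# the usual LangGraph checkpoint identifiers; everything else is assumed.

IDENTIFIER_FIELDS = ("thread_id", "checkpoint_ns", "checkpoint_id")


def build_filter_unchecked(configurable: dict) -> dict:
    """The vulnerable pattern: identifier values are copied into the query
    filter as-is, so a dict such as {"$gt": ""} becomes a MongoDB operator."""
    return {k: configurable[k] for k in IDENTIFIER_FIELDS if k in configurable}


def require_str(configurable: dict, key: str, *, required: bool) -> Optional[str]:
    """Reject anything that is not a plain string (objects, numbers, lists)."""
    value = configurable.get(key)
    if value is None:
        if required:
            raise ValueError(f"{key} is required")
        return None
    if not isinstance(value, str):
        raise TypeError(f"{key} must be a string, got {type(value).__name__}")
    return value


def build_filter_checked(configurable: dict) -> dict:
    """The corrected pattern: every identifier is validated at the boundary,
    before it can reach a query path."""
    flt: dict = {"thread_id": require_str(configurable, "thread_id", required=True)}
    ns = require_str(configurable, "checkpoint_ns", required=False)
    flt["checkpoint_ns"] = ns if ns is not None else ""
    cid = require_str(configurable, "checkpoint_id", required=False)
    if cid is not None:
        flt["checkpoint_id"] = cid
    return flt


def matches(doc: dict, flt: dict) -> bool:
    """Toy matcher reproducing only the MongoDB semantics that matter here:
    a plain value means equality, a {"$gt": x} object means greater-than."""
    for field, cond in flt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op != "$gt":
                    raise ValueError(f"toy matcher does not model {op}")
                if not (isinstance(value, str) and value > arg):
                    return False
        elif value != cond:
            return False
    return True


# Constructed checkpoint documents belonging to two different tenants.
CHECKPOINTS: list = [
    {"thread_id": "tenant-a-thread-1", "checkpoint_ns": "", "checkpoint_id": "c1"},
    {"thread_id": "tenant-b-thread-7", "checkpoint_ns": "", "checkpoint_id": "c9"},
]


def count_matches(flt: dict) -> int:
    """How many stored checkpoints a filter would return."""
    return sum(1 for d in CHECKPOINTS if matches(d, flt))


if __name__ == "__main__":
    honest: dict[str, Any] = {"thread_id": "tenant-a-thread-1"}
    print("checked filter matches:", count_matches(build_filter_checked(honest)))
    operator_object: dict[str, Any] = {"thread_id": {"$gt": ""}}
    print("unchecked filter matches:", count_matches(build_filter_unchecked(operator_object)))
    try:
        build_filter_checked(operator_object)
    except TypeError as exc:
        print("checked builder rejected it:", exc)
```

The unchecked builder lets an operator object stand in for a thread id, and the toy matcher shows it then matching every tenant's checkpoints; the checked builder raises before any filter is built, which is the behaviour the 1.3.1 patch adds and the behaviour worth replicating at your own API boundary.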
Fix: Update claude-code-action to the latest version. Users referencing anthropics/claude-code-action@v1, anthropics/claude-code-action@beta, anthropics/claude-code-action@main, or other non-pinned tags will have already received this fix.
Fix: PR #5104 adds a `DenyFSAccessThroughSMs` feature that causes the Target Allocator to drop ServiceMonitor and PodMonitor endpoints that reference arbitrary files on the filesystem. When enabled, endpoints with `bearerTokenFile`, `tlsConfig.caFile`, `tlsConfig.certFile`, or `tlsConfig.keyFile` are dropped from the produced scrape configuration while remaining endpoints are kept.
OpenAI discovered and banned two clusters of ChatGPT accounts, likely operated from China, that were running covert influence operations (hidden campaigns to manipulate public opinion) aimed at shaping American debates about AI policy. One cluster spread false claims that data centers were raising electricity prices; the other criticized US tariffs while keeping China's leader out of the discussion. OpenAI is publishing these findings to help the industry, governments, and the public identify and stop similar foreign manipulation attempts.