Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
An attacker can crash a server that uses Netty (a Java networking library) by sending a malicious Redis protocol message (a RESP-encoded command or reply, the format Redis clients and servers exchange) with deeply nested arrays. The RedisArrayAggregator component does not limit how many array layers it accepts, so an attacker can send thousands of nested arrays, each of which forces the aggregator to allocate another state object, until the process runs out of memory and crashes (a denial of service).
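The missing control described above, as an added example that is not Netty's code: a minimal reader for RESP (the Redis wire format) that refuses an array nested deeper than a fixed limit before it allocates any state for that level or recurses into it. The reader, the MAX_ARRAY_DEPTH constant and the RESP_DEPTH error code are this example's own names, not Netty identifiers, and the attack input at the end is constructed.

```typescript
// Added example, not Netty's code: a depth-capped RESP reader.

type RespValue = string | number | null | RespValue[];

const MAX_ARRAY_DEPTH = 32; // assumed limit; a production codec would make it configurable

class RespReader {
  private pos = 0;
  constructor(private readonly buf: string) {}

  // Parse one RESP value; `depth` is the number of arrays already open.
  read(depth = 0): RespValue {
    const type = this.buf[this.pos++];
    switch (type) {
      case "+":                                   // simple string
        return this.readLine();
      case ":":                                   // integer
        return Number(this.readLine());
      case "$": {                                 // bulk string: $<len>\r\n<bytes>\r\n
        const len = Number(this.readLine());
        if (len < 0) return null;                 // $-1 is the null bulk string
        const s = this.buf.slice(this.pos, this.pos + len);
        this.pos += len + 2;                      // payload plus trailing CRLF
        return s;
      }
      case "*": {                                 // array: *<count>\r\n<elements>
        const count = Number(this.readLine());
        if (count < 0) return null;               // *-1 is the null array
        // The control the entry above says was absent: refuse before allocating
        // per-level state or recursing, so a client cannot force unbounded
        // memory or stack use.
        if (depth + 1 > MAX_ARRAY_DEPTH) {
          const err = new Error(`array nesting exceeds ${MAX_ARRAY_DEPTH}`);
          (err as Error & { code?: string }).code = "RESP_DEPTH";
          throw err;
        }
        const items: RespValue[] = [];
        for (let i = 0; i < count; i++) items.push(this.read(depth + 1));
        return items;
      }
      default:
        throw new Error(`unknown RESP type byte ${JSON.stringify(type)} at offset ${this.pos - 1}`);
    }
  }

  private readLine(): string {
    const end = this.buf.indexOf("\r\n", this.pos);
    if (end < 0) throw new Error("truncated RESP line");
    const line = this.buf.slice(this.pos, end);
    this.pos = end + 2;
    return line;
  }
}

function parseResp(wire: string): RespValue {
  return new RespReader(wire).read();
}

// Constructed attack input: `levels` single-element arrays wrapped around one bulk string.
function nestedArrayMessage(levels: number): string {
  return "*1\r\n".repeat(levels) + "$1\r\na\r\n";
}

// True when parsing was stopped by the depth limit rather than by any other error.
function rejectedForDepth(wire: string): boolean {
  try {
    parseResp(wire);
    return false;
  } catch (e) {
    return (e as { code?: string }).code === "RESP_DEPTH";
  }
}
```

The check sits on the array branch before the element loop, which is the point at which an aggregator would otherwise push a new frame of state; a message of ten thousand nested arrays is rejected at the thirty-third level with the same cost as a legitimate message.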
A vulnerability (CVE-2026-11393) exists in AWS AgentCore CLI, a tool for managing AI agents on Amazon Bedrock. An attacker with certain permissions could inject malicious Python code by exploiting improper escaping of triple-quote characters (""") in a specific field: a value containing """ can close the string literal it is written into, so whatever follows is treated as Python code and runs if the generated file is executed. The vulnerability affects versions 0.4.0 through 0.14.1 and certain preview versions.
Fix: N/A -- no mitigation discussed in
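The escaping failure the entry describes, as an added example that is not AgentCore CLI code: a tiny generator that writes a Python function from a user-controlled value. The field name (`description`), the template and the attacker value are constructed for illustration. The unsafe form splices the value into a triple-quoted string; the hardened form emits it as a complete Python string literal using JSON.stringify, whose output (escapes \" \\ \n \r \t \b \f \uXXXX) is also valid Python double-quoted string syntax, so the value can never close the literal whatever it contains.

```typescript
// Added example, not AgentCore CLI code: generating Python source from an untrusted value.

// Constructed attacker value: closes the docstring, runs a command, reopens a string.
const payload = '""" \nimport os; os.system("id")\n"""';

// Vulnerable: the value lands inside a triple-quoted string verbatim, so a value
// containing """ terminates the string and the remainder becomes Python code.
function renderUnsafe(description: string): string {
  return [
    "def describe():",
    '    """' + description + '"""',
    "    return None",
    "",
  ].join("\n");
}

// Hardened: render the value as a Python string literal. JSON.stringify escapes
// every quote, backslash and control character, and its escape set is a subset of
// Python's, so Python parses the result back to exactly the original text. This
// yields a one-line literal, not a docstring.
function pyStringLiteral(value: string): string {
  return JSON.stringify(value);
}

function renderSafe(description: string): string {
  return [
    "def describe():",
    "    return " + pyStringLiteral(description),
    "",
  ].join("\n");
}

// Crude shape check for tests: a file generated from this template should contain
// exactly one top-level (unindented) statement, the def itself.
function topLevelStatementCount(src: string): number {
  return src.split("\n").filter((l) => l.length > 0 && !/^\s/.test(l)).length;
}
```

With the constructed payload the unsafe output gains two top-level statements; the safe output still has one. A generator should not try to neutralise triple quotes by replacing them; it should render any untrusted value as a whole literal, or better, keep it out of source entirely and load it from a data file at runtime.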
Flowise, a tool that provides a drag-and-drop interface for building customized large language model workflows, had a vulnerability in versions before 3.1.2 that allowed attackers to take over evaluators across different workspaces through mass assignment (binding fields from the client's request body onto an object without an allowlist, so an attacker can set properties they should not control). The vulnerability has been patched in version 3.1.2.
Flowise is a tool with a drag-and-drop interface for building custom AI workflows. Before version 3.1.2, it had a vulnerability where mass-assignment (improperly allowing users to modify system fields they shouldn't access) let attackers take over evaluations across different workspaces, even if they didn't have permission.
Flowise is a visual tool for building customized LLM (large language model) workflows. Before version 3.1.2, it had a mass-assignment vulnerability (a flaw where attackers can set object properties they should not control) that allowed users to take over dataset rows across different workspaces. The issue is rated CVSS 7.7 (high severity).
Flowise, a drag-and-drop tool for building customized AI workflows, had a vulnerability before version 3.1.2 that allowed attackers to take over datasets across different workspaces through mass-assignment (a flaw where an attacker can modify object properties that shouldn't be exposed). The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 7.7, indicating it is high severity.
Flowise is a drag-and-drop tool for building custom large language model workflows. Before version 3.1.2, it had a mass-assignment vulnerability (a security flaw where unintended data fields can be modified) in its CustomTemplate feature that could let attackers take over templates across different workspaces. This issue has been fixed in version 3.1.2.
Flowise is a tool with a drag-and-drop interface for building customized AI workflows. Before version 3.1.2, it had a mass-assignment vulnerability (a type of security flaw where an attacker can modify data they shouldn't have access to) that allowed someone to take over assistants across different workspaces by manipulating how the system creates and updates assistants.
Flowise, a tool with a drag-and-drop interface for building custom AI workflows, had a security flaw in versions before 3.1.2 where certain endpoints (API routes) for managing OpenAI Assistants Vector Stores lacked authorization checks. The endpoints required an API key (a credential that establishes who is calling, i.e. authentication), but never verified that the caller was permitted to perform the requested action on the given resource (authorization).
Flowise is a tool with a drag-and-drop interface for building customized workflows with large language models (LLMs, AI systems trained on massive amounts of text). Before version 3.1.2, the software had a bug where encrypted credential data (the stored ciphertext of API keys and passwords) was included in API responses when users filtered credentials by name, even though the same field was correctly stripped when no filter was used; the two code paths serialized the same records differently. This is a high-severity issue because it lets someone with basic access retrieve credential material they should never see.
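The inconsistency the entry describes, as an added example that is not Flowise code: two list handlers over one constructed credential table, where the unfiltered path projects away the secret field and the filtered path returns rows as stored. The hardened version applies one projection at the response boundary on every path. Field and function names are this example's own.

```typescript
// Added example, not Flowise code: one projection for every response path.

interface CredentialRow {
  id: string;
  name: string;
  credentialName: string;   // the credential type, e.g. "openAIApi"
  encryptedData: string;    // ciphertext of the secret; must never leave the server
  updatedDate: string;
}

// Constructed sample data.
const credentialTable: CredentialRow[] = [
  { id: "c1", name: "prod-openai", credentialName: "openAIApi", encryptedData: "U2FsdGVkX1...", updatedDate: "2026-01-10" },
  { id: "c2", name: "staging-openai", credentialName: "openAIApi", encryptedData: "U2FsdGVkX1...", updatedDate: "2026-01-11" },
  { id: "c3", name: "search", credentialName: "serpApi", encryptedData: "U2FsdGVkX1...", updatedDate: "2026-01-12" },
];

// Vulnerable pattern: the unfiltered branch strips the secret, the filtered branch
// returns the rows straight from the store.
function listCredentialsUnsafe(credentialNameFilter?: string): object[] {
  if (credentialNameFilter !== undefined) {
    return credentialTable.filter((c) => c.credentialName === credentialNameFilter); // leaks encryptedData
  }
  return credentialTable.map(({ encryptedData: _omit, ...rest }) => rest);
}

// Hardened: a single public shape, produced by one function, applied after
// whatever filtering happened.
type PublicCredential = Omit<CredentialRow, "encryptedData">;

function toPublic(row: CredentialRow): PublicCredential {
  const { encryptedData: _omit, ...pub } = row;
  return pub;
}

function listCredentialsSafe(credentialNameFilter?: string): PublicCredential[] {
  const rows = credentialNameFilter === undefined
    ? credentialTable
    : credentialTable.filter((c) => c.credentialName === credentialNameFilter);
  return rows.map(toPublic);
}

// Response-level guard suitable for a test suite: no serialized response may
// carry the secret field, regardless of which branch produced it.
function leaksSecret(response: unknown): boolean {
  return JSON.stringify(response).includes('"encryptedData"');
}
```

The `leaksSecret` check is the kind of assertion worth running against every credential endpoint in CI, with and without each query parameter, since the bug class is exactly that one parameter combination takes a different branch.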
Flowise, a tool for building custom AI workflows with a visual interface, had a vulnerability before version 3.1.2 where any user with API access could submit malicious JavaScript code to a function node. When E2B_APIKEY (the credential for E2B, a remote code-execution sandbox service) was not configured, which is the typical case, the code ran in a local sandbox (a restricted execution environment) that it could break out of, allowing it to run system commands on the server hosting Flowise.
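Why an in-process JavaScript sandbox fails, as an added example that is not Flowise code: it uses Node's `vm` module, which is the usual basis for a local fallback executor (an assumption about the fallback; the page does not say what Flowise used), with two constructed payloads. The first climbs from the sandbox global's prototype chain to the host realm's Function constructor; the second does the same from any host function handed into the sandbox, which is what defeats the obvious fix of giving the sandbox a null-prototype global. Helper names are this example's own.

```typescript
// Added example, not Flowise code: escaping a vm-based "sandbox".
import * as vm from "node:vm";

// Constructed attacker payloads. Each reaches a host-realm Function constructor
// and uses it to evaluate `process` in the host realm.
const viaThis = 'this.constructor.constructor("return process")()';
const viaHelper = 'log.constructor("return process")()';

// Attempt 1: the naive sandbox, a plain host-realm object as the global.
// `this` is that object, so this.constructor is the host Object.
function runNaive(code: string): unknown {
  return vm.runInNewContext(code, {}, { timeout: 100 });
}

// Attempt 2: a null-prototype global closes the this.constructor route, but any
// host function exposed to the guest (a logger, fetch, a utility) is itself a
// host-realm Function and reopens it.
function runWithHelper(code: string): unknown {
  const sandbox = Object.create(null);
  sandbox.log = (..._args: unknown[]) => {};   // a well-meant host helper
  return vm.runInNewContext(code, sandbox, { timeout: 100 });
}

// True when code run through `run` came back holding the host `process` object.
// Errors thrown inside the sandbox count as "did not escape".
function attemptEscape(run: (code: string) => unknown, code: string): boolean {
  try {
    return run(code) === process;
  } catch {
    return false;
  }
}
```

The Node documentation itself states that `vm` is not a security mechanism. Once guest code holds `process`, `process.binding` or `process.mainModule` lead to `child_process` and the command execution the entry describes. The boundary has to be a separate process or isolate with no host references, a container, or a remote executor, which is the role the E2B_APIKEY path plays when it is configured.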
Flowise, a tool for building customized AI workflows through a drag-and-drop interface, has a mass assignment vulnerability (a bug where attackers can modify fields they shouldn't be able to change) in versions before 3.1.2 that lets authenticated users reassign assistants to different workspaces by manipulating the workspaceId field, breaking the isolation between separate user workspaces in multi-user environments.
Flowise is a tool with a drag-and-drop interface for building customized AI workflows. Before version 3.1.2, the checkBasicAuth endpoint (which verifies a user's login credentials) compared the submitted password directly against a plaintext (unhashed) stored password, with no rate limiting (no cap on the number of attempts), so an attacker could guess passwords at will; a direct string comparison can also leak timing information about how much of the password matched.
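The hardened form of such a check, as an added example that is not Flowise code: a salted scrypt hash instead of a plaintext password, a constant-time comparison instead of `===`, and a per-identity failure limiter in front of both. The limiter policy (5 failures, 15-minute lockout) and all names are assumed settings for illustration.

```typescript
// Added example, not Flowise code: hashed, constant-time, rate-limited password check.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

interface StoredCredential { salt: Buffer; hash: Buffer }

function hashPassword(password: string): StoredCredential {
  const salt = randomBytes(16);
  return { salt, hash: scryptSync(password, salt, 32) };
}

function verifyPassword(password: string, stored: StoredCredential): boolean {
  const candidate = scryptSync(password, stored.salt, 32);
  return timingSafeEqual(candidate, stored.hash); // fixed-length buffers, no early exit
}

const MAX_FAILURES = 5;              // assumed policy
const LOCKOUT_MS = 15 * 60 * 1000;   // assumed policy

class FailureLimiter {
  private readonly state = new Map<string, { failures: number; lockedUntil: number }>();
  // Clock is injectable so tests can freeze time.
  constructor(private readonly now: () => number = Date.now) {}

  isLocked(key: string): boolean {
    const s = this.state.get(key);
    return s !== undefined && s.lockedUntil > this.now();
  }
  recordFailure(key: string): void {
    const s = this.state.get(key) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) s.lockedUntil = this.now() + LOCKOUT_MS;
    this.state.set(key, s);
  }
  reset(key: string): void {
    this.state.delete(key);
  }
}

// Hashed once at startup so an unknown username costs the same as a known one.
const DUMMY_CREDENTIAL = hashPassword(randomBytes(16).toString("hex"));

class BasicAuthChecker {
  constructor(
    private readonly users: Map<string, StoredCredential>,
    private readonly limiter: FailureLimiter,
  ) {}

  // Keyed on the username here; a deployment should also key on the client address.
  check(username: string, password: string): "ok" | "invalid" | "locked" {
    if (this.limiter.isLocked(username)) return "locked";
    const stored = this.users.get(username);
    const ok = verifyPassword(password, stored ?? DUMMY_CREDENTIAL) && stored !== undefined;
    if (!ok) {
      this.limiter.recordFailure(username);
      return "invalid";
    }
    this.limiter.reset(username);
    return "ok";
  }
}
```

Once the identity is locked, even the correct password is refused until the window passes, which is what removes the online brute-force path; the hash plus `timingSafeEqual` removes both the plaintext storage and the comparison timing leak.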
A vulnerability (CVE-2026-11479) was found in grepai version 0.35.0: the file indexer/chunker.go, part of the Qdrant Backend component, uses a weak hash function (a hashing algorithm that no longer meets cryptographic security requirements). The vulnerability is considered difficult to exploit and requires remote access with user credentials, but the exploit details have been publicly disclosed.
Three security vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were found in runc, a component used by container management systems (tools that package and run isolated software environments). AWS says these issues don't create cross-customer risk because AWS doesn't rely on containers as a security boundary (a protective barrier between different users). AWS customers using containers to isolate their own internal workloads should contact their operating system vendor for updates.
AWS discovered two security vulnerabilities in the SageMaker Python SDK (a library for machine learning on Amazon's platform). The first flaw exposes HMAC keys (secret keys used to compute the authentication codes that prove data has not been tampered with) through an API; anyone holding the key can compute valid codes for forged data in cloud storage. The second flaw disables SSL/TLS certificate verification (the check that the server you connect to is the one it claims to be) for all encrypted connections made while a certain model component is in use, exposing them to interception.
A vulnerability (CVE-2026-0830) in Kiro IDE, a desktop application that helps developers with code tasks, allows attackers to run arbitrary commands on a user's computer by tricking them into opening a workspace with specially crafted folder names (command injection: the folder name is incorporated into a command the IDE runs, so shell metacharacters in the name execute as commands). This bug affects Kiro versions before 0.6.18.
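The injection pattern and its fix, as an added example that is not Kiro code: a workspace folder name reaches a command line. The vulnerable form interpolates it into a shell string; the hardened form passes it as a single argv element with no shell, and a name validator rejects implausible names before either. It assumes a POSIX shell and the coreutils `echo` binary, which stands in for whatever tool an IDE actually runs; the hostile folder name is constructed.

```typescript
// Added example, not Kiro code: shell string versus argv for a folder name.
import { execFileSync, execSync } from "node:child_process";

// Constructed attacker folder name; legal on Linux and macOS filesystems.
const hostileFolder = "project; echo INJECTED";

// Vulnerable: string interpolation into a command parsed by /bin/sh.
function describeFolderUnsafe(folder: string): string {
  return execSync(`echo ${folder}`, { encoding: "utf8" });
}

// Hardened: argv array, no shell; the name is one argument whatever it contains.
function describeFolderSafe(folder: string): string {
  return execFileSync("echo", [folder], { encoding: "utf8" });
}

// Defence in depth: reject names that are not plausible workspace folders before
// they reach any command. The leading-character rule also stops names beginning
// with "-" from being read as options by the program that receives them.
const SAFE_FOLDER = /^[A-Za-z0-9_][A-Za-z0-9._ -]{0,254}$/;

function isPlausibleFolderName(name: string): boolean {
  return SAFE_FOLDER.test(name);
}
```

Run against the hostile name, the shell form prints two lines (the second is the injected command's output) while the argv form prints the name back verbatim. Quoting the interpolated value is not a substitute: the argv form removes the shell from the path entirely.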
Amazon Q Developer and AWS Kiro, which are AI tools that help developers write code, have security vulnerabilities related to prompt injection (tricking the AI by hiding malicious instructions in files or suggestions). Attackers could potentially execute commands or steal sensitive information without the developer's knowledge. AWS has released multiple software updates that require human confirmation before executing risky commands.
A security flaw in vantage6 node (a distributed computing platform) allows malicious algorithms (computational programs) to improperly access input and output files that belong to other algorithms running on the same node. This is an access control vulnerability, meaning the system fails to properly restrict who can view what data.
PraisonAI Platform has an IDOR (insecure direct object reference, a flaw where users can access resources they shouldn't by guessing object IDs) vulnerability in its agent management endpoints. A user who belongs to any workspace can read, modify, or delete agents from other workspaces by guessing their agent IDs, because the code checks if the user belongs to *some* workspace but never verifies the agent actually belongs to that workspace.
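Both workspace-isolation failures above, the Flowise mass-assignment entries (objects reassigned across workspaces by setting fields such as workspaceId in the request body) and the PraisonAI IDOR entry (membership in some workspace treated as permission for any object), shown over one constructed in-memory store. This is an added example, not Flowise or PraisonAI code; the entity shape, caller shape and handler names are assumptions for illustration.

```typescript
// Added example, not Flowise or PraisonAI code: workspace-scoped lookup plus field allowlist.

interface Agent { id: string; workspaceId: string; name: string; instructions: string; createdBy: string }

// The caller's workspaces come from the session, never from the request body.
interface Caller { userId: string; workspaceIds: string[] }

// Constructed sample data: two workspaces, one agent each.
const agents = new Map<string, Agent>([
  ["a1", { id: "a1", workspaceId: "ws-alpha", name: "support", instructions: "...", createdBy: "u1" }],
  ["a2", { id: "a2", workspaceId: "ws-beta", name: "billing", instructions: "...", createdBy: "u2" }],
]);

class NotFound extends Error { readonly code = "NOT_FOUND"; }
class Forbidden extends Error { readonly code = "FORBIDDEN"; }

// ----- vulnerable handlers -----

// IDOR: checks that the caller belongs to *some* workspace, then fetches by id alone.
function getAgentUnsafe(caller: Caller, id: string): Agent {
  if (caller.workspaceIds.length === 0) throw new Forbidden("no workspace");
  const a = agents.get(id);
  if (!a) throw new NotFound(id);
  return a;
}

// Mass assignment: copies every body field onto the entity, workspaceId included.
function updateAgentUnsafe(caller: Caller, id: string, body: Record<string, unknown>): Agent {
  const a = getAgentUnsafe(caller, id);
  Object.assign(a, body);
  return a;
}

// ----- hardened handlers -----

// Object-level authorization: the caller must be in the named workspace and the
// agent must belong to that workspace. A mismatch is reported as "not found"
// rather than "forbidden" so ids in other workspaces cannot be confirmed.
function getAgentSafe(caller: Caller, workspaceId: string, id: string): Agent {
  if (!caller.workspaceIds.includes(workspaceId)) throw new Forbidden(workspaceId);
  const a = agents.get(id);
  if (!a || a.workspaceId !== workspaceId) throw new NotFound(id);
  return a;
}

// Allowlist of client-settable fields; anything else in the body is dropped.
const UPDATABLE = ["name", "instructions"] as const;

function updateAgentSafe(caller: Caller, workspaceId: string, id: string, body: Record<string, unknown>): Agent {
  const a = getAgentSafe(caller, workspaceId, id);
  for (const key of UPDATABLE) {
    const v = body[key];
    if (typeof v === "string") a[key] = v;
  }
  return a;
}
```

The two fixes are independent: scoping the lookup by workspace closes the read, update and delete IDOR, and the allowlist closes the reassignment even for a caller who legitimately owns the object. A framework's "bind request body to model" helper needs the same allowlist, since that helper is where mass assignment usually originates.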
Source: NVD/CVE Database (the eleven Flowise entries above)
Fix: Update Flowise to version 3.1.2 or later; each of the Flowise issues above is patched in 3.1.2.
Source: AWS Security Bulletins (the runc, SageMaker Python SDK, Kiro IDE, and Amazon Q Developer/Kiro entries above)
Fix (runc): AWS recommends applying all security patches and software version updates as a best practice. Customers using containers to isolate workloads within their own environments should contact their operating system vendor for any updates or instructions necessary to mitigate these issues.
Fix (SageMaker Python SDK): Update to v3.2.0 or later for the HMAC key exposure (v2.256.0 or later on the v2 line), and to v3.1.1 or later for the TLS verification issue (v2.256.0 or later on the v2 line).
Fix (Kiro IDE, CVE-2026-0830): Update to Kiro version 0.6.18 or later.
Fix (Amazon Q Developer and Kiro prompt injection): For Amazon Q Developer, upgrade to Language Server v1.22.0 or later (released July 17, 2025), which requires human confirmation for find, grep, and echo commands, and to v1.24.0 or later (released July 29, 2025), which requires human confirmation for ping and dig commands. For AWS Kiro, upgrade to version 0.1.42 or later (released August 1, 2025), which requires human confirmation for risky actions when configured in Supervised mode.
Source: GitHub Advisory Database (the vantage6 entry above)
Fix (vantage6 node): Verify and restrict which algorithm containers (the isolated software packages that run algorithms) are allowed to run on your node; instructions are in the vantage6 security documentation.