Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
The `kubectl_generic` tool in `mcp-server-kubernetes` accepts any kubectl flags without validation, allowing an attacker to inject flags like `--server=https://attacker.com` and `--insecure-skip-tls-verify=true`. When a privileged operator uses the MCP server and an AI agent follows injected instructions in logs, kubectl sends the operator's Kubernetes bearer token (authentication credential) to the attacker's server, which can then be replayed to gain full cluster access.
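As an added illustration (not code from mcp-server-kubernetes or the advisory), this JavaScript filter shows the check a generic "run kubectl with these arguments" tool can apply before spawning kubectl: it rejects the flags that redirect the connection or swap credentials, which is the class of flag the advisory describes. The flag names are kubectl's real global flags; the function and set names are assumed, and the argument lists in the comments are constructed.

```javascript
// Added example, not mcp-server-kubernetes code. A deny-list of kubectl
// global flags that change where the request goes or which credential is
// sent. An allow-list of subcommands and flags is stronger still; this
// shows the minimum check that would have stopped the advisory's case.
const CONNECTION_FLAGS = new Set([
  "--server", "-s", "--kubeconfig", "--token", "--insecure-skip-tls-verify",
  "--context", "--cluster", "--user", "--certificate-authority",
  "--client-certificate", "--client-key", "--username", "--password",
  "--as", "--as-group", "--as-uid", "--tls-server-name", "--proxy-url",
]);

// Returns { ok: true } or { ok: false, reason } for an argv-style array
// such as ["get", "pods", "--server=https://example.invalid"] (constructed).
function validateKubectlArgs(args) {
  // "kubectl config ..." rewrites the kubeconfig itself (server, token,
  // context), so the whole subcommand is refused rather than individual flags.
  if (args[0] === "config") {
    return { ok: false, reason: "config subcommand is not permitted" };
  }
  for (const raw of args) {
    if (!raw.startsWith("-")) continue; // subcommands, resource names, values
    // pflag accepts --flag=value, --flag value, -s=value, -s value and -svalue;
    // reduce every spelling to the bare flag name before the lookup.
    const name = raw.startsWith("--") ? raw.split("=", 1)[0] : raw.slice(0, 2);
    if (CONNECTION_FLAGS.has(name)) {
      return { ok: false, reason: `connection flag ${name} is not permitted` };
    }
  }
  return { ok: true };
}
```

The check runs on the argument array, so it must sit before any shell or process spawn; it does not inspect the environment, which the tool should control separately (KUBECONFIG in particular).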
A vulnerability exists in ONNX MLIR (a tool that converts machine learning models to code) versions up to 0.5.0.0 where the generate_hash_key function uses a weak hash (a simple algorithm for converting data into a fixed-length code that is easy to reverse or predict). The vulnerability requires local access to exploit and is difficult to execute in practice.
OpenAI Atlas versions before 1.2025.288.15 had a security flaw where privileged browser APIs (special functions that control browser features) were exposed to web content on OpenAI domains, and a cross-site scripting vulnerability (a type of attack where malicious code is injected into a website) on forum.openai.com could be exploited to access browser history and control tabs. The vulnerability was caused by improper access control (failing to properly restrict who can use certain functions).
CVE-2026-47644 is an injection vulnerability (a flaw where specially crafted input is not properly filtered before being used by another part of the system) in Microsoft Edge's Copilot Chat that allows an attacker to disclose information over a network without authorization. The vulnerability involves improper neutralization of special elements in output, meaning the system doesn't properly clean or validate data before passing it to other components.
CVE-2026-45497 is a command injection (a flaw where special characters in user input are not properly filtered, allowing an attacker to insert and run unintended commands) vulnerability in Microsoft Copilot that lets an authorized attacker execute code over a network. The vulnerability has not yet received a CVSS score (a 0-10 rating of how severe a vulnerability is) from NIST.
CVE-2026-42824 is a command injection vulnerability (a flaw where an attacker inserts malicious commands into user input that gets executed by the system) in Microsoft 365 Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements in commands. A CVSS score (a 0-10 rating of how severe a vulnerability is) has not yet been assigned by NIST.
OpenMeter has a SQL injection vulnerability (a flaw that lets attackers insert malicious database commands) in its meter creation endpoint. An authenticated tenant can inject arbitrary SQL through the `valueProperty` or `groupBy` fields, bypassing validation and executing commands against the shared ClickHouse database (the system that stores event data for all tenants), allowing any tenant to read or modify other tenants' metering data.
A vulnerability exists in Milvus (a vector database software) versions up to 2.6.13 where the Grantee ID Hash Handler component uses a weak hash (a cryptographic function that is easy to break). An attacker would need local access to the system and would face high complexity in exploiting it, though the vulnerability details have been publicly disclosed.
Streamlit versions up to 1.53.0 contain a vulnerability in the hashing function (a process that converts data into a fixed-size code for security purposes) within its caching system that uses weak cryptographic methods. The vulnerability is difficult to exploit as it requires local access (being on the same computer) and high technical complexity, though it has been disclosed publicly.
MLflow versions up to 3.10.0 contain a vulnerability in the dataset digest computation function that uses weak cryptographic hashing (a hash is a mathematical function that converts data into a fixed-size code; the one used here is insecure). The flaw requires local access to exploit and is difficult to execute, but a working exploit has been published.
LibreChat (a ChatGPT-like tool that connects to multiple AI providers) has a security flaw in versions up to 0.8.3 where someone with editing access to a shared agent can delete files globally, breaking the owner's separate private agents that use the same files. This is a cross-agent integrity violation, meaning one agent's access should not affect another agent's files.
LibreChat, a ChatGPT-like application supporting multiple AI providers, has a vulnerability in versions up to 0.8.3 where users with limited VIEW access can retrieve encrypted admin passwords and API keys through specific API endpoints, exposing credentials that should remain secret. This happens because the API returns plaintext sensitive values instead of hiding them from non-admin users.
LibreChat, a ChatGPT-like tool that works with multiple AI providers, has a vulnerability in versions up to 0.8.3 where it unsafely replaces environment variable placeholders (like ${VAR}) when validating user-provided server URLs. An authenticated attacker can create a malicious server configuration that tricks LibreChat into sending sensitive secrets like encryption keys and database credentials to an attacker-controlled server, compromising the entire installation without needing admin access.
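An added example, not LibreChat's code, of the separation the advisory implies: placeholder expansion is applied only to operator-controlled configuration, while a URL arriving from a request body is validated as-is and refused if it even looks like a placeholder. Function names, the https-only rule and the sample inputs are assumptions made for the illustration.

```javascript
// Added example, not LibreChat code. One regex for ${NAME}; a global copy is
// built for replace() so the non-global one can be used safely with test().
const PLACEHOLDER_RE = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/;
const PLACEHOLDER_ALL = new RegExp(PLACEHOLDER_RE.source, "g");

// Expand ${NAME} placeholders in a value read from a trusted config file.
// Unknown names are left untouched so a typo does not silently become "".
function expandTrustedConfig(value, env) {
  return value.replace(PLACEHOLDER_ALL, (match, name) =>
    Object.prototype.hasOwnProperty.call(env, name) ? env[name] : match);
}

// Validate a server URL supplied by an authenticated user. Returns
// { ok: true, url } or { ok: false, reason }. No expansion is ever applied
// to user input; rejecting placeholder syntax outright is belt-and-braces
// so the string can never later be fed through the trusted expander.
function validateUserServerUrl(raw) {
  if (typeof raw !== "string" || PLACEHOLDER_RE.test(raw)) {
    return { ok: false, reason: "placeholder syntax not allowed in user URLs" };
  }
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "not a URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "https required" }; // assumed policy
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  return { ok: true, url: url.href };
}
```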
LibreChat, a ChatGPT-like application supporting multiple AI providers, has an IDOR vulnerability (insecure direct object reference, where an attacker can access or modify resources belonging to other users) in its API key management system in versions up to 0.7.6. An authenticated attacker can inject a userId parameter to overwrite another user's API keys, potentially stealing their API key configurations or blocking their service.
OpenMed versions before 1.5.2 have a remote code execution vulnerability (RCE, where attackers can run commands on the affected system) in how it loads privacy-filter models. The vulnerability exists because the software uses overly broad pattern matching on user-supplied model names, allowing attackers to trick it into loading malicious code from external sources. An unauthenticated attacker can exploit this by providing a fake model repository containing harmful code that gets executed with the same permissions as the OpenMed service.
Kiro IDE (an AI agent that runs on your desktop) has a vulnerability where attackers can trick it into writing files to sensitive locations (like .vscode/tasks.json, which automatically runs code when you open a folder), allowing them to execute arbitrary commands (run code they choose). This affects all versions before 0.11.
MLflow 3.9.0 with basic authentication has a missing authorization check bug where three Gateway API endpoints (ListGatewaySecretInfos, ListGatewayEndpoints, ListGatewayModelDefinitions) don't validate user permissions properly, allowing any logged-in user to see sensitive information like API keys and model configurations they shouldn't access.
CodexBar versions before 0.32.0 have a session cookie leakage vulnerability where attackers on the network can intercept imported browser session cookies by exploiting how the software handles redirects (automatic forwarding between web addresses) for Amp and Ollama providers. An attacker positioned between a user and the network can capture sensitive session cookies (small files that store login information) when they are sent unencrypted over HTTP (the unencrypted version of web communication).
F5-TTS (a text-to-speech software) through version 1.1.20 has a path traversal vulnerability (a flaw where attackers can access files outside the intended directory) in its finetune Gradio handlers (components that process fine-tuning requests). Unauthenticated attackers can exploit this by providing malicious project names that aren't checked, allowing them to write arbitrary files anywhere on the server's filesystem.
Fix: Apply patch 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4 to resolve this issue.
Source: NVD/CVE Database
Fix: Users should upgrade to OpenAI Atlas version 1.2025.288.15 or later, which narrows access to these APIs to only the *.chatgpt.com domain.
Source: NVD/CVE Database
Fix: Replace `fmt.Sprintf` string interpolation with `sb.Var()`, which appends the value to the builder's args list and emits a `?` placeholder. Specifically, change: `sb.Select(fmt.Sprintf("JSON_VALUE('{}', '%s')", sqlbuilder.Escape(d.jsonPath)))` to `sb.Select(fmt.Sprintf("JSON_VALUE('{}', %s)", sb.Var(d.jsonPath)))`.
Source: GitHub Advisory Database
Fix: Apply the patch identified as 3d932f1c3e065351c4440c27abe1e6479752544d to fix this issue.
Source: NVD/CVE Database
Fix: Version 0.8.4 contains a patch.
Source: NVD/CVE Database
Fix: Version 0.8.4 contains a patch. The source also recommends these additional approaches: never return decrypted admin-managed secrets to non-owners; redact apiKey.key and oauth.client_secret from all API responses; consider returning only boolean presence indicators for secrets (true/false flags showing whether a secret exists, similar to the auth-values route pattern); and if owners need to edit configs without re-entering secrets, preserve secrets server-side and return placeholders instead of plaintext values.
Source: NVD/CVE Database
Fix: This is patched in version 0.8.4-rc1.
Source: NVD/CVE Database
Fix: This vulnerability is patched in version 0.8.3-rc1.
Source: NVD/CVE Database
Fix: Update to OpenMed version 1.5.2 or later.
Source: NVD/CVE Database
Fix: Update Kiro IDE to version 0.11 or later.
Source: AWS Security Bulletins
CVE-2022-0492 is a privilege escalation (gaining unauthorized higher-level access to a system) vulnerability in the Linux Kernel that exploits a feature called cgroups v1 release_agent. This vulnerability is currently being actively exploited by attackers in the wild, making it a serious threat to systems running affected Linux versions.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Consult with specific vendors for information on patching status.
Source: CISA Known Exploited Vulnerabilities
Fix: Update CodexBar to version 0.32.0 or later. The fix is referenced in commit cdd7e347c1cf616615f18aa2ac52ba2ec9cab332 and release v0.32.0.
Source: NVD/CVE Database