Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
PraisonAI (a framework for building AI agents) versions 4.6.37 and earlier have a vulnerability where hidden metadata in webpages can trick AI agents into writing files to any location on a system. The bug happens because the `write_file` function skips path validation (checking whether a file path is safe) when the workspace parameter is `None`, which is the default in production environments.
Fix: Set a default workspace directory and validate that file paths stay within it. The fix involves: (1) replacing `None` workspace with the current working directory using `workspace = os.getcwd()`, and (2) checking that the absolute path stays within the workspace using `is_path_within_directory(abs_path, workspace)` before writing, returning an error if the path is outside the workspace.
GitHub Advisory DatabasePraisonAI's example A2A server (a type of agent-to-agent communication system) has a critical vulnerability where unauthenticated remote clients can execute arbitrary Python code. The vulnerability exists because the example exposes the server without authentication, binds it to all network interfaces (0.0.0.0), and registers a 'calculate' tool that uses Python's eval() function (which executes any code passed to it as a string). An attacker can send a specially crafted request that tricks the AI model into calling this unsafe tool, leading to RCE (remote code execution).
PraisonAI's `execute_code()` function has a critical sandbox escape vulnerability that allows attackers to execute arbitrary commands on the host system. The vulnerability exploits four gaps in security validation: the `__self__` attribute (which retrieves the real Python builtins module) is not blocked, the `vars()` function is not restricted, attribute-based function calls bypass checks, and string concatenation bypasses string constant filters. An attacker can use these gaps to access the `__import__` function and run OS commands, completely defeating the sandbox protection.
PraisonAI version 4.6.33 generates a Flask API server with authentication disabled by default when users run `praisonai deploy --type api`. The server exposes endpoints like `/chat` and `/agents` that accept unauthenticated requests and can execute user-supplied commands with access to API keys stored in the environment.
FastGPT, an AI Agent building platform, had a vulnerability in its JavaScript sandbox worker that failed to properly block dynamic imports (a way to load code at runtime). An attacker could bypass the security filter using a comment syntax (import/**/("child_process")) that the filter didn't recognize, allowing them to execute arbitrary commands inside the sandbox container.
FastGPT, an AI Agent building platform, had a Server-Side Request Forgery (SSRF) vulnerability (a flaw that lets attackers trick a server into making requests to internal systems it shouldn't access) in versions before 4.15.0-beta1. An authenticated attacker could bypass security protections and make unauthorized requests to internal network services by exploiting an incomplete fix in the dataset preview endpoint when using the externalFile data import type.
A sandbox escape vulnerability in nono (a sandboxing tool using Landlock/seccomp, which are Linux security features that restrict what programs can do) allows processes running inside the sandbox to break out by communicating with systemd D-Bus sockets (the inter-process communication system that manages user services). An AI agent or untrusted tool with bash access could exploit this to write files or run commands outside the sandbox with the user's permissions.
Langroid versions before 0.63.0 have a vulnerability where SQLChatAgent (a tool that lets an AI execute SQL queries) can be tricked through prompt injection (hiding malicious instructions in input data) into running dangerous SQL commands. If the database is configured with elevated privileges, an attacker can achieve RCE (remote code execution, where an attacker runs commands on a system they don't own) on the database server, potentially stealing or deleting data.
IBM Langflow OSS (open-source software) versions 1.0.0 through 1.9.0 has a vulnerability that allows a denial of service attack, which is when an attacker overwhelms a system with requests to make it unavailable. The problem is caused by uncontrolled resource consumption (the system fails to limit how much memory, CPU, or other resources a single request can use).
IBM Langflow OSS (open-source software) versions 1.0.0 through 1.9.1 has a vulnerability that could allow remote code execution (running malicious code on a system from a distance) because it doesn't properly validate symbolic links (shortcuts that point to files) when extracting archive files. This is a path traversal (CWE-22) weakness, meaning an attacker could potentially access or execute files outside the intended directory.
Network-AI v5.4.4 has a critical authentication bypass where the MCP server (a tool that lets AI models call external functions) defaults to an empty secret, causing all authentication checks to pass unconditionally. Additionally, the server allows requests from any origin (CORS wildcard), so an attacker can trick a user into visiting a malicious website that sends commands to their localhost Network-AI server without needing any password, potentially invoking dangerous tools like config_set and agent_spawn.
Twig (a PHP template engine) has a vulnerability where template names in `{% use %}` tags aren't properly escaped, allowing attackers to inject arbitrary PHP code that executes when the template cache loads. This bypasses Twig's security sandbox, giving attackers remote code execution (the ability to run commands on the server).
LiteLLM versions before 1.83.10 have a vulnerability where users can change their own role to proxy_admin (an administrative role) through the /user/update endpoint, giving them full control over the system including all users, teams, and API keys. Even users with org_admin privileges can exploit this flaw without needing to chain it with other attacks.
LiteLLM versions before 1.83.14 have a privilege escalation vulnerability (a security flaw that lets someone gain higher-level permissions than they should have) where authenticated internal users can create API keys (credentials for accessing the system) that grant access to admin-only routes without proper verification. This allows attackers to bypass role-based access controls (the system that restricts what different users can do) and gain full admin privileges.
Flowise has a security flaw in its `/api/v1/chatflows/apikey` endpoint that allows a user with a valid API key to view chatflow configurations (including system prompts, workflow graphs, and credential IDs) from other workspaces, as long as those chatflows don't have an API key assigned. The endpoint returns both the user's own chatflows and all unprotected chatflows across the entire system without filtering by workspace, breaking the isolation between workspaces.
Flowise has a mass assignment vulnerability in its PUT /api/v1/user endpoint that lets authenticated users directly change their password hash without verifying their old password. An attacker with a stolen session token can send a crafted request that overwrites the credential field, bypassing password verification, hashing enforcement, and policy validation, which gives them permanent access to the account.
A security flaw in n8n (a workflow automation tool) allowed authenticated users to bypass restrictions on which websites could receive sensitive credentials, potentially exposing them. The vulnerability was in an endpoint (a URL that accepts requests) that didn't properly check the intended security rules before sending data to external servers.
The `download_media` and `auth_fetch` tools in auth-fetch-mcp accept any URL without validation, allowing an attacker (via prompt injection or a malicious MCP client) to make the server fetch from private or internal services like cloud metadata endpoints or localhost, and then exfiltrate the response data. The `download_media` tool makes this worse by saving fetched content to disk where it can be read and stolen.
In n8n-mcp (a tool that bridges AI agents to n8n workflow automation) running in multi-tenant mode, requests missing tenant identification headers would fall back to using the operator's own n8n credentials, allowing an authenticated tenant to access or modify the operator's workflows and data instead of their own. This only affects shared multi-tenant deployments, not single-tenant setups.
Open WebUI, a self-hosted AI platform that runs offline, had a security flaw in versions before 0.9.5 where it only checked the first URL a user submitted but didn't check where that URL redirected to (HTTP redirects are automatic forwards to different addresses). This meant authenticated users could trick the system into accessing internal addresses like 127.0.0.1 or 169.254.169.254 (special private IP addresses) and read sensitive data from those internal systems.
Fix: Enable authentication by explicitly setting `APIConfig(auth_enabled=True, auth_token=...)` when deploying the API server.
GitHub Advisory DatabaseFix: This vulnerability is fixed in version 4.15.0-beta1.
NVD/CVE DatabaseFix: Update FastGPT to version 4.15.0-beta1 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: The source states: 'Support for restricting this behavior has since been added and the fix is available in the repository pending release.' However, no specific version number, patch details, or explicit mitigation steps are provided in the text.
GitHub Advisory DatabaseFix: Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist (a list of approved SQL operations) with a dialect-aware dangerous-pattern blocklist. Users can restore the previous unrestricted behavior by setting allow_dangerous_operations=True, but only for trusted deployments.
GitHub Advisory DatabaseFix: `Compiler::string()` now escapes single quotes in addition to the characters it previously escaped, preventing template names from breaking out of the surrounding PHP string context.
GitHub Advisory DatabaseFix: Update LiteLLM to version 1.83.10 or later.
NVD/CVE DatabaseFix: Update LiteLLM to version 1.83.14 or later.
NVD/CVE DatabaseFix: The issue has been fixed in n8n version 2.20.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should restrict n8n access to fully trusted users only and limit credential sharing to users who genuinely require access to those credentials, though these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: The source text describes the fix shape but does not provide an explicit implementation or version update: 'after URL parsing, resolve to IP, reject if private/loopback/link-local. Same defense as the well-known SSRF-guard pattern shipped by other MCP fetchers in the ecosystem (e.g., `Akitaroh/scraper-mcp` `src/security/url-guard.ts`).' However, no patched version, release number, or completed code fix is provided in the source.
GitHub Advisory DatabaseFix: Fixed in n8n-mcp 2.51.2. The fix rejects requests without proper tenant headers at the HTTP edge with a 400 error before processing, prevents the system from using fallback operator credentials when in multi-tenant mode, and blocks secondary leaks in health checks and other handlers. Upgrade via 'npx n8n-mcp@latest' (NPM) or 'docker pull ghcr.io/czlonkowski/n8n-mcp:latest' (Docker). Workarounds if upgrading immediately is not possible: disable multi-tenant mode and run separate instances per tenant, use a proxy to reject requests missing both tenant headers, or restrict the operator API key to minimum required permissions if your n8n supports scoping (Enterprise or compatible Community Edition builds).
GitHub Advisory DatabaseFix: This vulnerability is fixed in 0.9.5.
NVD/CVE Database