AI & LLM Vulnerabilities

A vulnerability in the python-utcp library exposed all environment variables (including secrets like API keys and database passwords) to subprocesses because the `_prepare_environment()` function copied the entire host environment. When combined with a command injection flaw (CWE-78, where an attacker can sneak malicious commands into tool arguments), an attacker could steal sensitive credentials like AWS keys, database connection strings, and LLM API keys in a single tool call.

Any authenticated user can permanently delete files owned by other users in Open WebUI when those files are referenced in shared chats, because the authorization check (the code that verifies whether a user should be allowed to perform an action) ignores both the user's identity and the type of operation being requested. File IDs can be discovered by users with read access to knowledge bases (repositories of documents), making this vulnerability practical to exploit.

Open WebUI has a security flaw where authenticated users can access and modify other users' private files by exploiting two endpoints that don't properly check file ownership. In the first case, attackers can inject victim file IDs into their own folders to make the AI read private documents as context. In the second case, attackers can attach victim files to their own knowledge bases (collections of documents used for RAG, retrieval-augmented generation) to read and overwrite those files entirely.

FlowiseAI's OpenAI Assistants Vector Store endpoints lack permission checks, allowing any authenticated user to create, modify, delete, or upload files to vector stores regardless of their assigned role. This missing authorization (CWE-306, a security weakness where critical functions don't verify user permissions) has a severity score of about 8.1, meaning attackers with basic access could steal or destroy data.

FlowiseAI has a vulnerability where encrypted credential data (like API keys and passwords) is accidentally exposed when users request credentials using a filter parameter. The code correctly hides this sensitive data when no filter is used, but fails to remove it when filtering by credential name, allowing authenticated users to steal encrypted credentials if they also access the encryption key file stored on the system.

OpenAI discovered that two employee devices were compromised by malware hidden in a TanStack npm package (a JavaScript library downloaded from an online repository) as part of a broader supply chain attack called Mini Shai-Hulud. The attackers gained limited access to internal source code repositories and exfiltrated some credentials, but OpenAI found no evidence that customer data, production systems, or intellectual property were compromised. OpenAI responded by isolating affected systems, revoking credentials, rotating code-signing certificates (the digital signatures that verify software is authentic), and working with platform providers to prevent misuse of the compromised certificates.

A vulnerability (CVE-2026-7178) was found in ChatGPTNextWeb NextChat up to version 2.16.1 that allows server-side request forgery (SSRF, where an attacker tricks a server into making unwanted requests to other systems) through the storeUrl function in the Artifacts Endpoint. The flaw can be exploited remotely, and the attack code has been made public, though the project developers have not yet responded to the early notification.

Flowise, a tool for building customized AI workflows with a drag-and-drop interface, had a security flaw in versions before 3.1.0 where a speech-generation endpoint didn't require authentication (authorization bypass, where access controls are bypassed by attackers) and could decrypt stored API keys when given a credential ID. This allowed attackers to retrieve sensitive credentials like OpenAI API keys without proper permission checks.

Flowise has a text-to-speech endpoint that doesn't require authentication but accepts a credential ID (an identifier for stored API keys like OpenAI or ElevenLabs) directly from user input. An attacker can use this to access someone else's stored API credentials and generate speech using the victim's API account, burning their API credits without permission.

A Paperclip-managed `codex_local` runtime (a local code execution environment) could access and use a Gmail connector that was only connected in the ChatGPT/OpenAI apps UI, not explicitly set up in Paperclip itself. This trust-boundary failure (a security gap between two systems that should be isolated) allowed the runtime to read emails and send real emails from the user's Gmail account without permission. The vulnerability was made worse because `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, meaning approval checks and execution restrictions are disabled by default.

A vulnerability in OpenAI Codex CLI v0.23.0 and earlier allows attackers to execute arbitrary code by creating malicious configuration files (.env and .codex/config.toml) in a repository. When a user runs the codex command in a compromised repository, the tool automatically loads these files without asking for permission, triggering the attacker's embedded commands.

OpenAI discovered that Axios, a third-party developer library (a pre-written code package used to build software), was compromised in a software supply chain attack (where attackers infiltrate widely-used tools to affect many companies at once) on March 31, 2026, and their macOS app-signing process briefly used a malicious version. OpenAI found no evidence that user data or systems were compromised, but is revoking and updating their security certificates (digital credentials that verify software is authentic) and requiring all macOS users to update their OpenAI apps to prevent the risk of fake apps appearing legitimate. As of May 8, 2026, older versions of ChatGPT Desktop (before 1.2026.051), Codex App (before 26.406.40811), Codex CLI (before 0.119.0), and Atlas (before 1.2026.84.2) will no longer receive updates and may stop working.

PraisonAI versions before 4.5.128 have a security flaw in their /media-stream WebSocket endpoint (a connection protocol for real-time communication) that allows anyone to connect without proving who they are or validating they're authorized. When attackers connect, the server automatically opens a session to OpenAI's API using its own credentials, and since there are no limits on how many connections or messages are allowed, an attacker can drain the server's resources and use up the victim's OpenAI API credits.

A prompt injection vulnerability (a technique where attackers hide malicious instructions in their input to trick an AI) exists in the 1millionbot Millie chatbot, allowing users to bypass safety restrictions using Boolean logic tricks (phrasing questions to trigger 'true' responses that activate hidden commands). This could let attackers extract sensitive information, misuse the service, or access restricted features that the chatbot was designed to block.