Threat Intelligence
Security Advisories
Structured defensive guides for AI-agent and automation infrastructure. Written by an InfoSec engineer for security teams who need clear, actionable intelligence — not vendor noise.

Keras Archive Extraction Path Traversal
CVE-2026-11816: CWD-relative path validation in Keras's archive extraction filters allows arbitrary file writes when the process CWD is / — the default in Docker, CI/CD runners, and Jupyter kernels. An independent ZIP filter crash silently disables all traversal protection on unpatched versions.

durabletask PyPI Supply Chain Compromise
TeamPCP published three malicious versions of Microsoft's Azure Durable Functions Python SDK to PyPI via a stolen API token. The import-time dropper delivers a multi-cloud credential stealer, self-propagating worm (AWS SSM + Kubernetes exec), and geotargeted disk wiper targeting Israeli and Iranian systems.

BadHost: Starlette Host-Header Auth Bypass
Starlette before 1.0.1 reconstructed request.url from the untrusted Host header, enabling middleware bypass in FastAPI apps, MCP servers, vLLM, LiteLLM, and AI agent backends. A crafted Host header allows unauthenticated access to protected endpoints across the AI agent stack.

Claw Chain Defensive Guide
Four chainable vulnerabilities in OpenClaw AI-agent servers — TOCTOU filesystem escapes, environment-variable disclosure, and MCP loopback privilege escalation. Includes a 24-hour response checklist and long-term agent governance framework.

MCP Toolchain Vulnerabilities
OX Security disclosed critical vulnerabilities across MCP server implementations affecting 150M+ downloads. CVE-2025-65719 enables RCE via crafted HTML in kubectl-mcp-server; attackers bypass local-only protections to invoke MCP functions under victim credentials.

JunoClaw Agentic AI Toolchain
Four vulnerabilities in JunoClaw's blockchain agent platform: BIP-39 wallet seeds serialized into LLM tool-call JSON (CVSS 9.8), shell command injection via metacharacter bypass, command-safety blocklist bypass, and SSRF through the WAVS bridge's unvalidated URL fetching.

Mini Shai-Hulud: TanStack npm Supply Chain Attack
TeamPCP chained three GitHub Actions vulnerabilities — a pull_request_target Pwn Request, Actions cache poisoning, and OIDC token extraction from runner memory — to publish 84 malicious @tanstack/* packages carrying valid SLSA Build Level 3 provenance attestations. The worm self-propagated to 169 total packages and confirmed compromise of two OpenAI employee devices.

AI-Developed Zero-Day: 2FA Bypass
Google Threat Intelligence Group confirmed the first zero-day exploit developed with AI assistance — a semantic logic flaw enabling 2FA bypass on a popular open-source web administration tool. Criminal actors planned mass exploitation before responsible disclosure disrupted the campaign.

LiteLLM Proxy SQL Injection
Pre-authentication SQL injection in LiteLLM Proxy's API key verification path enables unauthenticated database reads and credential theft from the AI gateway. A single exploit yields keys for every LLM provider the proxy manages — OpenAI, Anthropic, Azure, and more.

PraisonAI Authentication Bypass
Affected versions 2.5.6–4.6.34 shipped a legacy Flask API server with authentication hard-coded off. Unauthenticated attackers could enumerate all agent metadata and freely invoke workflows via GET /agents and POST /chat — no token required.

Semantic Kernel Prompt-to-RCE
Two CVSS 9.9 vulnerabilities in Microsoft Semantic Kernel convert prompt injection into host-level remote code execution and arbitrary file write. Includes upgrade paths, a 9-step defensive checklist, and long-term agent governance guidance.

Bleeding Llama in Ollama
Unauthenticated heap out-of-bounds read in Ollama's GGUF model parser leaks process memory — user prompts, system prompts, API keys, and environment variables — with no credentials required. Estimated to affect 300,000 servers globally.

Gemini CLI TrustIssues
GHSA-wpqr-6v78-jr5g: Gemini CLI's --yolo mode bypasses tool allowlists while processing untrusted GitHub issues, enabling prompt injection to escalate from a public issue to CI secret extraction and full repository write compromise. A single crafted issue is the only entry point required.

Cursor IDE Git Hook RCE
CVE-2026-26268: Cursor IDE's AI coding agent autonomously performs Git operations — including checkouts into attacker-embedded bare repositories — triggering malicious hooks on developer workstations. Asking the agent to explain a codebase is enough to achieve arbitrary code execution.

OpenClaw Feishu Auth Bypass
CVE-2026-44109: Fail-open authentication in two Feishu webhook validation paths lets unauthenticated traffic bypass signature verification and reach OpenClaw agent command dispatch — exposing shell execution, filesystem access, Docker, and browser automation to network-accessible attackers.

0DIN AI Scanner RCE
CVE-2026-41512: JavaScript injection in 0DIN AI Scanner's PlaywrightService lets any authenticated tenant member execute arbitrary Node.js code in the Rails container — reading SECRET_KEY_BASE, PostgreSQL credentials, OAuth secrets, and all tenant data. Default deployments are trivially exploitable without prior knowledge.

Spring AI VectorStore Injection
FilterExpression metadata filters in Spring AI were not properly escaped before conversion to vector store query languages, allowing user-controlled input to alter retrieval query semantics — bypassing tenant isolation and document-level authorization in RAG pipelines.

LMDeploy Vision-Language SSRF
Unvalidated image_url fetching in LMDeploy's vision-language handler exposes cloud metadata services, internal databases, and private network topology via SSRF. Exploited in the wild within 12 hours of advisory publication.