AI Security Dashboard
Curated vulnerabilities, advisories, and breaches affecting AI/ML systems.
Get the weekly digest
Top AI security stories every Monday. Free, no spam. Want it daily? See Daily Briefing.
CVE-2024-58351: Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig opti
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction AP...
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
### Summary All components based on `BaseFileComponent` are vulnerable to the following vulnerability: 1. Docling (`DoclingInlineComponent`) 2. Docling Serve (`DoclingRemoteComponent`) 3. Read File (`...
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
## Summary Insecure Direct Object Reference (IDOR) vulnerability in `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victi...
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
## Advisory / Disclosure # Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives **Target:** Jovancoding/Network-AI (npm `network-ai`), **latest v5.7.1** **S...
CVE-2026-12048: Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relati...
CVE-2026-12045: Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that th
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin us...
CVE-2026-54130: Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information ove
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-49257: mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and
mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 w...
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
Untrusted prompt input could reach the Gemini CLI @file parser, allowing read/exfiltration of arbitrary local files (@/etc/passwd, @~/.ssh/id_rsa, @../../secret). On Windows, unquoted cmd.exe metachar...
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery
# praisonai-platform: default JWT signing secret `dev-secret-change-me` **Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research **Target:** https://github.co...
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation
## Summary The `multiedit` tool in `src/praisonai/praisonai/tools/multiedit.py` allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected...
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
## Summary The published npm package `praisonai` exports a TypeScript `MCPServer` that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with: ```ts await server.start({ port:...
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
## Summary The published npm package `praisonai` ships a TypeScript `AgentOS` HTTP server that defaults to `host: "0.0.0.0"` and registers sensitive agent routes without any authentication or authori...
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
## Summary The `codeMode` tool in `src/praisonai-ts/src/tools/builtins/code-mode.ts` uses `new Function()` with a `with(sandbox)` pattern to execute LLM-generated code. The blocklist-based "sandbox"...
npm PraisonAI codeMode sandbox escape via Function constructor
## Summary The published npm package `praisonai` exports a TypeScript built-in tool named `codeMode`. The package describes this tool as executing code in a sandboxed environment, marks its capabilit...
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
# Unauthenticated PraisonAI UI MCP connect endpoint executes attacker-chosen local commands ## Summary PraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host...
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
# AgentOS remains unauthenticated after GHSA-pm96 patched version and allows remote agent invocation ## Summary PraisonAI's `AgentOS` FastAPI deployment surface remains unauthenticated in current ma...
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
# PraisonAI `AgentTeam.launch()` exposes unauthenticated remote agent invocation endpoints ## Summary PraisonAI's documented Python `AgentTeam.launch()` / `Agents.launch()` HTTP server starts extern...
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
# praisonai: Jobs API exposes agent-execution endpoints with no authentication **Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research **Target:** https://g...
praisonai: recipe serve auth middleware silently disables itself when no secret is set
# praisonai: `recipe serve` authentication middleware silently disables itself when no secret is set **Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research...
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
# Unauthenticated Remote Code Execution via Jobs API and Approval Bypass in PraisonAI ## Summary An unauthenticated attacker can execute arbitrary OS commands on any server running the PraisonAI J...
CVE-2026-48814: Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows un
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. T...
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
### Summary Unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaust...
CVE-2026-55743: The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised sec
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileg...
CVE-2026-48797: Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, th
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication...