VulnWatch
Weekly digest · May 11, 2026

VulnWatch Weekly: Agentic RCE Surge & LiteLLM Exploitation

Critical RCEs plague agent platforms like FastGPT and PraisonAI. LiteLLM SQLi is actively exploited. Supply chain risks rise with PyTorch Lightning compromise.

Week in Review

The week of May 4-10, 2026, marked a significant escalation in threats targeting the AI orchestration layer, shifting focus from model weights to agent execution environments. The dominant theme is the prevalence of Remote Code Execution (RCE) vulnerabilities within agentic platforms, driven by insecure sandboxing and tool invocation logic. The single most urgent item is CVE-2026-42208 in LiteLLM, which is confirmed as actively exploited in the wild, posing an immediate risk to proxy deployments managing LLM credentials. Security teams must prioritize patching agent frameworks and auditing supply chain dependencies, as evidenced by the critical compromise of PyTorch Lightning packages.

Top Items of the Week

The following vulnerabilities represent the highest immediate risk to AI infrastructure. Prioritize remediation based on exploitability and exposure.

  1. CVE-2026-42208 (LiteLLM SQL Injection)

    • Severity: High (9.3) | Status: KNOWN EXPLOITED
    • Affected Component: LiteLLM Proxy Server
    • Impact: Allows attackers to read and modify proxy database data, leading to unauthorized access to managed LLM credentials and proxy configuration.
    • Action: Upgrade to the latest patched version immediately. Rotate all API keys stored within the proxy. Audit database logs for suspicious queries.
  2. CVE-2026-41512 (ai-scanner RCE)

    • Severity: Critical (9.9)
    • Affected Component: ai-scanner (NVIDIA garak wrapper)
    • Impact: Remote Code Execution via JavaScript injection in the Playwright service allows full server compromise during model safety scanning.
    • Action: Upgrade to version 1.4.1 or later. Isolate scanning services in ephemeral containers with no network egress.
  3. CVE-2026-42302 (FastGPT Agent Sandbox RCE)

    • Severity: Critical (9.8)
    • Affected Component: FastGPT Agent Sandbox
    • Impact: Unauthenticated RCE due to code-server initializing with --auth none on all interfaces, granting full control over the sandbox environment.
    • Action: Upgrade to version 4.14.13. Ensure sandbox services are not exposed to public networks and enforce authentication on all development tools.
  4. GHSA-w37p-236h-pfx3 (PyTorch Lightning Supply Chain)

    • Severity: Critical (Supply Chain)
    • Affected Component: PyTorch Lightning PyPI Package
    • Impact: Compromised package versions include malicious code consistent with credential harvesting mechanisms.
    • Action: Audit all requirements.txt and lockfiles for PyTorch Lightning versions. Rebuild artifacts from known good sources. Rotate credentials on affected build systems.
  5. GHSA-5c57-rqjx-35g2 (Cline Kanban WebSocket Hijacking)

    • Severity: Critical (9.6)
    • Affected Component: Cline CLI Kanban Server
    • Impact: Cross-Origin WebSocket Hijacking allows websites to leak workspace data, inject prompts, and execute remote code via the agent terminal.
    • Action: Update the cline CLI. Block WebSocket connections to localhost ports from untrusted browser contexts via browser policies.
  6. CVE-2026-33324 (SQLBot Prompt Injection)

    • Severity: Critical (9.4)
    • Affected Component: SQLBot Text-to-SQL Interface
    • Impact: Prompt injection allows attackers to manipulate the LLM into generating and executing arbitrary SQL statements against the backend database.
    • Action: Upgrade to version 1.7.1+. Implement strict output validation on generated SQL queries before execution.
  7. GHSA-x8qc-fggm-mpqg (Ollama GGUF Heap OOB)

    • Severity: High (9.1)
    • Affected Component: Ollama Model Loader
    • Impact: Heap out-of-bounds read during GGUF quantization can leak environment variables, API keys, and conversation data.
    • Action: Upgrade Ollama to version 0.17.1 or later. Validate model files before loading into production environments.
  8. GHSA-9whx-c884-c68q (Langflow Path Traversal)

    • Severity: Critical (9.6)
    • Affected Component: Langflow Knowledge Bases API
    • Impact: Authenticated attackers can delete arbitrary directories on the server filesystem via unsanitized knowledge base names.
    • Action: Upgrade Langflow. Restrict API access to trusted internal networks only.
  9. CVE-2026-42076 (Evolver Command Injection)

    • Severity: Critical (9.8)
    • Affected Component: Evolver Self-Evolving Engine
    • Impact: Command injection in _extractLLM() allows arbitrary shell command execution via unsanitized corpus parameters.
    • Action: Upgrade to version 1.69.3. Review all external inputs passed to shell execution functions.
  10. GHSA-cx4m-2p55-rw7j (Apache OpenNLP RCE)

    • Severity: Critical (9.8)
    • Affected Component: Apache OpenNLP ExtensionLoader
    • Impact: Arbitrary Class Instantiation via Model Manifest allows attackers to load and execute malicious classes.
    • Action: Upgrade to version 2.5.9 or 3.0.0-M3. Validate model archives before deployment.

The Agentic Explosion: RCE in Orchestration Layers

This week's vulnerability landscape underscores a critical trend: as organizations adopt agentic workflows, the attack surface expands from the model itself to the orchestration logic surrounding it. We observed a cluster of Critical severity RCE vulnerabilities in platforms designed to build and manage AI agents, including FastGPT, Evolver, and PraisonAI. These vulnerabilities often stem from a fundamental misunderstanding of trust boundaries within agent sandboxes.

For instance, FastGPT's agent-sandbox component (CVE-2026-42302) initialized code-server with authentication disabled (--auth none) and bound it to all network interfaces. This configuration effectively hands over the keys to the kingdom to any network actor who can reach the port. Similarly, Evolver (CVE-2026-42076) suffered from command injection via string concatenation in shell commands, a classic vulnerability type that has found new life in AI engineering pipelines where dynamic code generation is common. PraisonAI (CVE-2026-44336) exposed similar risks through its Model Context Protocol (MCP) server, where file-handling tools accepted unchecked paths.

The implication for security engineers is clear: agent orchestration layers must be treated with the same rigor as public-facing web applications. Sandboxes are not secure by default. The assumption that an agent running “locally” or within a “container” is safe is dangerous when network bindings and authentication flags are misconfigured. We recommend enforcing strict network segmentation for all agent execution environments and disabling any development tools (like code-server) in production configurations.
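A small audit helper, added here as an example and not FastGPT's or code-server's own code, that checks a code-server command line for the two conditions behind CVE-2026-42302: authentication disabled and a wildcard bind address. Flag names follow code-server's --auth and --bind-addr options; the loopback default assumed when --bind-addr is absent is an assumption.

```python
import ipaddress
from typing import List, Optional

# Added audit helper (not FastGPT's or code-server's code). The default bind
# assumed when --bind-addr is missing is an assumption about code-server.
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "*"}
ASSUMED_DEFAULT_BIND = "127.0.0.1:8080"

def flag_value(argv: List[str], name: str) -> Optional[str]:
    """Return the value of a flag given as '--flag value' or '--flag=value'."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None

def bind_host(bind_addr: str) -> str:
    """Host part of host:port, handling bracketed IPv6 literals like [::]:8080."""
    if bind_addr.startswith("["):
        return bind_addr[1:bind_addr.index("]")]
    return bind_addr.rsplit(":", 1)[0] if bind_addr.count(":") == 1 else bind_addr

def is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:      # other hostnames are not provably local
        return False

def audit_code_server(argv: List[str]) -> List[str]:
    """Return findings; an empty list means auth is on and the bind is loopback-only."""
    findings = []
    if flag_value(argv, "--auth") == "none":
        findings.append("authentication disabled (--auth none)")
    bind = flag_value(argv, "--bind-addr") or ASSUMED_DEFAULT_BIND
    host = bind_host(bind)
    if host in WILDCARD_HOSTS:
        findings.append(f"listening on all interfaces ({bind})")
    elif not is_loopback(host):
        findings.append(f"listening on a non-loopback address ({bind})")
    return findings
```

Feed it the argv of a running process (for example /proc/PID/cmdline split on NUL bytes) or the command array from a container spec.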

Model Supply Chain Integrity Under Fire

Supply chain security took a significant hit this week with the confirmation of a compromise in the PyTorch Lightning PyPI package (GHSA-w37p-236h-pfx3). Lightning AI identified malicious code in certain released versions consistent with credential harvesting. This incident highlights the fragility of the open-source AI ecosystem, where a single compromised dependency can cascade through thousands of downstream projects.

Additionally, we saw vulnerabilities in model loading mechanisms that could facilitate supply chain attacks. Ollama's heap out-of-bounds read (GHSA-x8qc-fggm-mpqg / CVE-2026-7482) in the GGUF model loader allows attackers to leak memory contents, including API keys, by uploading malicious model files. Keras (GHSA-mgx6-5cf9-rr43) is vulnerable to a Denial of Service via “shape bombs” in HDF5 weight files, where declared tensor shapes exceed actual file lengths, causing petabyte allocation attempts.

Diffusers also released patches for a trust_remote_code bypass (GHSA-j7w6-vpvq-j3gm / GHSA-98h9-4798-4q5v), allowing arbitrary code execution despite security flags. These issues collectively suggest that model artifacts themselves are becoming viable attack vectors. ML platform teams must implement integrity verification for all model weights and dependencies. Use lockfiles, verify checksums, and consider running model loading processes in isolated environments with restricted system calls.
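The "shape bomb" class above is cheap to catch before any allocation happens. The following pre-load check is an added example, not Keras's code: it takes the declared (name, shape, dtype) metadata that a loader would read from the HDF5 datasets, here constructed inline, and rejects manifests whose declared sizes cannot be backed by the file or by a memory budget.

```python
import math
from typing import Iterable, Sequence, Tuple

# Added pre-load check (not Keras's code). Item sizes are a fixed table so the
# example runs without numpy or h5py; a real loader would take them from the dtype.
ITEMSIZE = {"float16": 2, "bfloat16": 2, "float32": 4, "float64": 8,
            "int8": 1, "uint8": 1, "int32": 4, "int64": 8}
Tensor = Tuple[str, Sequence[int], str]

class ShapeBombError(ValueError):
    """Declared shapes cannot be backed by the file or the memory budget."""

def declared_bytes(shape: Sequence[int], dtype: str) -> int:
    if dtype not in ITEMSIZE:
        raise ShapeBombError(f"unknown dtype {dtype!r}")
    if any(type(d) is not int or d < 0 for d in shape):
        raise ShapeBombError(f"invalid shape {tuple(shape)}")
    return math.prod(shape) * ITEMSIZE[dtype]      # Python ints cannot overflow

def check_weight_manifest(tensors: Iterable[Tensor], file_size: int,
                          budget_bytes: int) -> int:
    """Validate every declared tensor before allocating; return total bytes.

    The per-tensor comparison against file_size assumes uncompressed storage
    (a compressed dataset may legitimately be smaller than it declares); the
    running budget check still bounds what a compressed bomb can allocate.
    """
    total = 0
    for name, shape, dtype in tensors:
        n = declared_bytes(shape, dtype)
        if n > file_size:
            raise ShapeBombError(f"{name}: declares {n} bytes, file has {file_size}")
        total += n
        if total > budget_bytes:
            raise ShapeBombError(f"{name}: cumulative {total} bytes over budget {budget_bytes}")
    return total

def manifest_is_safe(tensors: Iterable[Tensor], file_size: int, budget_bytes: int) -> bool:
    try:
        check_weight_manifest(tensors, file_size, budget_bytes)
        return True
    except ShapeBombError:
        return False

# Constructed sample manifests: a plausible small model and a shape bomb.
GOOD_MANIFEST = [("dense/kernel", (784, 128), "float32"), ("dense/bias", (128,), "float32")]
BOMB_MANIFEST = [("dense/kernel", (1 << 20, 1 << 20), "float32")]   # declares 4 TiB
```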

The Model Context Protocol (MCP) Security Gap

The Model Context Protocol (MCP) is rapidly becoming a standard for connecting AI assistants to external tools, but this week's data reveals it is also becoming a standard vector for attacks. Multiple MCP servers, including n8n-MCP, rmcp, and PraisonAI, shipped with severe security flaws.

n8n-MCP (CVE-2026-42449 / CVE-2026-44694) had SSRF vulnerabilities where IPv6 validation was missing, allowing attackers to bypass cloud metadata protections. The rmcp crate (GHSA-89vp-x53w-74fx) suffered from DNS rebinding vulnerabilities due to missing Host header validation, violating the MCP specification's own security guidance. PraisonAI's MCP server allowed path traversal via tool arguments.

The root cause across these entries is a lack of input validation on tool arguments and transport layer security. Because MCP servers often run with high privileges to access local files or APIs, compromising an MCP server often equates to compromising the host. Developers integrating MCP must validate all tool inputs, enforce strict allowlists for accessible resources, and ensure transport layers validate host headers to prevent rebinding attacks.
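Two of the checks just described, as an added example that is not n8n-MCP's or rmcp's code: a Host header allowlist against DNS rebinding, and an outbound-target check that treats IPv6 forms of internal addresses (unique-local ranges and IPv4-mapped addresses) the same as their IPv4 counterparts. ALLOWED_HOSTS assumes a loopback-only deployment, and the resolver is injected so the example runs offline with constructed answers.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

# Added example (not n8n-MCP's or rmcp's code); loopback-only deployment assumed.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

def split_host(hostport: str) -> str:
    """Host part of a Host header, handling bracketed IPv6 literals."""
    hostport = hostport.strip()
    if hostport.startswith("["):
        return hostport[1:hostport.index("]")]
    return hostport.split(":", 1)[0]

def host_header_ok(host_header: str) -> bool:
    """DNS-rebinding defence: accept only names this server is meant to answer to."""
    return split_host(host_header).lower() in ALLOWED_HOSTS

def is_internal(ip: str) -> bool:
    """True for loopback, private, link-local (169.254.0.0/16), unique-local
    (fc00::/7) and for IPv4-mapped IPv6 forms of any of those."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d -> a.b.c.d before classifying
    return not addr.is_global

def outbound_url_ok(url: str, resolve: Callable[[str], List[str]]) -> bool:
    """Validate a tool-supplied URL before an MCP tool fetches it."""
    parts = urlsplit(url)
    host = parts.hostname            # lowercased, brackets stripped, None if absent
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        targets = [str(ipaddress.ip_address(host))]   # IP literal, either family
    except ValueError:
        targets = resolve(host)                       # hostname: check every answer
    # Connect to one of the validated addresses afterwards, not to the name
    # again, or a second lookup can rebind to an internal address.
    return bool(targets) and not any(is_internal(t) for t in targets)
```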

Platform Privilege Escalation & Data Leakage

Beyond RCE, we observed a wave of authentication bypasses and data leakage issues in popular AI platforms like Open WebUI, Dify, and Langflow. Open WebUI was particularly affected, with multiple advisories covering Redis cache poisoning (GHSA-3x8w-4f7p-xxc2), knowledge base destruction (GHSA-7r82-qhg4-6wvj), and model routing bypasses (GHSA-9vvh-qmjx-p4q8). These vulnerabilities allow authenticated users to escalate privileges, access other tenants' data, or poison RAG contexts.

Dify (CVE-2026-41950) allowed authenticated users to read files uploaded by others within the same tenant by manipulating file UUIDs. Langflow (GHSA-9whx-c884-c68q) allowed directory deletion. These issues stem from insufficient multi-tenant isolation and access control checks on object identifiers. For CISOs, this reinforces the need for regular access control audits. Just because a user is authenticated does not mean they should have access to every object ID they can guess. Implement indirect reference maps and enforce ownership checks at the database query level.

Prompt Injection Evolving into SQLi

Prompt injection is no longer just about making the model say something rude; it is now a vector for database compromise. CVE-2026-33324 in SQLBot demonstrated how user-provided questions could be concatenated directly into LLM prompts, manipulating the model into generating arbitrary SQL statements that are then executed without validation. This is a classic indirect prompt injection leading to SQLi.

Coupled with the actively exploited LiteLLM SQL injection (CVE-2026-42208), the message is clear: never trust LLM output that interacts with sensitive systems. All SQL generated by an LLM must be parsed, validated against a schema, and executed with least-privilege database credentials. Read-only connections should be the default for any RAG or Text-to-SQL system.

What to Do This Week

  1. Patch LiteLLM Immediately: Given the active exploitation of CVE-2026-42208, this is your top priority. Rotate all proxy credentials.
  2. Audit Agent Sandboxes: Review configurations for FastGPT, Evolver, and PraisonAI. Ensure no development tools (code-server, debug ports) are exposed to networks.
  3. Verify Supply Chain: Scan your Python environments for compromised PyTorch Lightning versions. Validate checksums for all Ollama and Keras model files.
  4. Harden MCP Servers: If you run MCP servers, update to the latest versions and restrict network access to localhost or trusted internal subnets only.
  5. Review Access Controls: Audit Open WebUI and Dify instances for multi-tenant isolation. Ensure users cannot access objects belonging to other workspaces.

What to Watch Next Week

Expect further disclosures regarding MCP security as adoption grows. We anticipate more research into “confused deputy” attacks where AI agents are tricked into accessing resources they have permission for but shouldn't. Additionally, monitor supply chain channels for any fallout from the PyTorch Lightning incident, as attackers may pivot to similar high-value ML libraries. Security teams should prepare for increased scanning activity targeting unpatched agent orchestration platforms.
