VulnWatch
Weekly digest · May 18, 2026

VulnWatch Weekly: MCP Security Crisis & Model Loading RCE Surge

This week exposes critical risks in Model Context Protocol implementations, unsafe model deserialization in PyTorch/Diffusers, and agentic RCE chains. Immediate patching required for SOCFortress, ART, and Open WebUI.

Week in Review

The week of May 11-17, 2026, marks a turning point in AI infrastructure security, characterized by a cascade of critical vulnerabilities in the emerging Model Context Protocol (MCP) ecosystem and foundational machine learning libraries. The dominant theme is the fragility of agentic architectures; as systems grant LLMs greater autonomy to interact with tools and files, the attack surface expands exponentially. The single most urgent item is CVE-2026-42869 in SOCFortress CoPilot, where a hardcoded JWT secret allows unauthenticated attackers to forge admin tokens and seize control of security operations centers. However, the broader implication is systemic: from insecure deserialization in the Adversarial Robustness Toolbox to path traversal in Langflow, the supply chain supporting AI development is under siege. While no items are currently flagged as known-exploited in the wild, the severity scores (multiple 10.0 and 9.8 CVSS) suggest that exploitation is trivial and likely imminent.

Top Items of the Week

The following vulnerabilities represent the highest immediate risk to AI platform integrity. Security teams should prioritize these patches above all else.

  1. CVE-2026-42869 (SOCFortress CoPilot)
    Severity: Critical (10.0)
    Component: Authentication Backend
    Impact: Hardcoded JWT signing secret allows full admin takeover.
    Action: Upgrade to version 0.1.57 immediately and rotate all JWT secrets.

  2. CVE-2026-31229 (Adversarial Robustness Toolbox)
    Severity: Critical (9.8)
    Component: Kubeflow Model Loading
    Impact: Insecure deserialization via torch.load() enables RCE.
    Action: Patch to version 1.20.1+ and enforce weights_only=True.

  3. CVE-2026-43992 (JunoClaw)
    Severity: Critical (9.8)
    Component: MCP Write Tools
    Impact: BIP-39 seed exposure in tool-call JSON logs.
    Action: Upgrade to 0.x.y-security-1 and audit logs for leaked mnemonics.

  4. GHSA-72w5-pf8h-xfp4 (DeepSeek TUI)
    Severity: Critical (9.6)
    Component: Task Create Tool
    Impact: Sub-agents inherit unrestricted shell access via prompt injection.
    Action: Disable allow_shell defaults and require explicit approval for sub-agents.

  5. CVE-2026-44827 (Diffusers)
    Severity: High (8.8)
    Component: Pipeline Loading
    Impact: Remote code execution via None.py custom pipeline bypass.
    Action: Upgrade to version 0.38.0 and audit Hugging Face Hub dependencies.

  6. CVE-2026-45401 (Open WebUI)
    Severity: High (8.5)
    Component: Retrieval Web Utils
    Impact: SSRF bypass via HTTP redirect to internal metadata services.
    Action: Patch to 0.9.5 and implement strict redirect validation.

  7. CVE-2026-44484 (PyTorch Lightning)
    Severity: Critical (9.3)
    Component: Credential Handling
    Impact: Credential harvesting mechanism introduced in version 2.6.2.
    Action: Downgrade or patch immediately; rotate all exposed credentials.

  8. CVE-2026-45033 (GitHub Copilot CLI)
    Severity: High (8.5)
    Component: Git Operations
    Impact: Arbitrary code execution via malicious bare git repository.
    Action: Update to 1.0.43 and scan project directories for untrusted repos.

  9. GHSA-vw82-7fv8-r6gp (Obot)
    Severity: Critical (9.6)
    Component: MCP Gateway
    Impact: Authorization bypass allows any user to access restricted MCP servers.
    Action: Patch gateway and review Access Control Rules for MCP IDs.

  10. CVE-2026-42048 (Langflow)
    Severity: Critical (9.6)
    Component: Knowledge Bases API
    Impact: Path traversal allows deletion of arbitrary server directories.
    Action: Upgrade to 1.9.0 and audit filesystem permissions.

The Model Context Protocol (MCP) Security Crisis

This week's data reveals a disturbing trend: the Model Context Protocol, designed to standardize how AI agents connect to external tools, has become a primary vector for compromise. We observed a cluster of vulnerabilities across multiple MCP implementations, including JunoClaw, Obot, PraisonAI, and the Wireshark MCP server. The core issue lies in the trust boundary between the LLM agent and the MCP server. In the case of JunoClaw (CVE-2026-43992), MCP write tools accepted cryptographic mnemonics as explicit parameters, embedding secrets directly into tool-call JSON that traversed telemetry surfaces. This is a fundamental design flaw that treats sensitive authentication data as transient tool arguments.

Similarly, Obot (GHSA-vw82-7fv8-r6gp) suffered from an authorization bypass where the MCP gateway endpoint /mcp-connect/{id} failed to enforce Access Control Rules. Any authenticated user with a server ID could connect to restricted servers, effectively bypassing tenant isolation. PraisonAI (GHSA-9mqq-jqxf-grvw) compounded this risk with path traversal vulnerabilities in its MCP file-handling tools, allowing attackers to inject Python .pth files for remote code execution. These incidents underscore that MCP servers often operate with excessive privileges and insufficient input validation. Security engineers must treat MCP servers as high-risk components, enforcing strict network segmentation and ensuring that tool arguments are sanitized before reaching the underlying implementation. The prevalence of these issues suggests that the MCP specification itself may need security extensions to mandate authentication and argument validation standards.

Unsafe Model Loading & Deserialization

The foundational libraries powering AI development continue to plague the ecosystem with insecure deserialization vulnerabilities. The Adversarial Robustness Toolbox (CVE-2026-31229) uses torch.load() without the weights_only=True parameter, allowing attackers to execute arbitrary code via malicious model weights. This is a recurring pattern we have seen for years, yet it persists in critical security tooling. Diffusers (CVE-2026-44827 and CVE-2026-44513) exhibited similar behavior, where the trust_remote_code safeguard was bypassed via string interpolation errors and alternative code paths. An attacker could publish a repository containing a file named None.py to trigger execution without user consent.
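As an added illustration (not code from ART, PyTorch, Diffusers, or the advisory), the following uses the standard-library pickle module to show what the weights_only=True loader enforces: a restricted Unpickler that refuses any global outside an allowlist, so a checkpoint that references a callable is rejected before any object is reconstructed. The allowlist and both sample checkpoints are constructed for this example; it runs without torch installed.

```python
import io
import os
import pickle
from collections import OrderedDict

# Constructed allowlist of (module, name) pairs the loader may reconstruct.
# A weights-only loader keeps this to tensor/container types; everything
# else is refused before it is even imported.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Refuse any global not on the allowlist, the core of weights_only=True."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def load_weights_only(data: bytes):
    """Deserialize a checkpoint blob under the restricted unpickler."""
    return WeightsOnlyUnpickler(io.BytesIO(data)).load()


def classify_checkpoint(data: bytes) -> str:
    """Return 'ok' if the blob loads under the allowlist, else 'refused'."""
    try:
        load_weights_only(data)
        return "ok"
    except pickle.UnpicklingError:
        return "refused"


# Constructed benign checkpoint: a state-dict-shaped OrderedDict of weights.
BENIGN_CHECKPOINT = pickle.dumps(OrderedDict([("weight", [0.1, 0.2])]))


class _CallsGlobal:
    # Constructed stand-in for a hostile checkpoint: on a plain pickle.load
    # the reduce tuple would call os.getcwd() (harmless here) in place of
    # whatever callable a malicious artifact references.
    def __reduce__(self):
        return (os.getcwd, ())


SUSPECT_CHECKPOINT = pickle.dumps(_CallsGlobal())
```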

PyTorch Lightning (CVE-2026-44484) introduced a credential harvesting mechanism in version 2.6.2, highlighting the risk of supply chain compromises in deep learning frameworks. Furthermore, BentoML (GHSA-78f9-r8mh-4xm2) allowed Dockerfile command injection via environment variable interpolation, enabling host-level code execution during containerization. These vulnerabilities share a common root: the assumption that model artifacts and configuration files from external sources (like Hugging Face) are benign. ML platform teams must enforce strict integrity verification on all model artifacts, utilize sandboxed environments for model loading, and disable dynamic code execution features unless absolutely necessary. The shift towards "model as code" requires the same security rigor applied to traditional software supply chains.

Agentic RCE & Prompt Injection Chains

As AI agents gain the ability to execute commands, the line between prompt injection and remote code execution blurs. DeepSeek TUI (GHSA-72w5-pf8h-xfp4 and GHSA-wx44-2q6h-j6p8) demonstrated this vividly: the task_create tool spawned sub-agents with allow_shell defaults set to true, and the run_tests tool auto-approved cargo test execution. An attacker could inject a prompt causing the agent to compile and run malicious code without user approval. GitHub Copilot CLI (CVE-2026-45033) faced a similar risk via git configuration exploitation, where a malicious bare repository could trigger arbitrary commands through core.fsmonitor.

JunoClaw (CVE-2026-43990 and CVE-2026-43991) further exposed the fragility of command safety checks, where substring-based blocklists were bypassed via adversarial argument constructions. These vulnerabilities illustrate that "auto-approve" features in agentic workflows are inherently dangerous. Security teams should audit all agent tools for shell access capabilities and enforce human-in-the-loop approval for any operation that modifies the filesystem or executes code. Prompt injection defenses must evolve beyond input filtering to include runtime monitoring of agent actions, ensuring that the intent of the tool call matches the actual execution context.

Platform Authentication & SSRF Fatigue

Open WebUI dominated the vulnerability landscape this week with a plethora of authentication and SSRF issues. CVE-2026-45401 and GHSA-rh5x-h6pp-cjj6 revealed that the validate_url() function only checked the initial URL, allowing attackers to bypass SSRF protections via HTTP redirects to internal metadata services. Additionally, multiple IDOR and authorization bypasses (GHSA-r472-mw7m-967f, GHSA-p4fx-23fq-jfg6) allowed users to access files, modify tools, and escalate privileges across workspace boundaries. Langflow (CVE-2026-42048) and MLflow (CVE-2026-2652) also suffered from authentication bypasses where specific API routes were left unprotected despite global auth settings.

This "SSRF fatigue" indicates that URL validation logic is often implemented inconsistently across different HTTP clients within the same application. Developers must ensure that redirect policies are strict and that allowlists are re-evaluated after every hop. For platforms like Open WebUI, the sheer volume of access control bugs suggests a need for a comprehensive security audit of the permission model. CISOs should consider these platforms high-risk for data leakage and enforce network policies that restrict outbound traffic from AI application servers to known external endpoints only.
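The redirect-aware validation described above, as an added example that is not Open WebUI's validate_url() or any project's code: redirects are followed manually and the destination host is re-checked against private, loopback and link-local ranges on every hop, so a public URL that answers with a 302 to the metadata service is blocked. The resolver table and the HTTP responses are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5

# Constructed resolver: hostname -> address it would resolve to. A real
# deployment resolves DNS and must check every address that comes back.
FAKE_DNS = {
    "docs.example.com": "93.184.216.34",
    "metadata.internal": "169.254.169.254",
}

# Constructed responses: the first URL is a public host that redirects to the
# cloud metadata service, the bypass pattern the advisory describes.
FAKE_RESPONSES = {
    "https://docs.example.com/report": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "https://docs.example.com/safe": (200, {}),
    "http://169.254.169.254/latest/meta-data/": (200, {}),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_is_public(url: str, resolve=FAKE_DNS.get) -> bool:
    """True only for http(s) URLs whose host resolves to a globally routable address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    target = resolve(parsed.hostname) or parsed.hostname  # literal IPs pass through
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # unresolvable name: fail closed
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast)


def fetch_checked(url: str, fetch=FAKE_RESPONSES.get) -> tuple:
    """Follow redirects by hand, re-validating the destination before each request."""
    for _ in range(MAX_HOPS):
        if not host_is_public(url):
            raise ValueError(f"blocked non-public destination: {url}")
        response = fetch(url)
        if response is None:
            raise ValueError(f"no response for {url}")
        status, headers = response
        if status not in REDIRECT_CODES:
            return url, status
        url = urljoin(url, headers["Location"])  # next hop is checked on the next pass
    raise ValueError("too many redirects")
```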

What to Do This Week

  1. Patch Critical Infrastructure: Prioritize updates for SOCFortress CoPilot, Adversarial Robustness Toolbox, and Open WebUI. These contain trivial-to-exploit authentication and RCE flaws.
  2. Audit MCP Configurations: Review all connected MCP servers. Disable any that are not strictly necessary and enforce authentication on MCP gateway endpoints.
  3. Harden Model Loading: Configure torch.load with weights_only=True across all pipelines. Block outbound traffic from model loading containers to prevent remote code fetching.
  4. Disable Auto-Approve: Revoke default shell access for AI agents. Require explicit user approval for any tool call that involves file system writes or command execution.
  5. Rotate Secrets: Given the credential harvesting risks in PyTorch Lightning and mnemonic leakage in JunoClaw, rotate API keys, database passwords, and wallet seeds associated with affected systems.
  6. Validate Redirects: Implement strict HTTP redirect policies in all retrieval components to prevent SSRF bypasses via 3xx responses.

What to Watch Next Week

Next week, we anticipate further disclosures related to the Model Context Protocol as security researchers deepen their analysis of the standard's reference implementations. Expect to see more vulnerabilities surrounding tool argument injection and cross-tenant data leakage in multi-tenant MCP registries. Additionally, monitor for supply chain attacks targeting AI dependency managers like Microsoft APM, as the ecosystem matures and becomes a more attractive target for persistent threat actors. The convergence of agentic workflows and traditional web vulnerabilities suggests that classic web security testing methodologies will remain highly effective in uncovering AI-specific risks.
