4 posts tagged with "CVE"

Common Vulnerabilities and Exposures documentation

Cohere, OpenAI, and the broken sandbox problem

14 min read
Dhayabaran V
Barrack AI

Two sandboxes. Two AI labs. Seven months apart. Same class of failure.

On September 22, 2025, OpenAI published GHSA-w5fx-fh39-j5rw. Codex CLI versions 0.2.0 through 0.38.0 had a sandbox bypass: the cwd (current working directory) that the model suggested was being treated as the sandbox's writable root. If the model decided, whether through its own reasoning or through injected instructions, that it needed to work in /etc, the sandbox would dutifully mark /etc as writable. A write-restricting sandbox that lets the sandboxed party choose where it may write restricts nothing.
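The failure above is a policy-derivation bug, not a kernel escape, so it is easy to show in a few lines. The example below is added here and is not Codex CLI's code; it assumes a sandbox whose policy is a list of directories writes are allowed under, and an operator-chosen project root fixed before the model runs (both are assumptions, not details from the advisory). The vulnerable function takes the writable root from the model's suggestion; the hardened one keeps the writable root fixed and only lets the suggestion pick a starting directory inside it, after canonicalising away absolute paths, `..` and symlinks.

```python
"""Added example (not Codex CLI's code): deriving a sandbox's writable root
from a model-suggested cwd, the vulnerable way beside the hardened way.

Assumed sandbox model: a list of absolute directories writes are allowed
under, plus an operator-chosen project root fixed before the model runs.
"""
import os
import tempfile


def writable_roots_vulnerable(model_cwd: str) -> list:
    # Trusts the model: whatever directory it asks to work in becomes the
    # writable root. "/etc" in, "/etc" writable out.
    return [os.path.abspath(model_cwd)]


def writable_roots_hardened(project_root: str, model_cwd: str) -> list:
    root = os.path.realpath(project_root)
    # Resolve the suggestion relative to the operator's root, then
    # canonicalise so absolute paths, ".." and symlinks cannot escape it.
    # os.path.join discards `root` when model_cwd is absolute, which is
    # exactly why the containment check below is mandatory.
    candidate = os.path.realpath(os.path.join(root, model_cwd))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"model-suggested cwd {model_cwd!r} escapes {root}")
    # The writable root is always the operator's project root; the model's
    # suggestion only chooses where inside it the agent starts.
    return [root]


def is_write_allowed(roots: list, target: str) -> bool:
    t = os.path.realpath(target)
    return any(os.path.commonpath([r, t]) == r for r in roots)


def demo() -> dict:
    """Exercise both policies against a throwaway project directory
    (constructed for this example) and return the outcomes."""
    project = tempfile.mkdtemp(prefix="agent-project-")
    os.mkdir(os.path.join(project, "src"))
    # An attacker-planted symlink inside the project pointing at /etc.
    os.symlink("/etc", os.path.join(project, "escape"))

    results = {}
    results["vulnerable_etc"] = is_write_allowed(
        writable_roots_vulnerable("/etc"), "/etc/passwd")
    for suggestion in ("src", "/etc", "../../etc", "escape"):
        try:
            roots = writable_roots_hardened(project, suggestion)
            results[suggestion] = is_write_allowed(roots, "/etc/passwd")
        except PermissionError:
            results[suggestion] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>16}: {v}")
```

The check to internalise is the `commonpath` comparison on the *resolved* path: comparing raw strings, or resolving only one side, lets a symlink or a `..` segment through. The symlink case in `demo()` is why the check must run after `realpath`, not before.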

On April 14, 2026, GHSA-cmpr-pw8g-6q6c landed. Cohere Terrarium, a Python sandbox built to run LLM-generated code, was rated CVSS 9.3: root code execution on the host, from inside the sandbox, via JavaScript prototype chain traversal.

Then there's the other thing. CERT/CC had notified Cohere on February 19, 2026, and published VU#414811 on April 21. Sixty-one days, sixteen past CERT's standard 45-day disclosure window. On the live advisory today, Cohere's vendor status is still listed as "Unknown," and under "Vendor Statement" CERT writes: "We have not received a statement from the vendor." As far as I can find in public kb.cert.org listings, this is the first published CERT/CC advisory against a major AI lab where the vendor went that long without responding.

Langflow Got Hacked Twice Through the Same exec() Call. Your AI Stack Probably Has the Same Problem.

15 min read
Dhayabaran V
Barrack AI

Langflow fixed a critical RCE last year. Attackers just found the same unsandboxed exec() call on a different endpoint, and exploited it in 20 hours flat, with no public proof-of-concept code.

CVE-2026-33017 (CVSS 9.3, Critical) is an unauthenticated remote code execution vulnerability affecting all Langflow versions through 1.8.1, fixed in 1.9.0. Within 20 hours of the advisory going public on March 17, 2026, attackers built working exploits from the advisory text alone and began harvesting API keys for OpenAI, Anthropic, and AWS from compromised instances.

The important part for anyone running AI orchestration tools: the fix for the first vulnerability (CVE-2025-3248) was structurally incapable of preventing this one. That fix gated one endpoint behind authentication, while the endpoint exploited this time is designed to be unauthenticated, so no amount of per-endpoint auth hardening would have kept user-supplied code away from the same exec() call. This is a case study in why AI orchestration tools demand security review at the architecture level, not just the endpoint level.
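One concrete form of "architecture-level" review is to ask, for every route in the code base, whether it can reach exec()/eval() at all, transitively through helpers, and only then whether it is authenticated. The scanner below is an added example and is not Langflow's code; it assumes FastAPI-style routing (`@router.post(...)` decorators, `Depends(...)` for auth), the set of recognised auth dependency names is an assumption, and the source it analyses is a constructed sample with made-up paths. It builds a call graph with `ast`, propagates "reaches a dangerous builtin" to a fixpoint, and reports routes that reach exec() without an auth dependency, which is the pattern the two Langflow CVEs share.

```python
"""Added example (not Langflow's code): flag HTTP routes that can reach
exec()/eval() through any chain of helpers and carry no auth dependency.

Assumptions: FastAPI-style decorators (@router.<method>("<path>")) and
Depends(<callable>) for authentication; AUTH_DEPS lists the callables
this scan treats as authentication. Both are assumptions for the demo.
"""
import ast

# Constructed sample source. Paths and names are made up for the demo.
SAMPLE_SOURCE = '''
from fastapi import APIRouter, Depends

router = APIRouter()

def run_snippet(code: str):
    exec(code)  # unsandboxed, shared by both routes below

@router.post("/api/v1/validate/code")
async def validate_code(code: str, user=Depends(get_current_user)):
    return run_snippet(code)

@router.post("/api/v1/public/run")
async def public_run(code: str):
    return run_snippet(code)

@router.get("/health")
async def health():
    return {"ok": True}
'''

DANGEROUS = {"exec", "eval", "compile", "__import__"}
AUTH_DEPS = {"get_current_user", "get_current_active_user", "api_key_security"}
HTTP_METHODS = {"get", "post", "put", "delete", "patch"}


def _called_names(func):
    """Names of every callable invoked inside a function body (one hop)."""
    names = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Name):
                names.add(f.id)
            elif isinstance(f, ast.Attribute):
                names.add(f.attr)
    return names


def _route(func):
    """(METHOD, path) if the function is decorated as an HTTP route."""
    for dec in func.decorator_list:
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr in HTTP_METHODS
                and dec.args and isinstance(dec.args[0], ast.Constant)):
            return dec.func.attr.upper(), dec.args[0].value
    return None


def _has_auth_dependency(func):
    """True if any parameter default is Depends(<known auth callable>)."""
    defaults = list(func.args.defaults) + [d for d in func.args.kw_defaults if d]
    for d in defaults:
        if (isinstance(d, ast.Call) and isinstance(d.func, ast.Name)
                and d.func.id == "Depends" and d.args
                and isinstance(d.args[0], ast.Name) and d.args[0].id in AUTH_DEPS):
            return True
    return False


def audit(source: str) -> list:
    """Return one finding per route: does it reach exec(), is it authenticated."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
    calls = {name: _called_names(f) for name, f in funcs.items()}

    # Propagate "reaches a dangerous builtin" across the call graph to a
    # fixpoint, so helpers-of-helpers are covered and cycles terminate.
    reaches = {name: bool(calls[name] & DANGEROUS) for name in funcs}
    changed = True
    while changed:
        changed = False
        for name in funcs:
            if not reaches[name] and any(reaches.get(c, False) for c in calls[name]):
                reaches[name] = True
                changed = True

    findings = []
    for name, f in funcs.items():
        route = _route(f)
        if route is None:
            continue
        findings.append({"method": route[0], "path": route[1], "handler": name,
                         "authenticated": _has_auth_dependency(f),
                         "reaches_exec": reaches[name]})
    return findings


def unauthenticated_exec_routes(source: str) -> list:
    return [f["path"] for f in audit(source)
            if f["reaches_exec"] and not f["authenticated"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_SOURCE):
        print(f)
```

Run against the sample, the scan reports `/api/v1/validate/code` as reaching exec() but authenticated, `/api/v1/public/run` as reaching exec() unauthenticated, and `/health` as clean. The point is the first column, not the second: a route that reaches exec() is a finding whether or not it is authenticated today, because the next route wired to the same helper may not be.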

Your AI Copilot Is the Newest Attack Surface

15 min read
Dhayabaran V
Barrack AI

Four distinct security incidents in early 2026 prove that AI assistants have become viable, weaponizable attack vectors. Researchers demonstrated zero-click data exfiltration through Excel's Copilot Agent, full system compromise via Chrome's Gemini panel, session hijacking of Microsoft Copilot Personal, and 1Password vault takeover through Perplexity's agentic browser. Each exploits the same fundamental problem: AI agents inherit broad permissions and cannot reliably distinguish legitimate instructions from attacker-controlled content. The industry data confirms the gap: 83% of organizations plan to deploy agentic AI, but only 29% feel ready to secure it.

OpenClaw is a Security Nightmare — Here's the Safe Way to Run It

22 min read
Dhayabaran V
Barrack AI

OpenClaw, the open-source AI agent that rocketed to 179,000 GitHub stars and triggered a Mac mini shortage, is riddled with critical vulnerabilities that have already been exploited in the wild. A one-click remote code execution flaw, 341 malware-laden skills on its marketplace, over 42,000 exposed instances on the public internet, and a vibe-coded social network that leaked 1.5 million API tokens — this is not a theoretical risk. Security researchers, government agencies, and firms from Cisco to Kaspersky have called it one of the most dangerous consumer AI deployments ever released. Yet OpenClaw remains genuinely useful. The solution is not to avoid it entirely but to run it on an isolated cloud VM where its blast radius is contained. Here's every documented vulnerability, and the exact steps to deploy it safely.