Ai-Infrastructure
DuneSlide: Zero-Click Prompt Injection Chains to Full RCE in Cursor IDE (CVE-2026-50548, CVE-2026-50549)
Two critical Cursor IDE flaws, dubbed DuneSlide, let a poisoned MCP response or web search result steer the agent's own sandbox into overwriting its enforcement binary — zero-click prompt injection to unsandboxed remote code execution, patched in Cursor 3.0.
GuardFall: Decades-Old Bash Quoting Tricks Defeat Safety Guards in 10 of 11 Open-Source AI Coding Agents
Adversa AI's GuardFall research shows that quote removal, $IFS spacing, command substitution, and other decades-old shell tricks bypass the command guards in opencode, Goose, Cline, Aider, and seven other open-source AI coding agents — turning a poisoned README into silent credential theft.
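Added illustration of the bypass class named above (not code from Adversa AI or from any of the agents listed): a toy deny-list guard that pattern-matches the raw command string, beside a default-deny guard that rejects shell metacharacters and allow-lists the command only after quote removal. The deny patterns, the allow-list and the sample commands are constructed for the example.

```python
"""String-matching command guards vs. bash quoting (added example, toy guard)."""
import re
import shlex

# Hypothetical deny list of the kind a string-matching guard might carry.
DENIED = [r"\brm\s+-rf\b", r"\bcurl\b", r"\bwget\b", r"\.ssh/"]

# Hypothetical allow-list for the hardened guard.
ALLOWED_CMDS = {"ls", "cat", "git", "pytest"}

# Characters that make bash expand, substitute, chain or escape before executing.
SHELL_META = re.compile(r"[$`|;&<>(){}\\]")


def naive_guard_allows(cmd: str) -> bool:
    """Regex deny list applied to the command string as the model wrote it."""
    return not any(re.search(p, cmd) for p in DENIED)


def hardened_guard_allows(cmd: str) -> bool:
    """Fail closed on any expansion metacharacter, then judge the command the
    shell would actually run: quote removal first (shlex follows POSIX rules),
    allow-list on argv[0], and the deny list re-run over the normalised argv."""
    if SHELL_META.search(cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: let the shell never see it
        return False
    if not argv or argv[0] not in ALLOWED_CMDS:
        return False
    normalised = " ".join(argv)
    return not any(re.search(p, normalised) for p in DENIED)


# Constructed sample commands: each evasion reads as something else to a regex
# but is the denied command once bash has done quote removal / expansion.
SAMPLES = [
    "rm -rf /tmp/x",                                        # literal, both guards block
    "r'm' -rf /tmp/x",                                      # quote removal
    "rm$IFS-rf$IFS/tmp/x",                                  # $IFS as whitespace
    "$(echo cu)rl http://169.254.169.254/latest/meta-data/",  # command substitution
    'c""url -s http://evil.example/',                       # empty-string splice
    'cat ~/".ssh"/id_rsa',                                  # quoted path segment
    "git status",                                           # benign
]


def evaluate(commands=SAMPLES):
    """Map each command to (naive_allows, hardened_allows)."""
    return {c: (naive_guard_allows(c), hardened_guard_allows(c)) for c in commands}


if __name__ == "__main__":
    for cmd, (naive, hard) in evaluate().items():
        print(f"{cmd!r:60} naive={'ALLOW' if naive else 'block':5} hardened={'ALLOW' if hard else 'block'}")
```

The point is the order of operations: judge the command after the same normalisation the shell applies, and refuse anything that would still be rewritten at execution time (`$`, backticks, `$(...)`), because no static pattern can predict what those expand to.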
SSRF to the Model, Model to the Cloud: The Inference Layer Is 2026's Softest Attack Surface
Model gateways and inference servers are repeating two decades of solved web-security mistakes — default-open binds, pickle RCE, pre-auth SQLi, and SSRF straight into cloud credentials. A field guide to the AI control plane's softest links and how to harden them before the next 36-hour exploitation window.
BadHost (CVE-2026-48710): A Forged Host Header Walks Past Auth in Every Starlette App
BadHost (CVE-2026-48710) is a Host-header authentication bypass in Starlette before 1.0.1. One malformed header makes request.url.path lie to your middleware — unlocking protected routes on FastAPI, vLLM, LiteLLM, and MCP servers without credentials.
Ollama CVE-2026-7482 'Bleeding Llama': Heap OOB Read in GGUF Loader Leaks Server Memory to Unauthenticated Attackers
A heap out-of-bounds read in Ollama's GGUF model loader (CVE-2026-7482, CVSS 9.1) lets unauthenticated attackers exfiltrate server process memory — including API keys, env vars, system prompts, and other users' conversations — from an estimated 300,000+ exposed instances.
LMDeploy CVE-2026-33626: SSRF in LLM Inference Server Exploited 12 Hours After Disclosure, Honeypot Sees AWS IMDS Theft
A 7.5-severity SSRF in Shanghai AI Lab's LMDeploy LLM serving toolkit was hit in the wild within 12h31m of the GitHub advisory. Sysdig's honeypot caught an attacker using the vision-language image loader to scrape AWS instance metadata, then pivot to internal Redis and MySQL.
LMDeploy SSRF (CVE-2026-33626) Weaponized in 12 Hours to Loot GPU IAM Credentials
A Server-Side Request Forgery in LMDeploy's vision-language image loader turned LLM inference nodes into SSRF primitives for cloud metadata theft — exploited 12 hours and 31 minutes after disclosure.
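Added example for the SSRF-to-metadata path described in the LMDeploy entries and in the inference-layer field guide above: a destination check for any "load an image from this URL" feature. It is illustrative code, not LMDeploy's or any other project's, and the hostnames in the fake resolver are constructed. The check refuses non-HTTP schemes, userinfo, known metadata hostnames, and any resolved address that is private, loopback, link-local (169.254.169.254 lives here) or IPv4-mapped to one of those.

```python
"""Destination validation for a URL image loader (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Well-known metadata hostnames; block by name so they never reach DNS.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def _is_public(ip) -> bool:
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str, resolver=None):
    """Every address the name resolves to (an attacker controls the zone, so
    one public and one internal record is a common trick). resolver is
    injectable so the check can run offline; default is socket.getaddrinfo."""
    resolver = resolver or socket.getaddrinfo
    try:
        infos = resolver(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_fetch_url(url: str, resolver=None):
    """Return (ok, reason). Fails closed on anything unexpected."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"
    host = p.hostname
    if not host:
        return False, "no host"
    if p.username or p.password:
        return False, "userinfo in URL"
    if host.lower() in METADATA_HOSTS:
        return False, "cloud metadata hostname"
    try:
        ips = [ipaddress.ip_address(host)]          # IP literal
    except ValueError:
        ips = resolve_all(host, resolver)           # name: resolve, do not string-match
        if not ips:
            return False, "unresolvable host"
    for ip in ips:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                     # ::ffff:169.254.169.254 -> 169.254.169.254
        if not _is_public(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"


# Constructed DNS data for offline use; rebind.example models a split answer.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],
}


def fake_resolver(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://internal.example/cat.png",
              "http://rebind.example/cat.png",
              "https://cdn.example/cat.png"):
        print(f"{u:55} -> {check_fetch_url(u, resolver=fake_resolver)}")
```

Two caveats a practitioner will want: the address validated here must be the address actually connected to (pin it in the HTTP client, and re-run the check on every redirect hop, or disable redirects), otherwise a DNS rebind or a 302 walks straight past it. And on AWS, requiring IMDSv2 (`HttpTokens=required`) turns the GET-only SSRF in the honeypot story into a dead end, because the token must be fetched with a PUT first.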
Self-Hosted and Unprotected: The AI Workflow Tool Security Crisis
Langflow, Flowise, n8n, ComfyUI — every major self-hosted AI workflow tool has shipped unauthenticated RCE vulnerabilities in 2026. This isn't a coincidence. It's a structural failure baked into how these tools were designed.
Over 1,000 Exposed ComfyUI Instances Hijacked for Cryptomining and Proxy Botnet
Active campaign targets unauthenticated ComfyUI deployments across cloud providers, enlisting them into Monero mining and a Hysteria V2 proxy botnet via malicious custom nodes.
Flowise AI Under Active Exploitation: CVSS 10.0 RCE via CustomMCP Node Hits 12,000+ Exposed Instances
Critical unauthenticated RCE in Flowise AI's CustomMCP node (CVE-2025-59528, CVSS 10.0) is under active exploitation. Over 12,000 instances are exposed. Patch to 3.0.6 immediately.
Langflow's 'Patched' Version Is Still Exploitable — CVE-2026-33017 Deadline Hits April 8
JFrog confirms Langflow 1.8.2 remains vulnerable to CVE-2026-33017 unauthenticated RCE despite being widely reported as fixed. CISA KEV deadline is April 8.