Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: ai-security (12 articles)Clear

Fake AI agent skill slips past every scanner to reach 26,000 agents

Security firm AIR showed how easily AI agent skills can be weaponized by building a benign-looking design skill, publishing it to marketplaces, and promoting it with an Instagram ad until it reached roughly 26,000 agents, including some on corporate accounts. Every skill-scanning tool they tested, including offerings from Cisco and Nvidia, marked it safe. The trick is that the skill itself stays clean but tells the agent to fetch instructions from an external page the attacker controls, which passes review while pointing at harmless content and can be swapped for a malicious install script later. Skills load into an agent with the same authority as a user's prompt.

Check
Inventory which AI agent skills your team has installed, especially any that instruct agents to fetch instructions or scripts from external URLs, and review what local access those agents have.
Affected
Teams using AI agents that install third-party skills, particularly skills that pull instructions from external sites; a one-time safety scan cannot catch content that changes after review.
Fix
Restrict agents to vetted skills from trusted sources, distrust skills that fetch external instructions, monitor agent access to privileged local resources, and never rely on a single scan to judge safety.

DifyTap flaws let attackers read other tenants' AI chats on Dify

Zafran Security disclosed four vulnerabilities, collectively named DifyTap, in Dify, a popular open-source platform for building AI agents and workflows. Two are critical, two need no authentication, and three allow cross-tenant access on Dify's multi-tenant cloud, meaning one customer could quietly read another's private AI conversations and model responses, a covert exfiltration channel. The flaws include an authorization bypass that exposes any application's trace data (CVE-2026-41947), a path traversal into the internal Plugin Daemon API (CVE-2026-41948), and a file-preview authorization bypass (CVE-2026-41949). Most were fixed in Dify 1.14.2, but the path-traversal flaw remains unpatched pending the next release.

Check
Determine whether your organization uses Dify, self-hosted or on its cloud, identify the running version, and review whether AI conversations or application data could have been accessed across tenant or user boundaries.
Affected
Dify deployments before version 1.14.2 (CVE-2026-41947, CVE-2026-41949) and all versions for the still-unpatched path traversal (CVE-2026-41948); multi-tenant and cloud setups face cross-tenant AI-chat exposure.
Fix
Update Dify to 1.14.2 or later now, watch for the forthcoming fix for the path-traversal flaw, restrict access to Dify's internal Plugin Daemon, and avoid putting sensitive data in shared multi-tenant instances.

Google Vertex AI SDK flaw let attackers hijack model uploads across tenants

Palo Alto's Unit 42 disclosed a flaw, nicknamed Pickle in the Middle, in Google Cloud's Vertex AI SDK for Python that let an attacker with no access to a victim's project hijack their machine-learning model uploads and run code across tenant boundaries. When a model was uploaded without a custom staging bucket, the SDK generated a predictable storage bucket name from the project ID and region and failed to verify ownership, so an attacker could pre-create that bucket, receive the victim's model, and swap in a malicious one that executes on deployment. Google fully fixed it in SDK version 1.148.0 in April; Unit 42 saw no exploitation in the wild.

Check
Check the google-cloud-aiplatform SDK version everywhere it runs, including notebooks, CI jobs, and training pipelines, and confirm whether model uploads relied on default, auto-generated staging buckets.
Affected
Google Cloud Vertex AI users on google-cloud-aiplatform SDK versions before 1.148.0 who uploaded models without specifying their own staging bucket; no CVE was assigned and no exploitation was observed.
Fix
Update the Vertex AI SDK to 1.148.0 or later so bucket-ownership checks are active, and always set an explicit staging bucket pointing to Cloud Storage you control when uploading models.

One-click Microsoft 365 Copilot flaw could silently steal emails and codes

Researchers at Varonis disclosed SearchLeak, a flaw chain in Microsoft 365 Copilot Enterprise Search that let a single click on a legitimate microsoft.com link silently pull a victim's emails, calendar, and indexed files, including security and MFA codes, with no password or further interaction. It worked by smuggling instructions into the search URL's query parameter, which Copilot obeyed as commands, then exfiltrating the data through a Bing image request that bypassed content protections. Because the link used a real Microsoft domain, anti-phishing filters were unlikely to flag it. Microsoft assigned CVE-2026-42824, rated it critical, and fixed it on its backend, so no customer action is required.

Check
No patching is needed since Microsoft fixed this server-side; instead review what data Microsoft 365 Copilot can access and whether broad permissions would amplify a similar AI-assistant flaw.
Affected
Microsoft 365 Copilot Enterprise Search users were exposed (CVE-2026-42824) before Microsoft's server-side fix; the broader risk is any AI assistant that mixes untrusted input with access to internal data.
Fix
No customer action is required, as Microsoft has remediated the flaw. To reduce future AI-assistant risk, tighten Copilot data permissions, apply least privilege to identities, and monitor assistant activity.

Instagram AI recovery flaw let attackers hijack 20,000 accounts

Meta has confirmed that attackers took over 20,225 Instagram accounts by abusing a flaw in its AI-assisted account recovery tool, called High Touch Support. A bug meant the system never checked that the email address someone supplied actually belonged to the account, so an attacker could request a password reset for any account and have the link sent to their own inbox, then walk in, unless the target had two-factor authentication on. High-profile accounts, reportedly including the Obama White House and US Space Force personnel, were hijacked and sold on the dark web. Meta has secured the accounts and is fixing the verification check before relaunching the tool.

Check
Confirm two-factor authentication is enabled on your Instagram and other Meta accounts, and review login activity and linked email addresses for unauthorized changes since mid-April.
Affected
Instagram accounts (about 20,225 confirmed), particularly high-value or verified accounts without two-factor authentication, that could be reset through the flawed High Touch Support recovery tool.
Fix
Turn on two-factor authentication, review and remove unrecognized linked emails and active sessions, and reset your password. Meta has secured affected accounts and is patching the recovery flow.

AI agent finds 21 FFmpeg zero-days, public exploit code released

A security startup's autonomous AI agent scanned FFmpeg, the open-source media library built into countless video and audio tools, and turned up 21 previously unknown bugs, each with working proof-of-concept code that crashes or corrupts memory when the software processes a malicious media file. Several flaws are 15 to 20 years old; one dates back to 2003. Nine already carry CVE numbers (CVE-2026-39210 through CVE-2026-39218), and the rest are fixed but not yet numbered. The whole run cost about $1,000. Because FFmpeg sits inside browsers, media servers, and apps everywhere, any product that decodes untrusted video could be at risk.

Check
Inventory software and services that bundle FFmpeg or libav, especially media servers and transcoding pipelines that decode untrusted, user-supplied video or audio files.
Affected
FFmpeg builds containing the affected parsers and demuxers (TS, VP9, DASH, and others). Nine flaws tracked as CVE-2026-39210 through CVE-2026-39218; remaining bugs fixed but unnumbered.
Fix
Apply upstream fixes by updating to the newest official FFmpeg build; distributions are shipping patches now. Rebuild any app that statically bundles FFmpeg against the fixed code.

AI-assisted audit finds 4-year Zcash flaw enabling unlimited counterfeit coins

A critical flaw in Zcash's Orchard privacy pool, the system that lets people send the ZEC cryptocurrency while hiding amounts and parties, could have let an attacker mint unlimited counterfeit coins without detection. Security researcher Taylor Hornby, hired by developer Shielded Labs to probe the code, found it on May 29 using Anthropic's Claude Opus 4.8 model paired with a custom auditing tool, and wrote a working exploit within a day. The bug had survived four years and multiple expert reviews. An emergency fix shipped by June 1. Because the pool hides balances, there is no way to prove whether anyone exploited it earlier.

Check
If you run a Zcash node, operate an exchange listing ZEC, or hold funds in the Orchard shielded pool, confirm your software version against the June 2026 emergency release.
Affected
Zcash Orchard shielded pool, active since May 2022. Node operators, exchanges, and wallets running pre-fix software exposed to undetectable double-spend and counterfeiting of ZEC.
Fix
Upgrade to the emergency-patched Zcash node release published by June 1, 2026, and follow Shielded Labs guidance on the proposed network upgrade adding supply-accounting checks.

Anthropic confirms public Mythos rollout in 'coming weeks' - claimed more powerful than Opus 4.8, guardrails developed during preview

Anthropic has confirmed it will roll out Claude Mythos-class models to the general public in the coming weeks. Mythos was originally announced in April as a restricted preview available only to select security researchers and partners; Anthropic cited significant security risks if released too broadly. The company now says it has developed sufficient guardrails. Anthropic frames the trade-off as compressing the attacker advantage: 'in the short term, this could be attackers, if frontier labs aren't careful... in the long term, defenders will more efficiently direct resources and use these models to fix bugs.' Pricing and tier availability are not yet disclosed.

Check
Update internal AI-tool governance policies to cover Mythos-class capability tier. Identify which teams (security research, code audit, IR) would benefit from access once it ships.
Affected
Organizations with patch SLAs measured in weeks. Mythos-class models may surface unpatched flaws at attacker-tool speed; defenders need to compress SLAs to keep pace.
Fix
Tighten patch cycles on internet-facing services. Enroll qualifying security researchers in Anthropic's Cyber Verification Program. Draft internal disclosure policy before broad enablement.

Anthropic preparing to roll Claude Mythos into Claude Code and Claude Security - 'claude-mythos-1-preview' toggle briefly appeared publicly

Anthropic appears to be preparing the public rollout of Claude Mythos - the restricted security-focused frontier model that uncovered 10,000 high or critical vulnerabilities in its first month under Project Glasswing. References to 'claude-mythos-1-preview' have briefly appeared in the public Claude Code and Claude Security products, with at least one user reportedly seeing a toggle to enable Mythos before it was pulled. Anthropic originally announced Mythos in early preview on April 7 and held back the public release pending guardrails, warning the model 'can automatically develop functional cyberattacks at a highly professional level.' Pricing and tier availability are not yet disclosed.

Check
If you use Claude Code or Claude Security, watch for the Mythos toggle to appear. Review your Claude Max/Pro/Team subscription tier and any organizational data-handling policies for AI-coding tools.
Affected
Any organization using Claude Code or Claude Security where users may surface critical-severity flaws in supplier or open-source code that have not yet been responsibly disclosed.
Fix
Define an internal disclosure policy for Mythos findings before enabling broadly. Coordinate with the Anthropic Cyber Verification Program. Pair Mythos usage with patch-cycle compression on internet-facing services.

Anthropic Project Glasswing reveals 1,094 confirmed high/critical flaws and WolfSSL CVE-2026-5194 (CVSS 9.1) in first month with Apple, AWS, Microsoft, Google partners

Anthropic has named the program behind its Claude Mythos Preview model 'Project Glasswing' and disclosed the first-month results. Working with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, the program flagged 6,202 high or critical vulnerability candidates across 1,000+ open-source projects; 1,726 were validated by human reviewers and 1,094 confirmed as genuine high or critical severity. A WolfSSL certificate-forgery flaw (CVE-2026-5194, CVSS 9.1) is the named-and-shamed example. 97 upstream patches and 88 security advisories have landed. Anthropic itself warns that finding flaws is far easier than fixing them.

Check
Audit your dependency manifest for WolfSSL across all projects and check the version (CVE-2026-5194 fix). Map your overall SBOM coverage of the 1,000+ open-source projects on Glasswing's scope.
Affected
Software relying on WolfSSL for certificate validation (IoT, network equipment, industrial systems). Broader: any defender whose patch SLAs are slower than AI-assisted vulnerability discovery rates.
Fix
Patch WolfSSL to the version fixing CVE-2026-5194. Compress patch SLAs on internet-facing services. Monitor Glasswing's public advisories for additional CVEs landing across the next 30-60 days.