AI Sec Watch

n8n-mcp versions before 2.50.1 had three security issues: unvalidated workflow IDs allowed attackers to bypass access controls and leak API keys, webhook URLs followed redirects to unintended hosts (SSRF, a type of attack where a server makes unwanted requests to other systems), and telemetry (usage data sent to developers) stored sensitive information like API keys without hiding it. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.3 and requires an authenticated attacker with access to the n8n API.

An authenticated SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests to internal services) vulnerability affects n8n-mcp's webhook and API client features. An attacker with access to the system can make the n8n-mcp host send HTTP requests to internal services or cloud credential endpoints that should be blocked, allowing them to steal credentials or enumerate internal systems.

Anthropic released Mythos, an AI model that can find thousands of previously unknown software vulnerabilities (flaws in code that haven't been patched yet), which sparked concern among banks, governments, and tech companies about a new wave of AI-enabled cyberattacks. However, cybersecurity experts say this vulnerability-finding capability already exists in older, publicly available AI models from Anthropic and OpenAI, and can be achieved through orchestration (coordinating multiple tools or models to work together on a task).

Langfuse, an open source platform for managing large language models, had a role-based access control flaw (a security issue where user permissions weren't properly enforced) in versions 3.68.0 through 3.166.9 that allowed low-privileged project members to redirect API requests to attacker-controlled servers, potentially exposing sensitive API keys. The vulnerability required the attacker to already have basic access to a project as a member.

This article discusses the chaotic leadership transition at OpenAI in 2024, when Sam Altman was removed as CEO under unclear circumstances involving video calls and informal communications between current and former leadership. The situation's complexity is now being revealed through an ongoing legal dispute between Elon Musk and Altman.

Claude in Chrome, Anthropic's browser extension, has a bug called ClaudeBleed that allows malicious extensions to hijack it and trick it into performing unauthorized actions like stealing files, sending emails, or stealing code from private repositories. The vulnerability exists because the extension trusts any script from its origin (claude.ai) without checking who is actually running it, breaking Chrome's normal security model. Anthropic released a partial fix in version 1.0.70 on May 6, but researchers found the vulnerability can still be exploited by switching the extension to privileged mode.

Major tech companies like Meta and Google are racing to develop AI agents (AI tools that can perform tasks for users rather than just answer questions), following the viral success of OpenClaw earlier this year. While AI agents promise major business benefits through increased user engagement and revenue opportunities, significant security and governance challenges remain unresolved, particularly the risk of agents "doing the wrong thing" rather than just saying the wrong thing.

Model Context Protocol (MCP, a plugin system that lets AI agents connect to external tools) has become a major security blind spot because organizations aren't scanning for or monitoring MCP risks, leaving them vulnerable to attacks that exploit supply chain vulnerabilities, exposed credentials, and malicious AI tool installations. The article highlights how attackers can compromise widely-trusted MCP packages (like the postmark-mcp npm package that exfiltrated emails from 300 organizations) and how developers often hardcode sensitive credentials into AI configurations, making MCP a vehicle for old attack types (like supply chain attacks and credential theft) to cause new damage.

Penetration tests (security checks where experts try to break into systems) show that AI and large language model (LLM, advanced AI systems trained on huge amounts of text) systems have significantly more high-risk security flaws than traditional software, with 32% of AI findings rated high-risk compared to 13% for legacy systems. LLM vulnerabilities are also fixed less often, with only 38% of high-risk issues resolved, and experts attribute this to AI systems being deployed quickly without mature security controls, newer attack surfaces like prompt injection (tricking an AI by hiding instructions in its input), and unclear responsibility for fixing problems across teams.