Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-67mf-f936-ppxf | OpenClaw: scope misconfiguration enables unauthorized node pairing | openclaw | - |
| HIGH | CVE-2026-40113 | PraisonAI: arg injection injects env vars into Cloud Run | praisonai | 8.4 |
| MEDIUM | CVE-2026-35651 | OpenClaw: ANSI injection spoof AI agent approval prompts | openclaw | 4.3 |
| CRITICAL | GHSA-vc46-vw85-3wvm | PraisonAI: RCE via malicious workflow YAML execution | PraisonAI | 9.8 |
| HIGH | GHSA-g985-wjh9-qxxc | PraisonAI: untrusted tools.py import enables RCE | PraisonAI | 8.4 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| CRITICAL | CVE-2026-40157 | PraisonAI: path traversal allows arbitrary file write via recipe unpack | PraisonAI | - |
| HIGH | CVE-2026-40156 | PraisonAI: auto tools.py load enables local RCE | praisonai | 7.8 |
| MEDIUM | CVE-2026-40148 | PraisonAI: decompression bomb causes disk exhaustion | PraisonAI | 6.5 |
| CRITICAL | CVE-2026-40154 | PraisonAI: supply chain RCE via unverified template exec | PraisonAI | 9.3 |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | openclaw | 7.4 |
| MEDIUM | CVE-2026-40190 | langsmith: prototype pollution enables auth bypass, RCE | langsmith | 5.6 |
| HIGH | CVE-2026-1462 | Keras: safe_mode bypass allows RCE via model deserialization | keras | 8.8 |
| CRITICAL | CVE-2025-61260 | OpenAI Codex CLI: RCE via malicious MCP config files | @openai/codex | 9.8 |
| HIGH | CVE-2026-30617 | LangChain-ChatChat: RCE via unauthenticated MCP interface | 8.6 | |
| LOW | GHSA-r7w7-9xr2-qq2r | langchain-openai: SSRF DNS rebinding, blind network probe | langchain-openai | 3.1 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | flowise-components | 9.9 |
| CRITICAL | GHSA-9qhq-v63v-fv3j | PraisonAI: RCE via MCP command injection | praisonai | 9.8 |
| MEDIUM | CVE-2026-35603 | Claude Code: config hijack via unprotected ProgramData dir | @anthropic-ai/claude-code | - |