Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-2cq5-mf3v-mx44 | openclaw: exec approval bypass via opaque multi-call binaries | openclaw | - |
| HIGH | GHSA-939r-rj45-g2rj | openclaw: untrusted plugin auto-enabled during onboarding | openclaw | - |
| MEDIUM | GHSA-f3h5-h452-vp3j | openclaw: insufficient authz allows agent config persistence | openclaw | - |
| HIGH | GHSA-82qx-6vj7-p8m2 | openclaw: trust bypass loads untrusted workspace plugins | openclaw | - |
| MEDIUM | GHSA-53vx-pmqw-863c | openclaw: Browser SSRF exposes internal services by default | openclaw | - |
| MEDIUM | GHSA-7wv4-cc7p-jhxc | openclaw: .env injection hijacks agent runtime config | openclaw | - |
| MEDIUM | GHSA-j6c7-3h5x-99g9 | openclaw: OS command injection via shell env-argv bypass | openclaw | - |
| MEDIUM | CVE-2026-6599 | Langflow: MCP config injection via X-Forwarded-For header | langflow | 6.3 |
| MEDIUM | CVE-2026-6608 | FastChat: control flow flaw corrupts arena comparison | fschat | 5.3 |
| MEDIUM | CVE-2026-39378 | nbconvert: path traversal exfiltrates files via HTML export | nbconvert | 6.5 |
| MEDIUM | CVE-2026-39377 | nbconvert: path traversal enables arbitrary file write | nbconvert | 6.5 |
| HIGH | CVE-2026-6859 | InstructLab: RCE via hardcoded trust_remote_code flag | instructlab | 8.8 |
| HIGH | CVE-2026-41486 | Ray: Parquet RCE via Arrow extension deserialization | ray | - |
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | @google/gemini-cli | 10.0 |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | - |
| MEDIUM | GHSA-h2vw-ph2c-jvwf | OpenClaw: env injection exposes MiniMax API key | openclaw | - |
| LOW | GHSA-c4qg-j8jg-42q5 | openclaw: SSRF in QQBot media upload bypasses validation | openclaw | - |
| MEDIUM | GHSA-mj59-h3q9-ghfh | openclaw: env var injection via MCP stdio config | openclaw | - |
| MEDIUM | GHSA-hxvm-xjvf-93f3 | openclaw: env namespace injection steers agent runtime | openclaw | - |
| CRITICAL | CVE-2026-42248 | Ollama: silent auto-update bypasses signature check on Windows | ollama | 9.8 |