Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-42249 | Ollama: path traversal + unsigned update = silent RCE | ollama | 9.8 |
| UNKNOWN | CVE-2026-42231 | n8n: prototype pollution → RCE via Git node SSH | n8n | - |
| UNKNOWN | CVE-2026-42234 | n8n: Python sandbox escape enables container RCE | n8n | - |
| HIGH | CVE-2026-42449 | n8n-mcp: SSRF bypass via IPv6 leaks API keys | n8n-mcp | 8.5 |
| MEDIUM | CVE-2026-4502 | Langflow: path traversal enables arbitrary file write | langflow | 6.5 |
| HIGH | CVE-2026-6543 | Langflow: RCE exposes API keys and DB credentials | langflow | 8.8 |
| MEDIUM | CVE-2026-7669 | SGLang: deserialization in tokenizer loader enables RCE | sglang | 5.6 |
| HIGH | GHSA-wppj-c6mr-83jj | openclaw: TOCTOU sandbox escape via symlink swap | openclaw | - |
| MEDIUM | GHSA-55cf-xx38-4p9p | OpenClaw: .env injection redirects connector endpoints | openclaw | - |
| LOW | CVE-2026-7845 | Langchain-Chatchat: weak image hash allows integrity bypass | langchain-chatchat | 2.6 |
| LOW | CVE-2026-7846 | Langchain-Chatchat: TOCTOU race allows silent file overwrite | langchain-chatchat | 2.6 |
| HIGH | GHSA-r39h-4c2p-3jxp | OpenClaw: RCE via malicious repo setup-api.js | openclaw | 7.8 |
| HIGH | CVE-2026-42266 | JupyterLab: Extension allow-list bypass enables privesc | jupyterlab | 8.8 |
| MEDIUM | CVE-2026-43901 | wireshark-mcp: path traversal enables arbitrary file write via MCP | 6.8 | |
| HIGH | CVE-2026-33079 | mistune: ReDoS exposes Jupyter/AI services to DoS | mistune | 7.5 |
| HIGH | CVE-2026-44334 | praisonai: RCE via unpatched tool_override exec_module | praisonai | 8.4 |
| HIGH | CVE-2026-44244 | GitPython: git config injection enables hook RCE | GitPython | 7.8 |
| HIGH | CVE-2026-42557 | JupyterLab: one-click RCE via notebook HTML cell output | notebook | 8.8 |
| HIGH | GHSA-j7w6-vpvq-j3gm | diffusers: silent RCE via None.py trust_remote_code bypass | diffusers | 8.8 |
| CRITICAL | CVE-2025-14931 | smolagents: RCE via pickle deserialization in executor | smolagents | 10.0 |