Securityv0 — AI Execution Intelligence Monitor

Securityv0 — AI Execution Intelligence MonitorAnalysis of real AI agent and automation incidents through the execution path lens.https://securityv0.com/en-usSemantic Kernel CVEs: Unproven Execution by Defaulthttps://securityv0.com/intelligence/2026-05-10-semantic-kernel-default-tools-unproven-execution/https://securityv0.com/intelligence/2026-05-10-semantic-kernel-default-tools-unproven-execution/Microsoft disclosed two RCE flaws in Semantic Kernel where framework defaults exposed code-execution sinks to prompt-injected LLM agentsSun, 10 May 2026 00:00:00 GMTUnproven Executionsemantic-kernelmicrosoftllm-agentprompt-injectionunproven-executionasi05Azure SRE Agent: Any Tenant Could Watch Live Sessionshttps://securityv0.com/intelligence/2026-05-08-azure-sre-agent-cross-tenant-eavesdrop/https://securityv0.com/intelligence/2026-05-08-azure-sre-agent-cross-tenant-eavesdrop/CVE-2026-32173: a multi-tenant Entra ID misconfig let any Microsoft account subscribe to another customer's live Azure SRE Agent sessionFri, 08 May 2026 00:00:00 GMTSupply Chain Compromiseazureai-agentnhi-compromiseentra-idsignalrasi06OpenAI Codex: Hidden Branch Names, Stolen GitHub Tokenshttps://securityv0.com/intelligence/2026-05-04-openai-codex-branch-name-token-theft/https://securityv0.com/intelligence/2026-05-04-openai-codex-branch-name-token-theft/BeyondTrust disclosed an OpenAI Codex command injection that piped attacker-crafted branch names into git clone, exfiltrating GitHub OAuth tokensMon, 04 May 2026 00:00:00 GMTSupply Chain Compromiseopenaicodexai-coding-agentcommand-injectiongithub-oauthnhi-compromiseFlowise CSV Agent RCE: Unproven Execution Encorehttps://securityv0.com/intelligence/2026-05-03-flowise-csv-agent-rce/https://securityv0.com/intelligence/2026-05-03-flowise-csv-agent-rce/CVE-2026-41264 turns Flowise's CSV Agent into a remote Python interpreter — the same unproven_execution pattern Langflow shipped six weeks agoSun, 03 May 2026 00:00:00 GMTUnproven Executionflowisecsv-agentprompt-injectionunproven-executionasi05ai-workflowPromptMink: AI-Authored npm Commit Plants Backdoorhttps://securityv0.com/intelligence/2026-05-02-promptmink-ai-coauthored-npm-supply-chain/https://securityv0.com/intelligence/2026-05-02-promptmink-ai-coauthored-npm-supply-chain/A Claude Opus co-authored commit added a Layer-1 bait npm dependency that pulled a Famous Chollima credential-stealing payloadSat, 02 May 2026 00:00:00 GMTUnproven Executionnpmsupply-chainai-coding-agentdprkfamous-chollimatransitive-dependencyLightning PyPI Hit: Mini Shai-Hulud Reaches AI Traininghttps://securityv0.com/intelligence/2026-05-01-lightning-pypi-mini-shai-hulud/https://securityv0.com/intelligence/2026-05-01-lightning-pypi-mini-shai-hulud/Two malicious lightning PyPI releases on April 30 stole CI credentials and weaponized AI coding agent configs as a persistence vector for the campaignFri, 01 May 2026 00:00:00 GMTSupply Chain Compromisesupply-chainnhipypishai-huludai-trainingclaude-codePocketOS volumeDelete: Scope Drift via Blanket Tokenhttps://securityv0.com/intelligence/2026-04-30-pocketos-cursor-volumedelete-scope-drift/https://securityv0.com/intelligence/2026-04-30-pocketos-cursor-volumedelete-scope-drift/A Cursor agent running Claude Opus 4.6 wiped PocketOS's production database in nine seconds after foraging for a Railway token with no scope isolationThu, 30 Apr 2026 00:00:00 GMTScope Driftpocketoscursorscope-driftai-agentrailwayasi03prt-scan: pull_request_target as Unproven Executionhttps://securityv0.com/intelligence/2026-04-26-prt-scan-pull-request-target-campaign/https://securityv0.com/intelligence/2026-04-26-prt-scan-pull-request-target-campaign/Six waves of malicious PRs hijacked GitHub Actions runners whose pull_request_target workflows executed fork-supplied code with secret scopeSun, 26 Apr 2026 00:00:00 GMTUnproven Executionprt-scangithub-actionsunproven-executionsupply-chainci-cdasi05LMDeploy SSRF: The Inference NHI Was the Real Targethttps://securityv0.com/intelligence/2026-04-24-lmdeploy-ssrf-vlm-iam-exfil/https://securityv0.com/intelligence/2026-04-24-lmdeploy-ssrf-vlm-iam-exfil/A vision-language image loader in LMDeploy became an SSRF primitive, exposing GPU node IAM credentials 12 hours after CVE-2026-33626 disclosureFri, 24 Apr 2026 00:00:00 GMTSupply Chain Compromiselmdeploynhissrfvlmiamasi06MCP STDIO Defaults: Unproven Execution by Designhttps://securityv0.com/intelligence/2026-04-22-anthropic-mcp-stdio-design-flaw-rce/https://securityv0.com/intelligence/2026-04-22-anthropic-mcp-stdio-design-flaw-rce/A systemic design flaw in Anthropic's MCP SDKs lets STDIO-spawned servers execute arbitrary code in the host process the operator never authorizedWed, 22 Apr 2026 00:00:00 GMTUnproven Executionmcpanthropicunproven-executionsupply-chainllm-agentasi05Comment and Control: AI Agents Hijacked via PR Commentshttps://securityv0.com/intelligence/2026-04-22-comment-and-control-ai-agent-prompt-injection/https://securityv0.com/intelligence/2026-04-22-comment-and-control-ai-agent-prompt-injection/Three AI coding agents running in GitHub Actions can be hijacked via attacker-controlled PR and issue comments, leaking production secretsWed, 22 Apr 2026 00:00:00 GMTUnproven Executioncomment-and-controlprompt-injectiongithub-actionsclaude-codegemini-cligithub-copilotVercel Breach: The AI Agent's OAuth Token Was the Identityhttps://securityv0.com/intelligence/2026-04-20-vercel-context-ai-oauth-breach/https://securityv0.com/intelligence/2026-04-20-vercel-context-ai-oauth-breach/A Context.ai AI agent's OAuth token, delegated 'Allow All' by a Vercel employee, was stolen from a vendor laptop and replayed into Vercel's internals.Mon, 20 Apr 2026 00:00:00 GMTSupply Chain Compromisesupply-chainnhioauthai-agentvercelcontext-aiLiteLLM PyPI Attack: Every Hop Was a Machine Identityhttps://securityv0.com/intelligence/2026-03-25-litellm-pypi-supply-chain-attack/https://securityv0.com/intelligence/2026-03-25-litellm-pypi-supply-chain-attack/TeamPCP backdoored litellm on PyPI via a poisoned Trivy GitHub Action, stealing PyPI tokens and harvesting SSH keys, cloud creds, and K8s configs.Wed, 25 Mar 2026 00:00:00 GMTSupply Chain Compromisesupply-chainnhipypici-cdlitellmteampcpMeta's Internal AI Agent Posts Unsolicited Advice, Triggers Sev 1 Data Exposurehttps://securityv0.com/intelligence/2026-03-18-meta-rogue-agent-sev1-data-exposure/https://securityv0.com/intelligence/2026-03-18-meta-rogue-agent-sev1-data-exposure/An in-house AI agent at Meta autonomously published a recommendation on an internal forum, setting off a chain of events that exposed sensitive data to unauthorized employees for two hours.Wed, 18 Mar 2026 00:00:00 GMTScope Driftmetarogue-agentscope-driftdata-exposureagentic-aiinsider-riskCVE-2026-27966: Langflow's Hardcoded Python REPL Turns CSV Uploads Into RCEhttps://securityv0.com/intelligence/2026-03-09-langflow-csv-agent-rce-repl/https://securityv0.com/intelligence/2026-03-09-langflow-csv-agent-rce-repl/A hardcoded flag in Langflow's CSV Agent exposed a Python execution tool to prompt injection, granting attackers full server access.Mon, 09 Mar 2026 00:00:00 GMTUnproven Executionlangflowprompt-injectionrcepython-replagentic-execution