DJBSEC's CyberNews 2026-05-08

Today’s daily news covers the following categories: Vulnerability, Threat Intelligence, Nation-State/APT


Ollama Vulnerability Highlights Danger of AI Frameworks with Unrestricted Access

Vulnerability

A critical Ollama vulnerability, dubbed “Bleeding Llama,” shows how risky AI frameworks can become when they are exposed without authentication or access controls. The flaw, tracked as CVE-2026-7482, allows unauthenticated attackers to upload a specially crafted model file and trigger a memory leak from the Ollama process. That leaked memory could include prompts, system instructions, user messages, environment variables, API keys, tokens, proprietary code, and customer data. Researchers estimate that roughly 300,000 Ollama servers are exposed to the public internet, making this a serious enterprise risk. Organizations should update to Ollama 0.17.1, restrict access, place instances behind authentication, and rotate secrets if the server was ever internet-facing.


Claude Code Trust Prompt Can Trigger One-Click RCE

Vulnerability

Security researchers disclosed a proof-of-concept attack called “TrustFall” that can turn a simple trust prompt in Claude Code into remote code execution. The attack relies on a cloned repository containing project configuration files that silently enable an attacker-controlled MCP server. Once a developer approves the generic “trust this folder” prompt, the malicious server can run as an unsandboxed Node.js process with the user’s privileges. Researchers argue the warning is not explicit enough because users may not understand that trusting the folder can also approve executable MCP behavior. The bigger takeaway is that AI coding tools are becoming part of the software supply chain, and their project-level trust models need much stronger guardrails.


New Cisco Network Vulnerability Lets Remote Attackers Cause DoS

Vulnerability

Cisco disclosed a high-severity vulnerability affecting Cisco Crosswork Network Controller and Network Services Orchestrator. The flaw, tracked as CVE-2026-20188, allows an unauthenticated remote attacker to trigger a denial-of-service condition by flooding affected systems with connection requests. Because the vulnerable software does not properly rate-limit incoming connections, the attacker can exhaust available resources and make the platform unresponsive. Cisco says affected systems may require a manual reboot to recover, which raises the operational impact for network teams. There are no workarounds, so organizations running affected versions need to upgrade to fixed releases as soon as possible.


World’s First AI-Driven Cyberattack Couldn’t Breach OT Systems

Threat Intelligence

Dark Reading reported on what researchers describe as the first recorded truly AI-directed cyberattack campaign. The attackers used Claude Code heavily to build an exploitation framework and guide intrusions against Mexican government targets, resulting in stolen tax, property, and other government records. However, when the attackers tried to pivot from IT systems into operational technology at a Monterrey water and drainage utility, they hit a wall. The AI helped identify a possible industrial gateway and suggested credential attacks, but the attackers failed to gain OT access and left with only limited IT-side data. The story is important because it shows both the real threat of AI-assisted hacking and the continued value of strong OT segmentation and access controls.


Critical Redis Vulnerabilities Enable Remote Code Execution Attacks

Vulnerability

Redis disclosed five vulnerabilities affecting Redis Cloud, Redis Software, and open-source Redis editions. The flaws require authenticated access, but successful exploitation could allow remote code execution, system compromise, data theft, or service disruption. Several issues involve memory corruption conditions in Redis commands and modules, including RESTORE, RedisTimeSeries, RedisBloom, and Lua scripting paths. Redis Cloud deployments have already been patched, but self-managed Redis environments need to be upgraded to fixed versions. Administrators should also restrict network access, enforce strong authentication, keep protected mode enabled, and apply least-privilege permissions for dangerous commands.
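The hardening points in the summary above (protected mode, network exposure, authentication, least privilege on RESTORE and Lua scripting) can be checked against a self-managed instance's redis.conf. The audit script below is an added example, not Redis code or anything from the advisory; it assumes a standard redis.conf directive layout and the Redis ACL category names @dangerous (which includes RESTORE) and @scripting (EVAL/EVALSHA), and the sample configuration it audits is constructed.

```shell
#!/bin/sh
# Audit a redis.conf for the hardening points listed in the summary above:
# protected mode, network exposure, authentication, and least privilege on
# RESTORE and the Lua scripting commands (EVAL/EVALSHA). Prints one line
# per finding and returns the number of findings (0 = all checks passed).
audit_redis_conf() {
  conf="$1"
  findings=0
  # Drop comments so commented-out directives do not count as active.
  active=$(sed -e 's/#.*//' "$conf")
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*protected-mode[[:space:]]+yes'; then
    echo "FINDING: protected-mode is not 'yes'"; findings=$((findings + 1))
  fi
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*bind[[:space:]].*(0\.0\.0\.0|\*)'; then
    echo "FINDING: bind listens on all interfaces"; findings=$((findings + 1))
  fi
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*(requirepass|aclfile|user)[[:space:]]'; then
    echo "FINDING: no requirepass, aclfile or user directive (unauthenticated access)"; findings=$((findings + 1))
  fi
  # Each command is acceptable if it is disabled via rename-command, or removed
  # by an ACL rule either by name (-restore) or by category (-@dangerous covers
  # RESTORE, -@scripting covers EVAL/EVALSHA).
  for spec in RESTORE:dangerous EVAL:scripting EVALSHA:scripting; do
    cmd=${spec%%:*}; category=${spec##*:}
    lc=$(printf '%s' "$cmd" | tr 'A-Z' 'a-z')
    if ! printf '%s\n' "$active" | grep -Eiq "(rename-command[[:space:]]+$cmd[[:space:]]|-$lc([[:space:]]|\$)|-@$category([[:space:]]|\$))"; then
      echo "FINDING: $cmd is not restricted by rename-command or ACL"; findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Constructed sample (not from any real deployment): the kind of exposed,
# unauthenticated configuration the advisory mitigations target.
sample=$(mktemp)
cat > "$sample" <<'EOF'
protected-mode no
bind 0.0.0.0
port 6379
EOF
audit_redis_conf "$sample" || echo "$? finding(s) in constructed sample"
rm -f "$sample"
```

Run it against the real configuration with `audit_redis_conf /etc/redis/redis.conf` from a shell that has sourced the script; a zero return means every check passed.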


PAN-OS Firewall RCE Zero-Day Exploited in Attacks Since April 9

Nation-State/APT

Palo Alto Networks warned that suspected state-sponsored attackers have been exploiting a critical PAN-OS zero-day for nearly a month. The flaw, CVE-2026-0300, affects the PAN-OS User-ID Authentication Portal and can allow unauthenticated remote code execution with root privileges on exposed PA-Series and VM-Series firewalls. Unit 42 is tracking the activity as CL-STA-1132 and says attackers successfully exploited the flaw, injected shellcode, and then cleaned logs and crash artifacts to reduce detection. After compromise, attackers deployed tunneling tools such as Earthworm and ReverseSocks5 to support covert access and proxying. Until patches are available, organizations should restrict the User-ID Authentication Portal to trusted zones only or disable it if that is not possible.


Critical Ollama Memory Leak Vulnerability Exposes 300,000 Servers Globally

Vulnerability

A major Ollama flaw called “Bleeding Llama” could expose sensitive data from local AI infrastructure. The vulnerability allows unauthenticated attackers to abuse Ollama’s model creation process with a malicious GGUF file that causes an out-of-bounds heap read. Researchers say the attack can preserve leaked memory inside a newly created model and then exfiltrate it through Ollama’s push functionality. The leaked data may include user prompts, system prompts, environment variables, API keys, internal instructions, proprietary code, and customer content. Organizations should upgrade to Ollama 0.17.1, remove public exposure, add authentication, restrict access to trusted networks, and rotate secrets if the service was exposed.


Google Chrome 148 Released with Fix for 127 Security Vulnerabilities

Vulnerability

Google released Chrome 148 for Windows, Mac, and Linux with fixes for 127 security vulnerabilities. Three of the patched flaws are rated Critical, including an integer overflow in Blink and use-after-free issues in Mobile and Chromoting. The release also fixes multiple high-severity memory-safety bugs in components like V8 and ANGLE, which are especially concerning because they can be abused through malicious web pages. Google credited external researchers and automated security testing tools for many of the discoveries. Users and organizations should update Chrome immediately to version 148.0.7778.96 or 148.0.7778.96/97, depending on platform.


Mozilla Says AI Helped Squash 423 Firefox Security Bugs

Threat Intelligence

Mozilla says AI-assisted security work helped drive a major jump in Firefox bug fixes during April. The company fixed 423 Firefox security bugs that month, compared with 76 in March and an average of about 21.5 per month last year. Mozilla previously said Anthropic’s Mythos Preview model found 271 of those issues in Firefox 150, though the article notes that the tooling around the model may be just as important as the model itself. Some of the bugs included difficult-to-find sandbox escapes and a 20-year-old high-severity heap use-after-free issue. The story points to a growing trend: AI is not just helping attackers move faster; it is also becoming a serious tool for defenders and secure development teams.


13 New Critical Holes in JavaScript Sandbox Allow Execution of Arbitrary Code

Vulnerability

Researchers disclosed 13 critical vulnerabilities in the vm2 JavaScript sandbox package, which is used to run untrusted code inside Node.js environments. Some of the flaws can allow sandbox escape and arbitrary command execution on the host system. One major issue, CVE-2026-26956, can let attacker-controlled code running inside VM.run() obtain access to the host process and execute commands under certain Node.js conditions. Another serious issue, CVE-2026-44007, involves the NodeVM nesting option and may affect a broader set of deployments. Developers using vm2 should upgrade to version 3.11.2 and carefully review any application that accepts or executes user-supplied JavaScript.

