- Популярные видео
- Авто
- Видео-блоги
- ДТП, аварии
- Для маленьких
- Еда, напитки
- Животные
- Закон и право
- Знаменитости
- Игры
- Искусство
- Комедии
- Красота, мода
- Кулинария, рецепты
- Люди
- Мото
- Музыка
- Мультфильмы
- Наука, технологии
- Новости
- Образование
- Политика
- Праздники
- Приколы
- Природа
- Происшествия
- Путешествия
- Развлечения
- Ржач
- Семья
- Сериалы
- Спорт
- Стиль жизни
- ТВ передачи
- Танцы
- Технологии
- Товары
- Ужасы
- Фильмы
- Шоу-бизнес
- Юмор
Flowise AI RCE + SimpleHelp CVSS 10: Patch These Now
Daily Tech Hack Global — public AI, technology, and cybersecurity news briefing for 2026-06-13.
Critical AI workflow, remote support, and cloud migration CVEs with practical defensive steps
Central thesis: This briefing focuses on authenticated-but-dangerous control planes: AI workflow builders, remote-support identity flows, and migration tooling can become high-impact paths when authorization or sandboxing fails.
Question answered: Which systems should security teams patch or audit first today?
Chapters:
00:00 Who is affected and what to do now
00:35 Flowise AI workflow remote code execution
01:25 SimpleHelp OIDC authentication bypass
02:15 Red Hat migration-planner cloud migration risks
03:10 Defensive checklist
Sources and confirmed facts:
1. Flowise AI workflow RCE patched in 3.1.2
Publisher/source: NVD
URL: https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2
Confirmed facts: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.
Why it matters: Authenticated users or API keys could submit JavaScript to a custom function route; NVD says common deployments could allow NodeVM sandbox escape and command execution on the server host.
2. SimpleHelp OIDC signature bypass can create technician sessions
Publisher/source: NVD
URL: https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/
Confirmed facts: SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
Why it matters: NVD rates this CVSS 10.0: forged identity tokens may be accepted without signature verification, potentially bypassing MFA and creating authenticated technician access.
3. Red Hat migration-planner S3 URL access-control flaw exposes OVA images
Publisher/source: NVD
URL: https://access.redhat.com/security/cve/CVE-2026-53470
Confirmed facts: A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
Why it matters: Authenticated attackers could bypass ownership checks and obtain presigned S3 URLs for other users OVA images, exposing long-lived agent JWTs and source configuration.
4. Red Hat migration-planner authorization flaw risks SaaS data destruction
Publisher/source: NVD
URL: https://access.redhat.com/security/cve/CVE-2026-53469
Confirmed facts: A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
Why it matters: NVD says an authenticated user could send a destructive request lacking proper authorization and filtering, affecting sources, agents, and assessments across the SaaS platform.
Analysis is clearly separated from confirmed source facts. No exploit code or attack instructions are included.
#AI #ArtificialIntelligence #Cybersecurity #TechNews #CloudSecurity #Developers #DailyTechHackGlobal
Видео Flowise AI RCE + SimpleHelp CVSS 10: Patch These Now канала dailytechhackglobal
Critical AI workflow, remote support, and cloud migration CVEs with practical defensive steps
Central thesis: This briefing focuses on authenticated-but-dangerous control planes: AI workflow builders, remote-support identity flows, and migration tooling can become high-impact paths when authorization or sandboxing fails.
Question answered: Which systems should security teams patch or audit first today?
Chapters:
00:00 Who is affected and what to do now
00:35 Flowise AI workflow remote code execution
01:25 SimpleHelp OIDC authentication bypass
02:15 Red Hat migration-planner cloud migration risks
03:10 Defensive checklist
Sources and confirmed facts:
1. Flowise AI workflow RCE patched in 3.1.2
Publisher/source: NVD
URL: https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2
Confirmed facts: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.
Why it matters: Authenticated users or API keys could submit JavaScript to a custom function route; NVD says common deployments could allow NodeVM sandbox escape and command execution on the server host.
2. SimpleHelp OIDC signature bypass can create technician sessions
Publisher/source: NVD
URL: https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/
Confirmed facts: SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
Why it matters: NVD rates this CVSS 10.0: forged identity tokens may be accepted without signature verification, potentially bypassing MFA and creating authenticated technician access.
3. Red Hat migration-planner S3 URL access-control flaw exposes OVA images
Publisher/source: NVD
URL: https://access.redhat.com/security/cve/CVE-2026-53470
Confirmed facts: A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
Why it matters: Authenticated attackers could bypass ownership checks and obtain presigned S3 URLs for other users OVA images, exposing long-lived agent JWTs and source configuration.
4. Red Hat migration-planner authorization flaw risks SaaS data destruction
Publisher/source: NVD
URL: https://access.redhat.com/security/cve/CVE-2026-53469
Confirmed facts: A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
Why it matters: NVD says an authenticated user could send a destructive request lacking proper authorization and filtering, affecting sources, agents, and assessments across the SaaS platform.
Analysis is clearly separated from confirmed source facts. No exploit code or attack instructions are included.
#AI #ArtificialIntelligence #Cybersecurity #TechNews #CloudSecurity #Developers #DailyTechHackGlobal
Видео Flowise AI RCE + SimpleHelp CVSS 10: Patch These Now канала dailytechhackglobal
Комментарии отсутствуют
Информация о видео
13 июня 2026 г. 17:05:38
00:03:36
Другие видео канала
AI Workflow RCE + CVSS 10 Remote Support: Critical Security Briefing
SimpleHelp Critical Patch Alert #Shorts
AI Is Changing Cybersecurity: Project Glasswing, SOC Reality Check, and Faster Attacks
Critical CVE Briefing: Splunk File Operations, Red Hat Token Exposure, VS Code Privilege Risk
Red Hat Migration-Planner CVEs: Token Exposure and Control-Plane Risk
CVE-2026-48558 SimpleHelp: Critical Security Briefing
AI Security Is Entering a New Era: Vulnerability Discovery, SOC Reality, and Faster Attacks
CVE-2026-53470 Control-Plane Risk #Shorts
Fake CAPTCHA Scam Warning: One Click Can Steal Your Logins
AI Phishing and Voice Cloning Scam Warning #Shorts
Flowise AI RCE + SimpleHelp CVSS 10: Patch These Now
AI Agents Are Now a Supply-Chain Target — What Defenders Must Change
Flowise AI RCE + SimpleHelp CVSS 10: Critical Security Briefing
AI Agents Are Now a Supply-Chain Target — What Defenders Must Change
AI Agents Meet Package Malware #Shorts
Critical Cloud Tool CVEs: Splunk, Red Hat Migration, and Setup Hijack Risks
AI Voice Scam Warning: Verify Before You Pay
AI Voice Scam Warning #Shorts
AI Agents, Secret Scanning & Private Cloud: Tech News Today
Splunk, Red Hat & VS Code Critical CVEs #Shorts
