AI Tools Are the New CVE Target. What the 2026 Advisories Show, and Catching the Weak-Secret Class with Benteng.

Pull the critical advisories from the GitHub Advisory Database this year and a pattern jumps out. Alongside the usual routers and CMS plugins, a whole cluster of the highest-severity entries are self-hosted AI and LLM tools. These are the frameworks people run to wire agents to their own data, and they are shipping fast enough that the security basics, authentication and safe deserialization, have not caught up.
The 2026 AI-infra cluster
- Langflow OSS, three criticals at once. Remote code execution for anyone who can reach its Redis (CVE-2026-7871, CVSS 9.8, unsafe deserialization). Unauthenticated access to protected MCP endpoints (CVE-2026-7663, 9.1). And a weak random generator that discloses every stored credential (CVE-2026-7874, 9.1).
- Flowise, a weak hardcoded default secret that signs sessions, so tokens are forgeable (CVE-2026-56278, 9.1, CWE-798).
- txtai, a /reindex API that executes an attacker-supplied function body, straight code execution on the host (CVE-2026-58449, 9.8, CWE-94).
- Crawl4AI, arbitrary JavaScript execution through its Docker API surface (CVE-2026-56264, 8.1).
The shapes repeat: no auth on an endpoint that runs code, a datastore left reachable, a default secret nobody changed, a request body handed to an interpreter. This is the OWASP LLM Top 10 in the wild, LLM03 supply chain and LLM06 excessive agency, landing as real CVEs.
Using our own tool on it, and finding a gap
We build Benteng, a defensive security hub, so we pointed its secret scanner at the Flowise class, a signing secret with a weak hardcoded default. The vulnerable shape is familiar:
const JWT_AUTH_TOKEN_SECRET = process.env.JWT_AUTH_TOKEN_SECRET || "flowise";
The scanner flagged the obvious leaked keys in the file, but it walked right past the actual bug, the || "flowise" fallback. That default is the whole vulnerability: if the environment variable is unset, every token is signed with a public word, and anyone can forge an admin session. Our tool missed it. So we fixed the tool first.
We added two checks: a hard fail when a secret is assigned a known-weak literal (changeme, secret, admin, default), and a warning when a secret falls back to a short hardcoded string. Now the detection is honest:
BEFORE (vulnerable)
FAIL hardcoded weak/default secret (CWE-798)
WARN secret falls back to a short hardcoded default
AFTER (fixed: read from env, require length, no fallback)
PASS no known key formats or hardcoded credentials found
The fix in the code is small and the same one Flowise shipped: take the secret from the environment only, require a real length, and fail closed if it is missing.
const s = process.env.JWT_AUTH_TOKEN_SECRET;
if (!s || s.length < 32) throw new Error("set a strong 32+ char secret");
Benteng's Secret scanner tab now catches that class, and the JWT inspector shows why a forgeable HMAC token is a problem in the first place.
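As an added example (not Benteng's code), the two checks described above and the fail-closed loader from the fix, written as a small Node script over constructed source lines. The secret-name pattern, the 32-character minimum and the weak-literal list (the four words named above) are assumptions; a real scanner would carry a longer list.

```javascript
// Added example, not Benteng's scanner. Two static checks over source text:
//   FAIL  a secret-named variable is assigned a known weak literal (CWE-798)
//   WARN  a secret-named variable falls back from process.env to a short literal
// plus requireSecret(), the fail-closed runtime loader from the fix above.

const WEAK_LITERALS = new Set(["changeme", "secret", "admin", "default"]); // assumed subset
const MIN_SECRET_LEN = 32;                                                 // matches the fix
const SECRET_NAME = /(secret|token|passw(or)?d|api[_-]?key|private[_-]?key)/i;

// `const NAME = "literal";`  (const/let/var optional, so reassignment matches too)
const DIRECT = /^\s*(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=\s*(["'`])([^"'`]*)\2\s*;?\s*$/;
// `process.env.NAME || "literal"`  or  `process.env.NAME ?? "literal"`
const FALLBACK = /process\.env\.([A-Za-z_]\w*)\s*(?:\|\||\?\?)\s*(["'`])([^"'`]*)\2/;

function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const n = i + 1;
    const fb = FALLBACK.exec(line);
    if (fb && SECRET_NAME.test(fb[1])) {
      const lit = fb[3];
      if (WEAK_LITERALS.has(lit.toLowerCase())) {
        findings.push({ line: n, level: "FAIL", rule: "hardcoded weak/default secret (CWE-798)" });
      }
      if (lit.length < MIN_SECRET_LEN) {
        findings.push({ line: n, level: "WARN", rule: "secret falls back to a short hardcoded default" });
      }
      return;
    }
    const d = DIRECT.exec(line);
    if (d && SECRET_NAME.test(d[1])) {
      const lit = d[3];
      const rule = WEAK_LITERALS.has(lit.toLowerCase())
        ? "hardcoded weak/default secret (CWE-798)"
        : "hardcoded credential literal";
      findings.push({ line: n, level: "FAIL", rule });
    }
  });
  return findings;
}

// Worst level wins, so a file with any FAIL fails the scan.
function verdict(findings) {
  if (findings.some((f) => f.level === "FAIL")) return "FAIL";
  if (findings.some((f) => f.level === "WARN")) return "WARN";
  return "PASS";
}

// Runtime side of the fix: environment only, minimum length, no fallback,
// and refuse the weak words outright so a copied default cannot slip through.
function requireSecret(env, name, minLen = MIN_SECRET_LEN) {
  const s = env[name];
  if (!s || s.length < minLen || WEAK_LITERALS.has(s.toLowerCase())) {
    throw new Error(`set a strong ${minLen}+ char ${name}`);
  }
  return s;
}

// Constructed sample sources: the vulnerable shape, a hardcoded admin password,
// and a harmless non-secret fallback that must not be flagged.
const BEFORE_SRC = [
  'const JWT_AUTH_TOKEN_SECRET = process.env.JWT_AUTH_TOKEN_SECRET || "flowise";',
  'const ADMIN_PASSWORD = "changeme";',
  'const PORT = process.env.PORT || "3000";',
].join("\n");
const AFTER_SRC = [
  "const s = process.env.JWT_AUTH_TOKEN_SECRET;",
  'if (!s || s.length < 32) throw new Error("set a strong 32+ char secret");',
].join("\n");

for (const [label, src] of [["BEFORE", BEFORE_SRC], ["AFTER", AFTER_SRC]]) {
  const findings = scanSource(src);
  console.log(`${label}: ${verdict(findings)}`);
  for (const f of findings) console.log(`  line ${f.line} ${f.level} ${f.rule}`);
}
```

The PORT line is the reason the name filter exists: a fallback on a non-secret variable is normal configuration, and flagging it would bury the real finding in noise.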
If you self-host an AI tool, the checklist
The CVEs differ but the hardening is the same short list, and it is now a tab in Benteng:
- Never expose the tool or its datastores (Redis, database, vector store) to the internet. Bind localhost, reach it over a VPN.
- Require auth on every endpoint, including admin, API, and MCP routes.
- No default or hardcoded secrets. Read from a secret store, require length, rotate on deploy.
- Treat flows, tools, and request bodies as untrusted. Never deserialize or eval them.
- Least privilege per connector, and never leave a connector that reads data and one that can send it both live at once without a gate between them.
- Pin and patch fast. Watch the GitHub Advisory Database for your AI dependencies.
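As an added example (not Benteng's code) of the first checklist item, a startup preflight that refuses to run when the tool or any datastore URL is reachable beyond loopback or a private range. The config shape (`bind` plus a `datastores` map of URLs) is assumed, and the sample addresses are constructed.

```javascript
// Added example, not Benteng's own code: fail-closed exposure preflight for a
// self-hosted AI tool. Checks the listen address and every datastore URL
// (Redis, database, vector store) against loopback / RFC 1918 ranges.

const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

// A bare hostname other than localhost cannot be proven private, so it fails.
function isPrivateHost(host) {
  if (LOOPBACK.has(host)) return true;
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function checkBind(bind) {
  if (bind === "0.0.0.0" || bind === "::") {
    return { item: "bind", level: "FAIL", msg: `listens on all interfaces (${bind})` };
  }
  if (!isPrivateHost(bind)) {
    return { item: "bind", level: "FAIL", msg: `${bind} is not loopback/private` };
  }
  return { item: "bind", level: "PASS", msg: `bound to ${bind}` };
}

function checkDatastoreUrl(name, url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return { item: name, level: "FAIL", msg: "unparseable datastore URL" };
  }
  const host = u.hostname.replace(/^\[|\]$/g, ""); // Node keeps brackets on IPv6 hosts
  if (!isPrivateHost(host)) {
    return { item: name, level: "FAIL", msg: `${host} is reachable beyond loopback/private` };
  }
  if (u.protocol === "redis:" && !u.password) {
    return { item: name, level: "WARN", msg: "redis without a password" };
  }
  return { item: name, level: "PASS", msg: `${host} is private` };
}

function preflight(cfg) {
  const findings = [checkBind(cfg.bind)];
  for (const [name, url] of Object.entries(cfg.datastores || {})) {
    findings.push(checkDatastoreUrl(name, url));
  }
  return findings;
}

function mayStart(findings) {
  return !findings.some((f) => f.level === "FAIL");
}

// Constructed configs: the exposed shape and the corrected one.
const EXPOSED = {
  bind: "0.0.0.0",
  datastores: { redis: "redis://203.0.113.10:6379", vector: "http://203.0.113.11:8000" },
};
const HARDENED = {
  bind: "127.0.0.1",
  datastores: { redis: "redis://:redispw@127.0.0.1:6379", vector: "http://10.20.0.4:8000" },
};

for (const [label, cfg] of [["EXPOSED", EXPOSED], ["HARDENED", HARDENED]]) {
  const findings = preflight(cfg);
  console.log(`${label}: ${mayStart(findings) ? "may start" : "refusing to start"}`);
  for (const f of findings) console.log(`  ${f.level} ${f.item}: ${f.msg}`);
}
```

Wiring `mayStart` into the process entry point (exit non-zero when it returns false) turns the checklist item into something a misconfigured deploy cannot skip.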
The takeaway
The interesting shift is not that AI tools have bugs, it is that they have the same boring bugs, missing auth and default secrets and unsafe deserialization, on top of a component that can run code and reach your accounts. That combination is why a 9.8 lands so easily. The defense is old and unglamorous: scan the config and the inputs, keep the datastores private, and never ship a default secret. The new AI infra tab and the weak-secret detection are both live at palugadahub.com/sec, defensive and free.
Building an AI agent?
I'm packaging how I ship them into one kit. Early access:
AI Agent Starter Kit →