AI workflow platforms and agent frameworks are now production attack surface. This issue covers a critical cross-tenant data exposure in the most widely deployed open-source AI workflow tool, a host-level remote code execution chain through AI browsing agents, and the first confirmed real-world exploit developed using AI — as CERT-In's new blueprint puts AI-assisted attack response on a 12-hour clock for Indian organisations. The Five Eyes intelligence alliance issued a joint warning on June 22 that AI will outpace prevailing cyber defences within months, not years.
1 | Critical | CVSS 9.1 and 9.4
DifyTap: four vulnerabilities in Dify expose cross-tenant AI conversations, internal APIs, and documents across 1 million-plus applications (CVE-2026-41947 CVSS 9.1, CVE-2026-41948 CVSS 9.4, CVE-2026-41949, CVE-2026-41950)
Zafran Security disclosed four vulnerabilities in Dify, the open-source AI workflow platform that powers over one million production applications. Two are critical. CVE-2026-41947 allows any authenticated user to configure tracing on a different tenant's application and silently collect all future conversation data from that tenant. CVE-2026-41948 exploits insufficient path sanitisation in the Plugin Daemon to reach its internal REST API without authorisation. CVE-2026-41949 and CVE-2026-41950 allow any authenticated user to read documents and files belonging to other users or tenants by supplying a direct UUID reference. Dify version 1.14.2 addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950; a fix for CVE-2026-41948 has been merged on GitHub but is not yet in a stable release.
Why it matters for India: Indian GCCs, SaaS teams, and enterprises building AI workflows and customer-facing chatbots on Dify face cross-tenant exposure of customer conversations, uploaded documents, and internal prompts. Any tenant on a shared or self-hosted instance is potentially within reach of any other authenticated user of that instance.
Action: Upgrade to Dify v1.14.2 immediately for the three patched CVEs; deploy WAF rules blocking path traversal to Plugin Daemon endpoints until the CVE-2026-41948 fix ships in a stable release; audit tracing configurations and document access logs for references to objects owned by a different tenant than the requesting user.
Source: Zafran Security; The Hacker News; Security Affairs; NVD (22 June 2026).
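The two patterns behind this item are a lookup keyed on a UUID alone (CVE-2026-41949 and CVE-2026-41950) and a configuration action bound to an application the caller does not own (CVE-2026-41947). The following is an added example, not Dify code: a tenant-scoped lookup beside the unscoped one, and the audit the Action item calls for, run over constructed access-log lines. The document store, the log format and the object-to-tenant inventory are assumptions made for the example.

```python
"""Tenant-scoped lookup and a cross-tenant access audit over constructed logs.

Added illustration, not Dify code. The document store, the log format and the
object-to-tenant inventory below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str
    name: str


# Constructed object identifiers used throughout.
DOC_A = "0f8fad5b-d9cb-469f-a165-70867728950e"
DOC_B = "7c9e6679-7425-40de-944b-e07fc1f90ae7"
APP_A = "app-11111111-2222-3333-4444-555555555555"

DOCS = {
    DOC_A: Document(DOC_A, "tenant-a", "pricing.pdf"),
    DOC_B: Document(DOC_B, "tenant-b", "contracts.docx"),
}


def get_document_unscoped(doc_id):
    """Vulnerable pattern: the UUID alone is the access decision, so any
    authenticated user who obtains another tenant's UUID gets the object."""
    return DOCS.get(doc_id)


def get_document(tenant_id, doc_id):
    """Hardened pattern: the caller's tenant is part of the lookup key.
    A UUID owned by another tenant is indistinguishable from a missing one."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.tenant_id != tenant_id:
        return None
    return doc


# Inventory: object id -> owning tenant. In practice this is an export from
# the platform's own database covering documents, files and applications.
OWNERS = {DOC_A: "tenant-a", DOC_B: "tenant-b", APP_A: "tenant-a"}

# Constructed access-log lines: actor tenant, actor user, action, object id.
SAMPLE_LOG = """\
2026-06-22T09:14:02Z tenant=tenant-a user=alice action=document.read object=0f8fad5b-d9cb-469f-a165-70867728950e
2026-06-22T09:14:09Z tenant=tenant-a user=alice action=document.read object=7c9e6679-7425-40de-944b-e07fc1f90ae7
2026-06-22T09:15:30Z tenant=tenant-b user=bob action=tracing.configure object=app-11111111-2222-3333-4444-555555555555
2026-06-22T09:16:11Z tenant=tenant-b user=bob action=document.read object=7c9e6679-7425-40de-944b-e07fc1f90ae7
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one constructed log line into a dict of its key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def audit_cross_tenant(log_text, owners):
    """Return (timestamp, user, action, object, owner) for every access where
    the actor's tenant is not the object's owner. Objects missing from the
    inventory are flagged too (owner None): a tenant-scoped API should not be
    handling identifiers the inventory does not know about."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        owner = owners.get(ev["object"])
        if owner != ev["tenant"]:
            findings.append((ev["timestamp"], ev["user"], ev["action"], ev["object"], owner))
    return findings


if __name__ == "__main__":
    for finding in audit_cross_tenant(SAMPLE_LOG, OWNERS):
        print("cross-tenant:", finding)
```

On the constructed log the audit flags alice reading tenant-b's document and bob configuring tracing on tenant-a's application; bob reading his own tenant's document is not flagged. The same join works for tracing configuration records: treat the target application as the object and the configuring user's tenant as the actor.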
2
AutoJack: a malicious webpage can chain three weaknesses in AutoGen Studio to achieve host-level remote code execution through an AI browsing agent
Microsoft's Defender Security Research Team published AutoJack on 18 June 2026, demonstrating how attacker-controlled web content loaded by a local AI browsing agent can reach an AutoGen Studio MCP WebSocket listener and spawn arbitrary processes on the host. Three weaknesses are chained: the browsing agent runs on localhost, so its requests pass the origin allowlist check; the MCP WebSocket endpoint requires no authentication; and attacker-controlled parameters are passed directly to shell execution. No credentials are required once the agent loads the attacker's page. The vulnerable route exists only in development builds of AutoGen Studio; the stable v0.4.2.2 release on PyPI does not include the MCP route and is not exposed. A fix is in GitHub main (commit b047730, PR #7362) but has not yet shipped in a stable release.
Why it matters for India: Developer teams and GCCs using AI agents for automated web research, internal portal interaction, or data extraction pipelines face a class of risk where loading an untrusted page hands the host OS to an attacker. The underlying pattern, an unauthenticated local MCP service reachable from browser context, is not unique to AutoGen Studio.
Action: Do not run development builds of AutoGen Studio in production; require authentication on all MCP and local agent control channels, since an origin allowlist alone cannot distinguish the operator from a same-host agent acting on untrusted page content; run AI browsing agents in isolated containers or virtual machines with no access to host credentials or internal services; enumerate and verify every local listener an agentic framework opens before deployment.
Source: Microsoft Security Blog; BleepingComputer; CSO Online (18 June 2026).
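Two of the three chained weaknesses are ordinary server-side mistakes that can be shown side by side. The following is an added example and not AutoGen Studio code: an admission check that trusts the Origin header alone beside one that also requires a per-session bearer token, and a tool dispatcher that interpolates a parameter into a shell string beside one that passes it as a single argv element. The header names, the session-token scheme and the tool table are assumptions made for the example.

```python
"""A local agent control channel: origin-only admission beside token-gated
admission, and shell-string tool dispatch beside argv dispatch.

Added illustration of the weaknesses described above, not AutoGen Studio
code. The header names, the session token and the tool table are assumptions.
"""
import hmac
import secrets
import shlex
import subprocess

ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}
SESSION_TOKEN = secrets.token_urlsafe(32)  # generated when the listener starts


def admit_origin_only(headers):
    """Weak: admits any client whose Origin is on the allowlist. Origin says
    where a request came from, not who is allowed to act; a browsing agent on
    the same host presents an allowlisted origin while executing instructions
    from whatever page it loaded."""
    return headers.get("Origin") in ALLOWED_ORIGINS


def admit(headers, expected_token=None):
    """Hardened: origin allowlist plus a per-session bearer token. The token
    is handed only to the operator's UI at start-up; page content loaded by a
    browsing agent never receives it."""
    expected = expected_token if expected_token is not None else SESSION_TOKEN
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, expected)


# Constructed tool table: tool name -> fixed argv prefix.
TOOLS = {"echo_path": ["echo"]}


def build_shell_command(tool, param):
    """Vulnerable: the caller's parameter is interpolated into a string that a
    shell will parse, so ';', '|' or '$(...)' in the parameter become syntax."""
    return " ".join(TOOLS[tool]) + " " + param


def build_argv(tool, param):
    """Hardened: the parameter is one argv element and no shell is involved."""
    return [*TOOLS[tool], param]


def shell_word_count(tool, param):
    """Number of words a shell-style tokeniser sees in the vulnerable form.
    More words than argv elements means the parameter was split into extra
    arguments and, to a real shell, command separators."""
    return len(shlex.split(build_shell_command(tool, param)))


def run_tool(tool, param):
    """Dispatch with the argv form; stdout is the parameter, verbatim."""
    return subprocess.run(build_argv(tool, param), capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    payload = "/data; echo INJECTED"
    print("shell string:", build_shell_command("echo_path", payload))
    print("argv:", build_argv("echo_path", payload))
    # Through a shell the vulnerable form runs two commands.
    print(subprocess.run(build_shell_command("echo_path", payload), shell=True,
                         capture_output=True, text=True).stdout)
    # The argv form echoes the parameter as data.
    print(run_tool("echo_path", payload))
```

Run stand-alone, the shell form prints two lines ("/data" and "INJECTED") while the argv form prints the payload as one literal string. The token check is what actually closes the channel to a same-host agent; the origin allowlist is kept only as a secondary filter.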
3
First confirmed real-world AI-developed zero-day exploit: criminal group used AI to write a 2FA bypass against a web administration tool, disrupted before mass exploitation (Google GTIG, May 2026)
Google Threat Intelligence Group (GTIG) confirmed the first known instance of a threat actor using an AI agent to develop a working zero-day exploit and deploy it against real infrastructure. The target was a popular open-source web administration tool; the exploit was a Python script that bypassed two-factor authentication by abusing a hardcoded trust exception in the login flow. GTIG attributed authorship to AI from artefacts in the code: a hallucinated CVSS score, over-explanatory comments, and formatting inconsistent with human developer practice. The criminal group planned a mass exploitation event; Google worked with the vendor and disrupted the campaign before broad impact, using its BigSleep AI agent to isolate the specific logic flaw.
Why it matters for India: AI-assisted exploit development compresses the timeline between vulnerability disclosure and mass exploitation. Indian organisations running internet-facing admin panels with custom authentication logic, common in legacy government, BFSI, and healthcare systems, face this accelerated threat window.
Action: Prioritise security review of internet-facing administration interfaces, particularly those with custom 2FA or trusted-device logic; move authentication to audited, well-maintained libraries rather than custom implementations; treat any internet-exposed admin panel as a high-value target requiring network-layer access controls and enhanced monitoring.
Source: Google Cloud / GTIG blog; CNBC; The Hacker News (11 May 2026).
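The report describes the flaw only as a hardcoded trust exception in the login flow and does not name the tool, so the following is a hypothetical added example of that shape, not the affected code: a login that skips the second factor when a client-supplied condition holds, beside one where "trusted device" is a server-issued, HMAC-bound, expiring token that is only minted after a full two-factor login. The user table, the header name and the server key are constructed.

```python
"""A hardcoded second-factor trust exception beside a verifiable trusted-device
token.

Added illustration of the pattern described above. It is hypothetical and is
not the code of the affected tool, which the report does not name; the user
table, header name and key are constructed.
"""
import base64
import hashlib
import hmac
import time

USERS = {"admin": {"password": "correct horse battery", "totp": "492817"}}
SERVER_KEY = b"constructed-server-side-secret-rotate-me"
TRUST_TTL = 30 * 24 * 3600  # 30 days


def _eq(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def login_with_trust_exception(username, password, totp, headers):
    """Vulnerable: a fixed condition the client controls skips the second
    factor. Anything of this shape (a header, a query flag, a well-known
    cookie value, an IP range reachable through a proxy) is a 2FA bypass
    waiting for someone to read the source."""
    user = USERS.get(username)
    if user is None or not _eq(password, user["password"]):
        return False
    if headers.get("X-Trusted-Device") == "1":
        return True  # second factor never checked
    return _eq(totp, user["totp"])


def issue_device_token(username, now=None):
    """Issued only after a full password + TOTP login. The server, not the
    client, asserts trust: username and expiry are bound by an HMAC."""
    exp = int(now if now is not None else time.time()) + TRUST_TTL
    msg = f"{username}|{exp}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(msg + b"|" + mac).decode()


def verify_device_token(username, token, now=None):
    """Accept the token only if the MAC verifies for this user and it has not
    expired. Forged, edited, expired or foreign-user tokens all fail."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        user_b, exp_b, mac = raw.split(b"|", 2)
        exp = int(exp_b)
    except ValueError:  # bad base64, wrong field count or non-numeric expiry
        return False
    if user_b != username.encode():
        return False
    expected = hmac.new(SERVER_KEY, user_b + b"|" + exp_b, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    return exp > int(now if now is not None else time.time())


def login(username, password, totp=None, device_token=None, now=None):
    """Hardened: the second factor is a TOTP code or a valid device token.
    There is no path that skips it."""
    user = USERS.get(username)
    if user is None or not _eq(password, user["password"]):
        return False
    if device_token is not None and verify_device_token(username, device_token, now):
        return True
    return totp is not None and _eq(totp, user["totp"])
```

When reviewing an admin panel's login flow, the thing to look for is any branch that returns success before the second factor is checked; in the hardened form the only such branch is gated on a MAC the client cannot compute.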
4
CERT-In releases AI-assisted exploitation defence blueprint; mandates 12-hour patching for internet-facing known-exploited vulnerabilities (25 May 2026)
India's CERT-In published its 38-page "Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure" on 25 May 2026. The document codifies the patching cadence that Indian organisations should now plan against: known-exploited internet-facing vulnerabilities — patch, mitigate, or isolate within 12 hours where feasible; critical internet-facing vulnerabilities — one day; high-severity internal vulnerabilities — five days. The blueprint explicitly recognises that AI tools are now deployed in attacker workflows for surface discovery, exploit analysis, phishing content generation, and malware creation. Section 12 covers agentic AI governance: define operational boundaries and tool permissions for each agent, maintain an AI asset inventory, implement continuous audit logging, and establish documented emergency shutdown procedures.
Why it matters for India: This is the compliance baseline Indian organisations should measure their patch and response velocity against. The blueprint maps the AI threat ecosystem onto operational timelines: for internet-facing known-exploited vulnerabilities, 12 hours is no longer an emergency suggestion but the documented standard.
Action: Map current patch SLAs against the CERT-In timelines and identify gaps; prioritise internet-facing systems with known-exploited CVEs for immediate remediation windows; implement the agentic AI governance controls in Section 12 before deploying production AI agents.
Source: CERT-In (cert-in.org.in), Version 1.0, 25 May 2026; The Hacker News; The Register; Medianama.
AI defender tip: The common failure pattern across this issue is AI infrastructure — workflow platforms, agent frameworks, local MCP listeners — deployed with the access privileges of production systems but without the security controls applied to production software. Apply the same baseline to any component an AI agent touches: authenticated access only, network segmentation, audit logging of all tool calls and external connections, and a tested shutdown procedure. An AI workflow platform that handles customer data is a production system; treat it accordingly.
Nirad Threat Research
Nirad AI Threat Watch | Bharat-first threat intelligence