PWA & Startup Breaches
Langflow: one unauthenticated POST turns an AI workflow builder into a shell
Langflow, an open-source AI agent workflow builder, shipped endpoints that execute attacker-supplied code without authentication — CVE-2025-34291 (CVSS 9.4) and CVE-2026-33017 (CVSS 9.8), the latter weaponized within 20 hours of disclosure to deploy Monero cryptominers on exposed servers.
Chat & Ask AI: 300 million messages readable by anyone with the project URL
The AI app Chat & Ask AI exposed around 300 million messages tied to 25 million users because its Firebase Security Rules were set to public, letting anyone with the project URL read, modify, or delete data without authentication.
Flowise CustomMCP: a config field piped straight into Function() gives CVSS 10 RCE
Flowise's CustomMCP node passed the untrusted mcpServerConfig field into JavaScript's Function() constructor, giving unauthenticated remote code execution (CVSS 10.0) on instances without API-key protection.
The Tea app breach: a Firebase database left open, then an API that trusted any user
The women's safety app Tea suffered two breaches rooted in authentication and authorization failures: a Firebase database left open because security policies were never configured, and a second flaw letting any user use their own API key to download other users' chats.
The vibe-coding RLS epidemic: AI-built apps shipped with no lock on the database
Apps generated by the AI builder Lovable frequently shipped Supabase backends with Row-Level Security missing — so anyone with the public key could read private tables. A scan of 1,645 apps found roughly 170 exposed.
OmniGPT: 34 million chat lines leaked — with the credentials and keys users pasted in
A threat actor claimed to have breached AI chatbot OmniGPT and leaked around 30,000 user emails and phone numbers plus 34 million lines of chat messages that reportedly contained credentials, API keys, and billing details users had pasted into conversations.
Ollama in the open: 1,139 LLM servers on Shodan, hundreds answering with no auth
Cisco used Shodan to find 1,139 internet-exposed Ollama instances on port 11434, of which 214 were actively serving live models with no authentication — open to arbitrary prompts, model extraction, and resource abuse.
The unlocked memory of AI apps: exposed vector databases with no authentication
Vector databases that back RAG applications are frequently deployed with no authentication, letting attackers who reach them exfiltrate embeddings, partially reconstruct source documents via model inversion, and poison retrieval — a documented misconfiguration class.
sk- in the browser: thousands of OpenAI keys shipped in client code and public repos
Cyble found OpenAI API keys exposed at scale — over 5,000 GitHub repositories and around 3,000 public websites shipping sk- keys in client-side JavaScript or committed source, where automated scanners abuse them within hours or minutes.
The PWA that installs like a native app — and the push channel that phishes you after
ESET documented phishing that installs banking-app lookalikes as WebAPKs with no untrusted-source warning, and Matrix Push C2 shows how the browser push channel is then abused to deliver spoofed OS-level notifications carrying phishing and malware.
The .env harvest: 90,000 secrets scraped from exposed files, then cloud extortion
Unit 42 documented an extortion campaign that scanned the internet for publicly exposed .env files, harvested over 90,000 environment variables including cloud, SaaS, and AI keys across 110,000 domains, then used them to break into cloud accounts and extort victims.
WotNot's open bucket: 346,000 passports and medical records with no password
AI chatbot startup WotNot left a Google Cloud Storage bucket of 346,381 files — including passport scans, medical records, and resumes — accessible to anyone on the internet with no authentication.
Sisense: a hardcoded token in the code repo unlocked terabytes of customer data
Attackers reached Sisense's self-managed GitLab repository, found a hardcoded credential to the company's Amazon S3 buckets, and exfiltrated several terabytes of customer data including access tokens, email passwords, and SSL certificates — prompting a rare CISA warning.
The XSS that won't die: service-worker cache poisoning in PWAs
A single same-origin XSS in a Progressive Web App can be escalated into a persistent person-in-the-middle over cached content — one that outlives the original XSS fix.
The ChatGPT Redis bug: a cancelled request handed you a stranger's chat history
A race condition in the open-source redis-py client let cancelled requests return another user's cached data, exposing chat titles and, for about 1.2% of ChatGPT Plus subscribers, some billing information.