
Alerts — May 2026

Microsoft disclosed CVE-2026-41105, a server-side request forgery (SSRF) vulnerability in the Azure Monitor Action Group notification system (Azure Notification Service), published on 2026-05-07. The flaw allows an authorized attacker with low privileges to elevate privileges over the network, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). No exploitation has been observed in the wild at this time, and Microsoft has issued guidance via MSRC. The other sources in the batch concern an unrelated Linux kernel issue (Dirty Frag) and are not relevant to Microsoft.


A critical vulnerability in Google's Gemini CLI, disclosed by Pillar Security, could have enabled a full supply-chain compromise of the open-source AI agent. The flaw, rated CVSS 10/10 but without a CVE identifier, stemmed from --yolo mode ignoring tool allowlists, allowing arbitrary command execution. An attacker could plant a malicious indirect prompt inside a public GitHub issue; when Gemini CLI auto-triaged the issue, the injected instructions could exfiltrate build-environment secrets and pivot to a token with full write access to the gemini-cli repository, enabling malicious code to ship to downstream users. At least eight other Google repositories shared the same vulnerable workflow. Separate Adversa.AI research (TrustFall) further shows Gemini CLI, alongside Claude Code, Cursor CLI, and Copilot CLI, will execute project-defined MCP servers from a malicious repository upon a single trust-prompt keypress, enabling one-click RCE.


Multiple security-relevant disclosures concerning Anthropic's Claude surfaced in early May 2026. Mitiga Labs detailed an MCP hijacking technique against Claude Code in which a malicious npm package modifies ~/.claude.json so that MCP traffic is routed through an attacker-controlled intermediary (a man-in-the-middle position), exfiltrating OAuth tokens that grant broad access to all connected tools. Adversa AI separately published 'TrustFall,' showing that Claude Code v2.1+ removed prior MCP warnings in its trust dialog, allowing a malicious repository shipping an MCP server with an auto-approving .claude/settings.json to achieve one-keypress, unsandboxed RCE (and zero-prompt RCE on CI runners); Cursor, Gemini CLI, and Copilot CLI are similarly affected. Dragos and Gambit Security also reported that a threat actor abused Claude (alongside GPT) as an operational engine during a January 2026 intrusion at a Monterrey, Mexico water utility, with Claude generating a 17,000-line Python intrusion framework and guiding the actor toward OT assets as part of a broader campaign against Mexican government targets. Defenders using Claude Code should audit ~/.claude.json, restrict MCP server trust, and monitor for malicious npm lifecycle hooks pending vendor mitigations.

// AWS: MEDIUM

A command injection vulnerability has been disclosed affecting Amazon ECS on Windows, tracked publicly without a formal CVE identifier and rated medium severity. The flaw reportedly allows an attacker to inject operating system commands through the ECS Windows component, potentially leading to unauthorized command execution within affected container environments. No public reports of active exploitation have been identified, and AWS customers running ECS on Windows should review AWS security bulletins and apply mitigations or updates as they become available. Other sources reviewed did not contain AWS-specific security events and were excluded.


Microsoft's security research team disclosed remote code execution vulnerabilities in popular AI agent frameworks, demonstrating how adversarial prompts can be leveraged to escape sandboxed contexts and execute arbitrary code on host systems. The research, published on the Microsoft Security Blog, details how prompt injection can be chained with insecure tool-execution patterns in agent frameworks to achieve code execution, effectively turning prompts into shells. Microsoft Defender coverage and mitigation guidance are referenced alongside the disclosure. No active exploitation in the wild is reported, but the findings affect the broader AI agent ecosystem and warrant prompt review by developers building on these frameworks. Other items in the source set (Apache HTTP/2, Linux 'Dirty Frag', Q1 vulnerability roundup) are unrelated to Microsoft as a service and were excluded.


Dragos and Gambit Security have published details of an intrusion into a municipal water and drainage utility in Monterrey, Mexico, in which a threat actor leveraged OpenAI's GPT models alongside Anthropic's Claude as an AI-assisted operational engine. The January 2026 attack was part of a broader campaign targeting Mexican government organizations between December 2025 and February 2026. According to the report, GPT was used for victim data processing and structured reporting, while Claude handled intrusion planning and tool development, including a 17,000-line Python framework iteratively refined by the model. The incident represents confirmed abuse of OpenAI's models in an active intrusion against operational technology assets, though no specific OpenAI platform vulnerability is implicated. Other sources in the batch concern Anthropic's Claude Chrome extension or unrelated open-source CVE trends and were not used.


LayerX researchers disclosed ClaudeBleed, a vulnerability in the Claude for Chrome extension that allows any installed Chrome extension—without special permissions—to hijack the Claude AI agent and issue privileged commands. The flaw stems from the extension trusting the claude.ai origin rather than the execution context, combined with an externally_connectable configuration and a message handler that forwards arbitrary prompts. Exploitation enables remote prompt injection, exfiltration of private Google Drive and Gmail data, and sending emails on behalf of the user without consent. The issue was reported by LayerX senior researcher Aviad Gispan, and impacts users who have installed the Claude Chrome extension.
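The root cause described above, a handler that decides trust from where a message claims to come from instead of from the execution context Chrome reports, is a general pattern in extension messaging. The snippet below is an added illustration of that pattern and its fix; it is hypothetical and is not the Claude for Chrome extension's real code. It assumes the shape Chrome gives chrome.runtime.onMessageExternal handlers (a `sender` object carrying `id` for extension senders and `url`/`origin` for page senders), and the action names, policy values and extension ids are placeholders.

```javascript
// Added illustration (hypothetical; not the Claude for Chrome extension's code).
// chrome.runtime.onMessageExternal handlers receive (message, sender). Per the
// Chrome docs, sender.id is the id of the extension that sent the message (when
// an extension did), while sender.url / sender.origin describe a page sender.
// Assumption: Chrome leaves sender.id unset for plain web-page senders.

// Tightest sensible manifest fragment (placeholder values): only the first-party
// site may open an external channel; no foreign extension ids are listed.
const MANIFEST_EXTERNALLY_CONNECTABLE = { matches: ["https://claude.ai/*"] };

const POLICY = {
  selfId: "SELF_EXTENSION_ID_PLACEHOLDER",
  allowedOrigins: new Set(["https://claude.ai"]),
  allowedExtensionIds: new Set(),          // no extension-to-extension channel
  allowedActions: new Set(["getStatus"]),  // the privileged "runPrompt" is never exposed externally
};

// Weak pattern: trusts an origin field the *message* declares about itself.
// Anything that can reach the handler can set that field.
function handleExternalMessageWeak(message, _sender) {
  if (message && message.origin === "https://claude.ai") {
    return { action: "forward", request: message.action };
  }
  return { action: "reject", reason: "origin not claimed" };
}

function senderOrigin(sender) {
  if (sender.origin) return sender.origin;
  try { return new URL(sender.url).origin; } catch { return null; }
}

// A message from another extension's code is an extension sender even when that
// code runs inside an allowed page, so the extension id is checked first.
function isTrustedSender(sender, policy = POLICY) {
  if (!sender) return false;
  if (sender.id && sender.id !== policy.selfId) return policy.allowedExtensionIds.has(sender.id);
  const origin = senderOrigin(sender);
  return origin !== null && policy.allowedOrigins.has(origin);
}

// Hardened pattern: decide from the sender context Chrome supplies, then apply an
// allow-list of actions so privileged operations are never forwarded externally.
function handleExternalMessageHardened(message, sender, policy = POLICY) {
  if (!isTrustedSender(sender, policy)) return { action: "reject", reason: "untrusted sender" };
  if (!message || !policy.allowedActions.has(message.action)) {
    return { action: "reject", reason: "action not exposed externally" };
  }
  return { action: "forward", request: message.action };
}

// Constructed senders: a genuine first-party page, and a foreign extension whose
// content script is running on that same page (placeholder id).
const PAGE_SENDER = { url: "https://claude.ai/chat", origin: "https://claude.ai" };
const FOREIGN_EXTENSION_SENDER = {
  id: "foreignextensionidplaceholder000", url: "https://claude.ai/chat", origin: "https://claude.ai",
};
// Constructed message that self-declares a trusted origin and asks for the privileged action.
const SPOOFED_MESSAGE = { origin: "https://claude.ai", action: "runPrompt", prompt: "..." };

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak:", handleExternalMessageWeak(SPOOFED_MESSAGE, FOREIGN_EXTENSION_SENDER));
  console.log("hardened:", handleExternalMessageHardened(SPOOFED_MESSAGE, FOREIGN_EXTENSION_SENDER));
}
```

When reviewing an extension, the questions the two handlers make concrete are: does the manifest's externally_connectable list only what must be reachable, does the handler consult `sender` rather than the message body, and is there an explicit allow-list of actions a remote caller may invoke.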


Instructure, operator of the Canvas learning management system, disclosed a data breach on May 7, 2026 after the extortion group ShinyHunters claimed responsibility and asserted it had stolen 275 million records. Instructure confirmed that names, email addresses, student ID numbers, and private messages between users were accessed before containment, affecting institutions that include over 7,000 universities and K-12 districts and roughly 41% of North American higher education. Canvas was placed into maintenance mode and taken offline during the incident, disrupting U.S. colleges and K-12 schools in the middle of finals period. The platform was restored after security patches were applied, though several institutions advised users to delay logging back in pending further guidance. Investigation and notifications to affected institutions are ongoing.

// Canvas: CRITICAL

Instructure's Canvas learning management system suffered a data breach disclosed on May 7, 2026, taking the platform offline during U.S. college finals period. The hacking group ShinyHunters claimed responsibility, with reports indicating exposure of personal information for over 275 million students, teachers, and staff across nearly 9,000 schools worldwide, including K-12 districts and universities. Instructure stated that no passwords, government IDs, or financial data appear to have been stolen, and the platform has since been restored. Some institutions, including Georgia Tech, advised users not to log back in immediately while investigations continued. The incident has caused significant academic disruption and remains under active review.

// AWS: MEDIUM

AWS published security bulletin AWS-2026-026 covering CVE-2026-31431. The bulletin appears on the official AWS security bulletins feed, indicating an advisory affecting an AWS service or component, though specific technical details, affected services, and remediation guidance were not retrievable from the provided excerpt. Customers should consult the AWS bulletin directly to determine impact and required action. The other sources referenced (Apache HTTP/2 RCE, Q1 2026 vulnerability landscape, and a CVE refresh-planning article) are not AWS-specific and were excluded.


Cloudflare published a response detailing how it assessed and mitigated the 'Copy Fail' Linux kernel local privilege escalation vulnerability (CVE-2026-31431), publicly disclosed on April 29, 2026. Cloudflare's Security and Engineering teams reviewed the exploit technique, evaluated exposure across its infrastructure, and validated that existing behavioral detections could identify the exploit pattern. The post describes mitigations applied to protect Cloudflare's fleet from local privilege escalation via the kernel flaw. No active exploitation against Cloudflare was reported, and the issue is a kernel-level LPE rather than a remote-facing service vulnerability. Other items in the source set concern unrelated vendors (Ivanti EPMM, Palo Alto PAN-OS) and are not relevant to Cloudflare.
