Workers AI experiencing degraded availability in some models
We are continuing to investigate this issue.
the live wire
Verified launches, security shifts, and AI service health. Primary reports first; noise and speculation stay out.
live signals
14
needs attention
We are continuing to investigate this issue.
Inkling is an open-weight multimodal mixture-of-experts model from Thinking Machines Lab, with 41B active parameters out of 975B total. It is designed for general-purpose reasoning, coding, agentic and tool-use systems,...
Kimi K3 is a 2.8T parameter open-weight multimodal reasoning model from Moonshot AI. It is suited for complex coding, knowledge work, and long-horizon agentic workflows, and is particularly strong at...
Summary @andrea9293/mcp-documentation-server v1.13.0 documents that a Web UI starts automatically on port 3080. However, the Web UI/API appears to bind to all network interfaces by default (:3080 / 0.0.0.0:3080) instead of localhost-only, and its document-management API endpoints do not require authentication. As a result, any network-reachable client on the same LAN, VM network, or container bridge can access the document-admin API without credentials. In my reproduction, I was able to enumerate documents, add a document, read its full content, search…
Summary The TypeScript Prompty loader used gray-matter without overriding executable frontmatter engines. gray-matter supports JavaScript frontmatter blocks such as ---js and evaluates them while parsing. An attacker-controlled .prompty file could therefore execute arbitrary JavaScript during prompt loading. Affected package - npm @prompty/core v2 prerelease line: >= 2.0.0-alpha.1 < 2.0.0-beta.3 - Fixed in @prompty/[email protected] The legacy v1 JavaScript runtime had a historical hardening change for this issue. During the v2 TypeScript runtime rebuil…
Summary Prompty loaders expanded ${file:...} references in .prompty frontmatter without enforcing that the resolved path stayed within an authorized directory. An attacker-controlled prompt file could use path traversal or an absolute path to cause the host application to read files accessible to the process. Affected packages - PyPI prompty versions <= 2.0.0b1; fixed in 2.0.0b2 - npm @prompty/core versions <= 2.0.0-beta.1; fixed in 2.0.0-beta.2 - crates.io prompty versions <= 2.0.0-beta.1; fixed in 2.0.0-beta.2 - NuGet Prompty.Core versions <= 2.0.0-be…
X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token Summary AuthInjectionMiddleware in meta-ads-mcp rejects HTTP MCP requests only when both authtoken and pipeboardtoken are absent. Because extracttokenfromheaders() does not recognise the X-Pipeboard-Token header, an attacker who sends that header with any arbitrary value produces authtoken = None and pipeboardtoken = , making the guard condition evaluate to False and passing the request through. No authentication context is set; the token getter falls back to the server operator's METAACCES…
Server-Side Request Forgery (SSRF) in uploadadimage via Unrestricted imageurl Fetch Summary The uploadadimage MCP tool in meta-ads-mcp v1.0.113 passes an attacker-controlled imageurl parameter directly to an HTTP fetch helper (httpx.AsyncClient(followredirects=True).get(url)) without any scheme, host, or IP address validation. When the server is deployed with the streamable-http transport (a documented, officially supported mode), an unauthenticated remote attacker can supply an arbitrary URL—including http://127.0.0.1/, RFC 1918 addresses, or cloud met…
Summary The structuredoutputs.regex API parameter passes a user-supplied regex string directly to grammar compiler backends with no compilation timeout. In the xgrammar backend, the string reaches compileregex() with no guard. In the outlines backend, validateregexisbuildable() blocks structural issues (lookarounds, backreferences) but provides zero protection against exponential DFA state-space explosion. Patterns like (a+)+b pass all checks and hang the inference worker. Root Cause backendxgrammar.py:91 — no timeout: python ctx = self.compiler.compile…
Summary A frontend-legal multi-request speculative workload can make vLLM produce an out-of-vocabulary recovered token equal to vocabsize, convert that value to -1 when choosing the next live token for a request, and then feed that -1 back into the next drafter input ids. On Qwen3 GPTQ this reaches the worker-side drafting / attention path and crashes the engine with a GPU device-side assert. The same issue is reachable through the public gRPC request surface by sending a specific overlapping Generate / Abort sequence. Impact - A remote client that can…
Summary In affected versions, the deprecated WebSocket server transport (mcp.server.websocket.websocketserver) accepted the WebSocket handshake without applying any Host or Origin header validation. The TransportSecuritySettings mechanism that the SSE and Streamable HTTP transports use for this purpose was not wired into the WebSocket transport, so there was no SDK-level way to restrict which origins could connect. Am I affected? Only if a developer's application server exposes mcp.server.websocket.websocketserver. This transport has never been part of…
Summary In affected versions, the SSE and Streamable HTTP server transports routed incoming requests to an existing session based only on the session identifier, without verifying that the request was authenticated as the same principal that created the session. Anyone who learned or guessed a session ID could send JSON-RPC messages on that session, regardless of which bearer token the request carried. Am I affected? Only if a developer's application server uses an HTTP transport (SSE, or Streamable HTTP in stateful mode) and authenticates requests. Ser…
Summary In affected versions, the default request handlers installed by the experimental tasks feature (server.experimental.enabletasks()) did not check which session created a task before acting on it. On a server with more than one connected client, any client could observe, read results from, and cancel tasks belonging to other clients. Am I affected? Only if the developer's application server calls server.experimental.enabletasks(). If grep -r enabletasks over their codebase finds nothing, the application is not affected. Details When tasks support…
Summary Any authenticated user can achieve arbitrary command execution on the LangBot servers through changing the MCP Server Configuration by added an "STDIO" MCP with an arbitrary command. Details The repository uses StdioServerParameters which is based on Anthropic's modelcontextprotocol open source, inside the code - src/langbot/pkg/provider/tools/loaders/mcp.py - StdioServerParameters is imported from mcp, which executes a given command which runs a subprocess on the target machine. Since the LangBot services are authenticated, an attacker finding…
Some users are unable to access Codex is no longer listed as an active incident by OpenAI.
incident timeline