Last Week in AI Security — Week of May 25, 2026
Critical vLLM RCE enables server takeover via malicious video; PyTorch Lightning supply chain attack compromises 2.6.2-2.6.3; NIST releases AI RMF Critical Infrastructure Profile concept note.
Key Highlights
- CVE-2026-22778: Critical pre-authentication vLLM RCE via malicious video URL affects multimodal deployments on versions 0.8.3 through 0.14.0
- PyTorch Lightning supply chain attack: versions 2.6.2-2.6.3 compromised April 30
- NIST releases concept note for AI RMF Profile on Trustworthy AI in Critical Infrastructure
- CrowdStrike 2026 report: 89% rise in AI-enabled adversary activity, 82% detections malware-free
- MITRE ATLAS expands to 84 techniques across 16 tactics as of February 2026
Executive Summary
The week of May 25, 2026, underscores a troubling reality: AI infrastructure has become both the target and the weapon. While the previous week highlighted AI’s defensive potential through Project Glasswing’s vulnerability discoveries, this week demonstrates that AI systems themselves have emerged as critical attack vectors requiring immediate attention from security practitioners.
The disclosure of CVE-2026-22778 on February 2—though catching widespread attention this week—reveals how quickly ML infrastructure vulnerabilities can escalate. This critical vLLM flaw allows unauthenticated remote code execution simply by submitting a malicious video URL to the API, affecting deployments serving multimodal models. The exploit chains an information disclosure in error handling with a heap buffer overflow in the JPEG2000 decoder of the FFmpeg build bundled with OpenCV: the leaked heap address collapses the ASLR search space to a handful of guesses, and the overflow then yields full server compromise. Organizations running vLLM versions 0.8.3 through 0.14.0 with network-exposed multimodal endpoints should assume that an unauthenticated attacker can take over the server.
The PyTorch Lightning supply chain attack on April 30 demonstrates the ML ecosystem’s supply chain fragility. Versions 2.6.2 and 2.6.3 of the widely-used deep learning framework were compromised with obfuscated credential-harvesting payloads, affecting organizations across image classification, LLM fine-tuning, and time-series forecasting workflows. The incident, detected and mitigated in 42 minutes, nonetheless represents a successful infiltration of a package with millions of downloads per month.
Framework and regulatory developments continue to mature. NIST released a concept note on April 7 for an AI RMF Profile specifically targeting critical infrastructure operators, while MITRE ATLAS expanded to 84 techniques across 16 tactics as of February 2026, adding agent-focused attack patterns including “Publish Poisoned AI Agent Tool” and “Escape to Host.” The CrowdStrike 2026 Global Threat Report recorded an 89% year-over-year rise in AI-enabled adversary activity, with 82% of detections now malware-free—a shift that challenges traditional detection paradigms.
Research summarized this week confirms what practitioners already suspect: prompt injection remains the top LLM application threat, data poisoning requires remarkably few malicious samples to compromise models reliably, and the attack surface of agentic AI systems (tool invocation, retrieval, persistent memory, MCP) has expanded beyond what existing controls can effectively address. Organizations must recognize that AI security is no longer a specialized concern; it is core infrastructure risk.
Top Stories
Critical vLLM Remote Code Execution Vulnerability Enables Server Takeover
A critical pre-authentication remote code execution vulnerability in vLLM, tracked as CVE-2026-22778 (CVSS 9.8), was disclosed on February 2, 2026, affecting one of the most widely-deployed Python libraries for serving large language models. The vulnerability allows an attacker to achieve Remote Code Execution (RCE) simply by sending a malicious video link to a vLLM API, requiring no authentication and affecting deployments running multimodal video models.
vLLM is a high-throughput, memory-efficient inference engine for serving large language models in production environments, and has become a widely-adopted solution for organizations deploying LLMs at scale. The vulnerability affects vLLM versions 0.8.3 through 0.14.0 and stems from a chained exploit combining two distinct security flaws.
The first component is an information disclosure vulnerability in error handling. When an invalid image is submitted to a multimodal endpoint, PIL raises an exception whose message embeds the repr of the file object it was handed, including the memory address of a BytesIO object (PIL's standard message reads "cannot identify image file <_io.BytesIO object at 0x...>"), and vLLM returns that message directly to the client. The leaked heap address sits at a stable offset of roughly 10.33 GB below libc, which shrinks the ASLR search space for libc from approximately 4 billion candidates to around 8 guesses.
The second component is a heap buffer overflow in the JPEG2000 decoder of the FFmpeg build bundled with OpenCV. The decoder honors a cdef (channel definition) box that can remap color channels; when the Y (luma) channel is remapped into the U (chroma) plane, the decoder writes the full-size Y plane into the smaller U buffer, overflowing the heap. Combined with the leaked address, an attacker can corrupt memory reliably and reach arbitrary code execution.
Out-of-the-box vLLM installations do not require authentication, and the vulnerability can be triggered through the invocations route before authentication is validated, so vLLM's own API key check is not a reliable control for this bug. The resulting threat model is severe: any organization with a network-accessible vLLM deployment serving video models is exposed to complete compromise by unauthenticated attackers.
The patch was released in vLLM version 0.14.1 and includes fixes for both the information leak and the underlying heap overflow. Organizations unable to patch immediately should disable video model endpoints and restrict network access to trusted clients; enabling API key authentication is still worthwhile, but because the invocations route is reachable before authentication is validated it does not by itself block the attack. None of these stopgaps fully addresses the vulnerability.
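As an added example (not vLLM project code), the following Python script implements the two checks a practitioner wants after reading the above: it classifies a vLLM version string against the affected range, and it scans API error bodies for the PIL exception text that leaks a heap address, with a scrubber that a logging or reverse-proxy layer could apply to upstream errors. The sample error body is constructed for the example; the JSON shape of a real vLLM error response is an assumption.

```python
"""Exposure checks for CVE-2026-22778, added as an example for this newsletter (not vLLM code).
(1) classify a vLLM version against the affected range 0.8.3..0.14.0, and
(2) detect the PIL error text that leaks a heap address in an API error body.
SAMPLE_ERROR is constructed; the JSON shape of a real vLLM error response is an assumption."""
import re
from typing import List, Tuple

AFFECTED_MIN = (0, 8, 3)    # first affected release per the advisory
AFFECTED_MAX = (0, 14, 0)   # last affected release
FIXED_IN = (0, 14, 1)

# PIL's UnidentifiedImageError embeds repr(fp), e.g.
# "cannot identify image file <_io.BytesIO object at 0x7f3a1c2b4d60>".
# If that text reaches the client, the client learns a heap address.
LEAK_RE = re.compile(r"<_io\.BytesIO object at 0x([0-9a-fA-F]+)>")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '0.14.1', 'v0.14.1rc1' or '0.14.1+cu124' to (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def vllm_version_status(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not affected' for a vLLM version string."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED_IN:
        return "fixed"
    return "not affected"


def find_leaked_addresses(error_body: str) -> List[int]:
    """Return every heap address an error body leaks through the PIL message."""
    return [int(h, 16) for h in LEAK_RE.findall(error_body)]


def scrub_error_message(error_body: str) -> str:
    """Replace the object repr before the text leaves the server (or at a proxy/log layer).
    This removes the leak but not the overflow; it is not a substitute for 0.14.1."""
    return LEAK_RE.sub("<image data>", error_body)


# Constructed sample of an error body returned for an invalid image payload.
SAMPLE_ERROR = (
    '{"object":"error","type":"BadRequestError","message":'
    '"cannot identify image file <_io.BytesIO object at 0x7f3a1c2b4d60>"}'
)

if __name__ == "__main__":
    for v in ("0.8.2", "0.8.3", "0.14.0", "0.14.1", "0.18.0"):
        print(f"vllm {v}: {vllm_version_status(v)}")
    print("leaked:", [hex(a) for a in find_leaked_addresses(SAMPLE_ERROR)])
    print("scrubbed:", scrub_error_message(SAMPLE_ERROR))
```

The version check is deliberately tolerant of local-build and pre-release suffixes, because those are what `pip show vllm` typically reports in CUDA builds. Run `find_leaked_addresses` over captured error responses from a staging endpoint; any non-empty result means the information-disclosure half of the chain is reachable from that client.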
PyTorch Lightning Supply Chain Attack Compromises Widely-Used ML Framework
On April 30, 2026, members of the PyTorch Lightning open source community alerted maintainers to a supply chain security incident affecting PyPI-distributed versions of pytorch-lightning 2.6.2 and 2.6.3, with the attack targeting the distribution layer rather than the source code. The incident represents a successful compromise of a deep learning framework with over 3 million downloads per month.
The affected package, distributed on PyPI as pytorch-lightning and lightning, is a widely used deep learning framework that appears in AI project dependency trees for image classification, LLM fine-tuning, diffusion model work, and time-series forecasting. The affected versions ship a hidden _runtime directory and an obfuscated JavaScript payload that executes when the module is imported. The official GitHub Security Advisory confirmed that one or more released versions were compromised and introduced functionality consistent with credential harvesting.
Semgrep listed IOCs including commit messages prefixed with "EveryBoiWeBuildIsAWormyBoi" and repositories with the description "A Mini Shai-Hulud has Appeared", a reference to the September 2025 Shai-Hulud campaign that compromised over 500 npm packages. The naming suggests a deliberate attempt by the threat actor to establish a recognizable signature.
The community response was rapid: the malicious versions were identified and quarantined, and users were advised to pin to version 2.6.1, within 42 minutes of initial detection. The incident nonetheless illustrates the core difficulty of securing AI supply chains: a malicious commit does not need to change application code to be dangerous. Teams should review commits from around April 30, 2026 onward, paying special attention to any that add hidden folders, editor tasks, AI tool settings, or new GitHub Actions workflows.
For organizations that installed the compromised versions, the incident requires immediate action: identify all environments where pytorch-lightning 2.6.2 or 2.6.3 was installed, rotate all credentials accessible from those environments, review Git commit history for suspicious additions, and audit CI/CD pipelines for injected workflows that may persist beyond package removal.
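The triage steps above, as an added Python example (not Lightning project code): it finds affected versions in `pip freeze` output, looks for the hidden `_runtime` directory inside an installed package tree, and flags commits in `git log --name-status` output that carry the IOC prefix or add hidden, editor, AI-tool or workflow files. All sample inputs are constructed; the list of editor and AI-tool paths in WATCHED_PREFIXES is an assumption, not taken from the advisory, and both PyPI names are checked because the page cites both.

```python
"""Triage for the pytorch-lightning 2.6.2/2.6.3 compromise, added as an example for this
newsletter (not Lightning project code). Three checks: affected versions in `pip freeze`
output, a hidden `_runtime` directory inside an installed package tree, and git commits
that carry the IOC prefix or add hidden/workflow/editor files. All sample inputs are
constructed; WATCHED_PREFIXES is an assumed list, not taken from the advisory."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

AFFECTED_NAMES = {"pytorch-lightning", "lightning"}   # both PyPI names cited above
AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}
IOC_COMMIT_PREFIX = "EveryBoiWeBuildIsAWormyBoi"
HIDDEN_PAYLOAD_DIR = "_runtime"
WATCHED_PREFIXES = (".github/workflows/", ".vscode/", ".idea/", ".cursor/", ".claude/")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so pytorch_lightning and Pytorch-Lightning compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def affected_installs(freeze_output: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from `pip freeze` text that are in the affected set."""
    hits = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        if normalize_name(name) in AFFECTED_NAMES and version.strip() in AFFECTED_VERSIONS:
            hits.append((normalize_name(name), version.strip()))
    return hits


def find_hidden_runtime_dirs(site_packages: Path) -> List[Path]:
    """Locate `_runtime` directories under the lightning / pytorch_lightning package trees."""
    found = []
    for pkg in ("lightning", "pytorch_lightning"):
        base = site_packages / pkg
        if base.is_dir():
            found.extend(p for p in base.rglob(HIDDEN_PAYLOAD_DIR) if p.is_dir())
    return found


def demo_hidden_dir_scan() -> List[str]:
    """Build a constructed site-packages tree with a planted payload dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp) / "site-packages"
        (sp / "lightning" / HIDDEN_PAYLOAD_DIR).mkdir(parents=True)
        (sp / "numpy").mkdir()
        return [p.relative_to(sp).as_posix() for p in find_hidden_runtime_dirs(sp)]


def parse_git_log(log_text: str) -> List[Dict]:
    """Parse `git log --name-status --pretty=format:%H|%s` output into commit records."""
    commits: List[Dict] = []
    for line in log_text.splitlines():
        m = re.match(r"^([0-9a-f]{7,40})\|(.*)$", line)
        if m:
            commits.append({"hash": m.group(1), "subject": m.group(2), "added": []})
        elif commits and line.startswith("A\t"):   # status 'A' = file added in this commit
            commits[-1]["added"].append(line.split("\t")[-1])
    return commits


def suspicious_commits(log_text: str) -> List[Dict]:
    """Flag commits matching the IOC prefix or adding files in watched/hidden locations."""
    flagged = []
    for c in parse_git_log(log_text):
        reasons = ["IOC commit-message prefix"] if c["subject"].startswith(IOC_COMMIT_PREFIX) else []
        for path in c["added"]:
            parts = Path(path).parts
            if path.startswith(WATCHED_PREFIXES):
                reasons.append(f"adds watched path {path}")
            elif any(part.startswith(".") for part in parts[:-1]):
                reasons.append(f"adds file under hidden directory: {path}")
            elif HIDDEN_PAYLOAD_DIR in parts:
                reasons.append(f"adds {HIDDEN_PAYLOAD_DIR} payload path: {path}")
        if reasons:
            flagged.append({"hash": c["hash"], "subject": c["subject"], "reasons": reasons})
    return flagged


# Constructed samples of `pip freeze` and `git log --name-status --pretty=format:%H|%s` output.
SAMPLE_FREEZE = "numpy==2.2.1\npytorch_lightning==2.6.2\nlightning==2.6.1\ntorch==2.6.0\n"
SAMPLE_GIT_LOG = (
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0|EveryBoiWeBuildIsAWormyBoi: update config\n"
    "A\t.github/workflows/publish.yml\n"
    "A\tsrc/lightning/_runtime/loader.js\n"
    "\n"
    "1234567890abcdef1234567890abcdef12345678|Fix typo in docs\n"
    "M\tREADME.md\n"
    "\n"
    "fedcba9876543210fedcba9876543210fedcba98|Add editor tasks\n"
    "A\t.vscode/tasks.json\n"
)

if __name__ == "__main__":
    print("affected installs:", affected_installs(SAMPLE_FREEZE))
    print("hidden payload dirs:", demo_hidden_dir_scan())
    for c in suspicious_commits(SAMPLE_GIT_LOG):
        print(c["hash"][:12], c["subject"], "->", "; ".join(c["reasons"]))
```

Feed real data with `pip freeze | python triage.py` style piping or by pointing `find_hidden_runtime_dirs` at each environment's site-packages; a flagged commit is a starting point for review, not proof of compromise, but a commit that only adds a workflow file or a dotfolder and touches no application code is exactly the shape the advisory warns about.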
NIST Releases Concept Note for AI RMF Critical Infrastructure Profile
On April 7, 2026, NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, which will guide critical infrastructure operators towards specific risk management practices to consider when engaging AI-enabled capabilities. The profile represents NIST’s recognition that AI systems in critical infrastructure sectors—energy, healthcare, financial services, transportation, and communications—require specialized risk management guidance beyond the general AI RMF framework.
The concept note builds on NIST’s existing Generative AI Profile released in July 2024, but focuses specifically on the unique risk environment of critical infrastructure, where AI system failures can have cascading physical and societal consequences. Critical infrastructure operators face distinct challenges: regulatory requirements for safety and reliability, legacy system integration, adversarial threats from nation-state actors, and operational technology constraints that make rapid patching difficult or impossible.
The timing is significant. Organizations face mounting pressure as 65% now use generative AI on a regular basis, nearly double from the previous year, and critical infrastructure sectors have been among the earliest adopters of AI for predictive maintenance, anomaly detection, and operational optimization. The profile will provide sector-specific guidance on mapping AI risks to existing safety frameworks, measuring model reliability in operational environments, and managing AI-related incidents in environments where downtime carries physical consequences.
Under the EU AI Act, high-risk AI system obligations begin phased enforcement into 2026, and NIST AI RMF is widely used as a technical companion framework for AI Act compliance; the OECD, ISO/IEC JTC 1/SC 42, the G7 Code of Conduct, and the Council of Europe's AI Convention increasingly map to NIST AI RMF principles. The critical infrastructure profile will likely become a de facto standard for demonstrating AI governance in regulated sectors.
Organizations operating in critical infrastructure should begin preparing now by conducting AI system inventories, mapping existing safety management systems to NIST AI RMF functions, and identifying AI-specific risks that fall outside traditional operational risk frameworks. The profile will provide a structured approach, but early adopters who have already begun this mapping work will be positioned to implement the guidance more rapidly when it is finalized.
Framework & Standards Updates
MITRE ATLAS Expands to 84 Techniques Across 16 Tactics
As of February 2026 (v5.4.0), the MITRE ATLAS knowledge base contains 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations, and 42 case studies. That is up from 15 tactics and 66 techniques in October 2025: the November 2025 update (v5.1.0) added the sixteenth tactic, and releases through February 2026 added agentic AI techniques. The v5.4.0 update contributed further agent-focused techniques, including "Publish Poisoned AI Agent Tool" and "Escape to Host", reflecting a threat landscape in which AI systems gain autonomous capabilities and tool access.
ISO 42001 and NIST AI RMF Integration Guidance
Multiple organizations published practical guidance on integrating ISO 42001 (the certifiable AI management system standard) with NIST AI RMF. The NIST AI RMF maps directly to ISO 42001 requirements: NIST Govern → ISO 42001 leadership and policy, NIST Map → ISO 42001 risk assessment, NIST Measure → ISO 42001 performance evaluation, and NIST Manage → ISO 42001 risk treatment, allowing organizations to implement NIST AI RMF as the risk management methodology inside an ISO 42001 management system without duplicative effort.
Colorado AI Act Affirmative Defense Provisions
The Colorado AI Act explicitly provides an affirmative defense for organizations that can demonstrate compliance with NIST AI RMF or equivalent frameworks, stating “Discovering a violation as a result of monitoring, testing or an internal review and curing it, is an affirmative defense if the deployer or developer was in compliance with the latest version of NIST AI Risk Management Framework and ISO/IEC 42001 or any other national or international framework that is substantially similar”. This establishes NIST AI RMF compliance as a legal safe harbor for the first time in U.S. state-level AI regulation.
Vulnerability Watch
CVE-2026-22778: vLLM Video Processing RCE (CVSS 9.8)
Severity: Critical
Affected versions: vLLM 0.8.3 through 0.14.0
Fixed in: vLLM 0.14.1
Attack vector: Network, unauthenticated
Impact: Remote code execution, full server compromise
Covered in detail in Top Stories. Organizations running vLLM with video model support must upgrade immediately or disable video endpoints.
CVE-2026-27893: vLLM Trust Remote Code Bypass (CVSS 8.8)
A high-severity remote code execution vulnerability in vLLM, published on March 27, 2026 with a CVSS score of 8.8, affects versions 0.10.1 up to but not including 0.18.0. Two model implementation files hardcode trust_remote_code=True when loading sub-components, overriding the operator's explicit --trust-remote-code=False setting and forcing the engine to execute code shipped with an untrusted model repository. Patched in vLLM 0.18.0.
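The pattern behind this CVE is auditable: a call site that passes a literal `trust_remote_code=True` cannot honor the operator's opt-out, whatever the engine config says. The following Python AST scan, added here as an example (not vLLM project code), finds such call sites in any source tree; the two sample modules are constructed stand-ins, not the real affected files, and `scan_tree` can be pointed at an installed vllm package directory to check a deployment.

```python
"""Audit for the CVE-2026-27893 pattern: find call sites that pass a literal
trust_remote_code=True, which silently overrides an operator's --trust-remote-code=False.
Added as an example for this newsletter, not vLLM project code. The two sample modules
are constructed stand-ins, not the real affected files; run scan_tree() against an
installed vllm package directory to check a deployment."""
import ast
import tempfile
from pathlib import Path
from typing import List, Tuple

Hit = Tuple[str, int, str]   # (relative file path, line number, callee expression)


def hardcoded_trust_calls(source: str, filename: str = "<memory>") -> List[Hit]:
    """Return one Hit per call whose trust_remote_code keyword is the literal True.
    A variable or parameter passed through is fine; only a hardcoded True is flagged."""
    hits: List[Hit] = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant) and kw.value.value is True):
                hits.append((filename, node.lineno, ast.unparse(node.func)))
    return hits


def scan_tree(root: Path) -> List[Hit]:
    """Scan every .py file under root; unreadable or unparseable files are skipped."""
    hits: List[Hit] = []
    for path in sorted(root.rglob("*.py")):
        try:
            source = path.read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            continue
        try:
            hits.extend(hardcoded_trust_calls(source, path.relative_to(root).as_posix()))
        except SyntaxError:
            continue
    return hits


# Constructed sample modules (not the real vLLM files).
SAFE_MODULE = '''\
from transformers import AutoConfig

def load_config(model, trust_remote_code: bool):
    # Honors the caller's choice: the value comes from the engine config.
    return AutoConfig.from_pretrained(model, trust_remote_code=trust_remote_code)
'''

UNSAFE_MODULE = '''\
from transformers import AutoProcessor, AutoTokenizer

def load_subcomponents(model, trust_remote_code: bool):
    tok = AutoTokenizer.from_pretrained(model, trust_remote_code=trust_remote_code)
    # Hardcoded True: executes repository code even when the operator opted out.
    proc = AutoProcessor.from_pretrained(model, trust_remote_code=True)
    return tok, proc
'''


def demo_scan() -> List[Hit]:
    """Write both samples into a temp tree and scan it; returns the hardcoded-True hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "models").mkdir()
        (root / "models" / "safe.py").write_text(SAFE_MODULE, encoding="utf-8")
        (root / "models" / "unsafe.py").write_text(UNSAFE_MODULE, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for filename, lineno, callee in demo_scan():
        print(f"{filename}:{lineno}: {callee}(..., trust_remote_code=True)")
```

An AST scan beats a grep here because it ignores comments, docstrings and strings, and it distinguishes a literal `True` from a variable named `trust_remote_code` being passed through, which is the correct pattern.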
CVE-2026-32207: Azure Machine Learning XSS (CVSS High)
Improper neutralization of input during web page generation in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. Affects Azure Machine Learning notebook environments exposed to untrusted users. Microsoft patch released May 8, 2026.
PyTorch Lightning Supply Chain Compromise
Affected versions: PyTorch Lightning 2.6.2, 2.6.3
Date: April 30, 2026
Mitigated: Pin to version 2.6.1 or 2.6.4+
IOCs: Commit messages with “EveryBoiWeBuildIsAWormyBoi”, repos described as “A Mini Shai-Hulud has Appeared”
Covered in detail in Top Stories. Organizations should audit all environments where affected versions were installed and rotate credentials.
Industry Radar
Microsoft Announces MDASH Multi-Model Agentic Security System
Microsoft announced a major step forward in AI-powered cyber defense: a new multi-model agentic scanning harness (codenamed MDASH). The system discovered two critical pre-authentication RCE vulnerabilities in Windows (CVE-2026-33827 and CVE-2026-33824), both patched in April Patch Tuesday. The system achieved 96% recall on 28 MSRC cases spanning five years in clfs.sys and 100% recall on 7 MSRC cases in tcpip.sys, with the MSRC case database representing the ground truth for what real attackers exploited and what defenders had to react to.
OpenAI Launches Daybreak for AI-Powered Vulnerability Detection
OpenAI launched Daybreak, a new cybersecurity initiative that brings together frontier AI model capabilities and Codex Security to help organizations identify and patch vulnerabilities before attackers find them, combining the intelligence of OpenAI models, the extensibility of Codex as an agentic harness, and partners across the security flywheel. The announcement follows Anthropic’s Project Glasswing and represents the second major AI vendor to launch a defensive vulnerability discovery initiative using frontier models.
CrowdStrike 2026 Global Threat Report: 89% Rise in AI-Enabled Attacks
The CrowdStrike 2026 Global Threat Report recorded an 89% year-over-year rise in AI-enabled adversary activity, with 82% of detections malware-free. The shift toward fileless, AI-assisted attacks challenges traditional signature-based detection and underscores the need for behavioral analytics.
Kiteworks Report: 100% of Organizations Planning Agentic AI
The Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found that while 100% of organizations have agentic AI on the roadmap, 63% cannot enforce purpose limits on agents, and 60% cannot terminate one that misbehaves. This governance gap represents a critical risk as organizations deploy autonomous systems.
Policy Corner
EU AI Act Enforcement Begins August 2026
Under the EU AI Act, providers of general-purpose AI models have been subject to obligations since August 2, 2025; enforcement by the European Commission begins on August 2, 2026, and models already on the market before August 2, 2025 must comply by August 2, 2027. Organizations with EU operations should finalize conformity assessment processes now.
Colorado AI Act Creates NIST RMF Safe Harbor
The Colorado AI Act’s affirmative defense provision for NIST AI RMF compliance (covered in Framework Updates) establishes the first state-level legal incentive for framework adoption. Impact assessments are required by the effective date, then annually and within 90 days of modifications, with 3-year retention requirements.
State-Level AI Regulations Proliferate
A practical guide to state-level AI regulations taking effect in 2026 includes the Colorado AI Act, Texas TRAIGA, and California SB 53, requiring organizations operating across multiple states to build unified compliance strategies that map to multiple regulatory frameworks simultaneously.
Research Spotlight
Prompt Injection and Jailbreak Attacks in Large Language Model-Based Agents
Rizwan Tanveer, May 9, 2026
The paper argues that the agentic deployment context, which integrates retrieval, tool invocation, persistent memory, and the Model Context Protocol, has dramatically expanded the prompt-injection attack surface between 2023 and 2026. It examines direct and indirect injection techniques, retrieval-augmented generation poisoning, and Model Context Protocol vulnerabilities, and positions prompt injection as a problem requiring defence-in-depth across the input, retrieval, planning, tool execution, and output layers. It provides a comprehensive synthesis of the evolving threat landscape for AI agents.
Prompt Injection Attacks in Large Language Models and AI Agent Systems: A Comprehensive Review
Published January 7, 2026, Information
This review synthesizes research from 2023 to 2025, analyzing 45 key sources, industry security reports, and documented real-world exploits. It lays out a taxonomy of prompt injection techniques, including direct jailbreaking and indirect injection through external content, and argues that AI agent systems and the Model Context Protocol have dramatically expanded attack surfaces, introducing vulnerabilities such as tool poisoning and credential theft.
Analysis of LLMs Against Prompt Injection and Jailbreak Attacks
February 24, 2026, arXiv
The authors find that a zero-vulnerability score does not imply transparency or usability: silent nonresponsiveness is a hidden failure mode that can degrade user trust and system debuggability. They also find that safety robustness is non-monotonic in model size, suggesting that alignment strategy, safety layering, and refusal design matter more than scale. The evaluation covered multiple open-source LLMs, including Phi, Mistral, DeepSeek-R1, Llama 3.2, Qwen, and Gemma variants.
A Survey on Adversarial Machine Learning: Attacks, Defenses, Real-World Applications
Neurocomputing, January 9, 2026
A comprehensive overview of adversarial machine learning synthesizing a broad body of research, presenting a systematic taxonomy of adversarial threats spanning the ML lifecycle, including training-time attacks such as data poisoning and backdoor insertion, as well as inference-time attacks such as evasion, model extraction, and privacy leakage. The survey addresses the full attack surface across training and inference phases.
Query-Efficient Decision-Based Adversarial Attack with Low Query Budget
Tuo et al., Scientific Reports, February 2, 2026
Existing decision-based attacks require thousands of queries to generate good quality adversarial examples, and this paper presents a novel decision-based attack one plane one query attack (OPOQA), which generates more candidate examples in each iteration for random exploration of the decision boundary, significantly improving query efficiency for black-box adversarial attacks.
What This Means For You
Patch vLLM deployments immediately if serving video models. CVE-2026-22778 is a critical, pre-authentication threat to organizations running vulnerable vLLM versions with multimodal capabilities. The exploit chain has been described publicly, requires no authentication, and enables full server compromise. If you cannot patch to 0.14.1 immediately, disable video endpoints, put vLLM behind a reverse proxy that enforces authentication before requests reach the engine (the engine's own API key check is not sufficient, because the vulnerable route is reached before it is validated), and restrict network access. This is not a "patch when convenient" vulnerability: it is a "patch or disconnect" situation.
Audit your ML supply chain for the PyTorch Lightning compromise. If your organization installed pytorch-lightning between April 30 and May 1, 2026, assume credential exposure and rotate all secrets accessible from those environments. The obfuscated payload executed on import, meaning simply installing the package was sufficient for compromise. Review CI/CD pipelines for injected workflows that may persist beyond package removal, and establish monitoring for the IOC patterns identified by Semgrep.
Treat NIST AI RMF alignment as a legal asset, not merely a best practice. The Colorado AI Act's affirmative defense provision changes the compliance calculus: organizations that can demonstrate NIST AI RMF or ISO/IEC 42001 compliance gain legal protection against certain AI-related violations. With EU AI Act enforcement beginning August 2026 and state-level regulations proliferating, framework adoption is becoming table stakes. Start with a gap analysis against the NIST AI RMF Core's 72 subcategories and prioritize the Govern function, which is where most organizations have the largest gaps.
Recognize that prompt injection is not solved and may not be solvable at the LLM layer. This week’s research confirms what practitioners already know: prompt injection remains the top threat in OWASP’s LLM Top 10, and agentic systems with tool access have expanded the attack surface beyond what prompt-level defenses can address. Defense requires depth: input validation, retrieval sanitization, tool execution sandboxing, output filtering, and continuous monitoring. Organizations deploying AI agents must architect for compromise rather than assuming safety guardrails will hold.
Prepare for the shift from malware-based to AI-enabled, fileless attacks. CrowdStrike’s finding that 82% of detections are now malware-free represents a fundamental change in the threat landscape. Traditional endpoint detection focused on static indicators is increasingly blind to AI-assisted attacks that leverage legitimate tools, social engineering, and credential abuse. Security architectures must shift toward behavioral analytics, identity-based controls, and data-layer monitoring—the areas where AI-enabled attacks remain visible even when traditional signatures fail.
Tools and Resources
MITRE ATLAS Navigator — Interactive matrix visualization for exploring AI attack techniques and mitigations. Updated to v5.4.0 with 84 techniques across 16 tactics. Essential for threat modeling AI systems.
NIST AI RMF Playbook — Practical implementation guidance for the AI Risk Management Framework. The Trustworthy and Responsible AI Resource Center includes use cases, crosswalks to ISO 42001, and sector-specific guidance.
vLLM Security Advisories — Official repository of vLLM vulnerabilities. Organizations running vLLM should subscribe to notifications. Current list includes CVE-2026-22778, CVE-2026-27893, and multiple SSRF vulnerabilities.
OWASP LLM Top 10 (2025) — Updated risk framework for LLM applications. Prompt injection remains LLM01, with expanded guidance on indirect injection and agentic systems.
Giskard RAG Testing Framework — Open-source tool for evaluating retrieval-augmented generation security, including vector database poisoning detection and RAG-specific attack patterns.