As of April 2026, the landscape of open-source AI vulnerabilities is dominated by critical Remote Code Execution (RCE) flaws in agentic frameworks, inference servers, and developer tools. The rapid exploitation of these vulnerabilities—often within hours of disclosure—has made supply chain and orchestration security a top concern.
Source: Cloud Security Alliance (CSA) and one other
Here are the top CVEs and security incidents in open-source AI from early 2026:
1. Marimo Notebook Unauthenticated RCE (CVE-2026-39987)
- Status: Critical (CVSS 9.3)
- Details: Disclosed April 8, 2026, this flaw in the Marimo reactive Python notebook allowed unauthenticated attackers to gain a full interactive shell (root) via the terminal WebSocket (/terminal/ws) in one request.
- Impact: Exploitation was observed within 10 hours, with attackers targeting cloud provider credentials and LLM API keys stored in environment files.
Source: Cloud Security Alliance (CSA)
2. SGLang RCE via GGUF Models (CVE-2026-5760)
- Status: Critical (CVSS 9.8)
- Details: Disclosed April 20, 2026, this vulnerability in the SGLang high-performance serving framework allows RCE through specially crafted GGUF model files via the /v1/rerank endpoint.
Source: The Hacker News
3. Langflow Unauthenticated RCE (CVE-2026-33017)
- Status: Critical (CVSS 9.8)
- Details: Reported in late March/early April 2026, this flaw enabled attackers to inject Python code through the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, affecting versions prior to 1.9.0.
- Impact: Actively exploited within 20 hours to harvest .env files and API keys.
Source: Greenbone
4. MetaGPT SSRF and RCE Vulnerabilities
- CVE-2026-6111: High-severity Server-Side Request Forgery (SSRF) in the decode_image function, allowing attackers to probe internal networks.
- CVE-2026-6110 / CVE-2026-5974: Multiple RCE vulnerabilities via command injection and code execution in the multi-agent framework.
Source: SentinelOne
5. MaxKB AI Assistant RCEs (CVE-2026-39417/39424)
- Status: Critical
- Details: Multiple RCE vulnerabilities (CVE-2026-39417, CVE-2026-39424) affecting MaxKB (versions 2.7.1 and below) were disclosed in April 2026. These allowed formula injection and MCP node exploitation, bypassing previous security fixes.
Source: SentinelOne and one other
6. Flowise RCE (CVE-2025-59528)
- Status: Critical
- Details: While disclosed in 2025, this CVE remained a major threat in April 2026, with reports of active exploitation of node code injection flaws in the popular drag-and-drop LLM orchestrator.
Source: OWASP Gen AI Security Project and one other
7. LiteLLM Supply Chain Breach (March-April 2026)
- Details: A supply-chain compromise affecting LiteLLM updates impacted AI data operations, raising fears of proprietary training-data exposure. It was linked to a breach at a major AI data vendor.
Source: OWASP Gen AI Security Project
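As an added defender-side example, not code from any of the cited reports or projects, the script below triages web-server access-log lines against the three endpoints named in entries 1 to 3 above. The CVE ids and request paths come from the summary; the combined-log-format parser, the `trusted_clients` filter, and the sample log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Endpoints named in the advisories summarised above. The CVE ids and paths are
# taken from the summary; the regular expressions around them are an assumption.
WATCHLIST = [
    ("CVE-2026-39987", "Marimo",   re.compile(r"^GET /terminal/ws(\?|$)")),
    ("CVE-2026-5760",  "SGLang",   re.compile(r"^POST /v1/rerank(\?|$)")),
    ("CVE-2026-33017", "Langflow",
     re.compile(r"^POST /api/v1/build_public_tmp/[^/\s]+/flow(\?|$)")),
]

# Assumed combined log format: client ident user [timestamp] "METHOD PATH HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    client: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_requests(lines, trusted_clients=frozenset()):
    """Return one Finding per request that hits a watch-listed endpoint.

    Requests from clients in trusted_clients are skipped so that known
    internal users of these endpoints do not drown out unexpected callers.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["client"] in trusted_clients:
            continue
        request = f"{rec['method']} {rec['path']}"
        for cve, product, pattern in WATCHLIST:
            if pattern.match(request):
                findings.append(Finding(cve, product, rec["client"],
                                        rec["method"], rec["path"],
                                        int(rec["status"])))
    return findings


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:03:12:44 +0000] "GET /terminal/ws HTTP/1.1" 101 0',
    '198.51.100.9 - - [21/Apr/2026:03:13:01 +0000] "POST /v1/rerank HTTP/1.1" 200 512',
    '198.51.100.9 - - [21/Apr/2026:03:13:20 +0000] "POST /api/v1/build_public_tmp/abc123/flow HTTP/1.1" 200 88',
    '10.0.0.5 - - [21/Apr/2026:03:14:02 +0000] "GET /api/v1/flows HTTP/1.1" 200 1200',
    '10.0.0.5 - - [21/Apr/2026:03:14:10 +0000] "GET /terminal/wsdl HTTP/1.1" 404 0',
    'not an access log line',
]

if __name__ == "__main__":
    for f in flag_requests(SAMPLE_LOG):
        print(f"{f.cve} ({f.product}): {f.client} {f.method} {f.path} -> {f.status}")
```

A hit on `/v1/rerank` or the Langflow build endpoint is not by itself evidence of exploitation, since both are legitimate API routes; the value of the watchlist is in surfacing callers outside the expected set (hence the `trusted_clients` filter) and, for Marimo, any successful `101` WebSocket upgrade to the terminal endpoint from a client that should not have shell access. The `(\?|$)` anchor avoids matching unrelated paths that merely share a prefix, as the `/terminal/wsdl` sample line shows.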
Key Trends (April 2026)
- “Root in One Request”: Many vulnerabilities now allow unauthenticated, instant RCE, such as the Marimo case.
- Collapse of Patch Windows: Attackers are analyzing advisories and developing exploits within 10–24 hours, often before public proof-of-concept code exists.
- Focus on AI Developer Tools: Security tools like Trivy (CVE-2026-33634) and developer environments (Marimo, Langflow) are being targeted to steal credentials and compromise systems further upstream.
- Agentic Framework Vulnerabilities: OpenClaw and CrewAI have seen multiple vulnerabilities that allow attackers to chain prompt injections into RCE and SSRF.
Source: Adversa AI and 4 others
Note: The results are based on an analysis of AI security reports and CVE databases up to April 24, 2026.
