<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>InfoQ - Security Vulnerabilities</title>
    <link>https://www.infoq.com</link>
    <description>InfoQ Security Vulnerabilities feed</description>
    <item>
      <title>BadHost Vulnerability Exposes AI Agents, Evaluators, and LLM Gateways</title>
      <link>https://www.infoq.com/news/2026/06/badhost-ai-systems-vulnerability/?utm_campaign=infoq_content&amp;utm_source=infoq&amp;utm_medium=feed&amp;utm_term=Security+Vulnerabilities</link>
      <description>&lt;img src="https://res.infoq.com/news/2026/06/badhost-ai-systems-vulnerability/en/headerimage/badhost-ai-vulnerability-1780322270507.jpeg"/&gt;&lt;p&gt;BadHost is a high-severity authentication bypass vulnerability in the widely used Python web framework Starlette, with 325 million weekly downloads. The flaw allows attackers to use malformed HTTP Host headers to bypass path-based access controls and access sensitive AI agent infrastructure, among other systems.&lt;/p&gt; &lt;i&gt;By Sergio De Simone&lt;/i&gt;</description>
      <category>Open Source</category>
      <category>Python</category>
      <category>Security Vulnerabilities</category>
      <category>Agents</category>
      <category>AI, ML &amp; Data Engineering</category>
      <category>DevOps</category>
      <category>Development</category>
      <category>news</category>
      <pubDate>Mon, 01 Jun 2026 14:00:00 GMT</pubDate>
      <guid>https://www.infoq.com/news/2026/06/badhost-ai-systems-vulnerability/?utm_campaign=infoq_content&amp;utm_source=infoq&amp;utm_medium=feed&amp;utm_term=Security+Vulnerabilities</guid>
      <dc:creator>Sergio De Simone</dc:creator>
      <dc:date>2026-06-01T14:00:00Z</dc:date>
      <dc:identifier>/news/2026/06/badhost-ai-systems-vulnerability/en</dc:identifier>
    </item>
    <item>
      <title>A Trailing Slash Bypassed AWS API Gateway Authorization</title>
      <link>https://www.infoq.com/news/2026/06/aws-api-gateway-auth-bypass/?utm_campaign=infoq_content&amp;utm_source=infoq&amp;utm_medium=feed&amp;utm_term=Security+Vulnerabilities</link>
      <description>&lt;img src="https://res.infoq.com/news/2026/06/aws-api-gateway-auth-bypass/en/headerimage/generatedHeaderImage-1779890404425.jpg"/&gt;&lt;p&gt;A security researcher found that adding a trailing slash to AWS HTTP API paths bypassed Lambda authorizer authentication entirely, enabling unauthenticated wire transfers at a fintech. The root cause is a path normalization mismatch between HTTP API's greedy route matching and its authorization layer. The same vulnerability class appeared in gRPC-Go via CVE-2026-33186.&lt;/p&gt; &lt;i&gt;By Steef-Jan Wiggers&lt;/i&gt;</description>
      <category>Cloud</category>
      <category>Application Security</category>
      <category>API Gateway</category>
      <category>AWS Lambda</category>
      <category>AWS</category>
      <category>Security Vulnerabilities</category>
      <category>DevOps</category>
      <category>Development</category>
      <category>Architecture &amp; Design</category>
      <category>news</category>
      <pubDate>Mon, 01 Jun 2026 09:55:00 GMT</pubDate>
      <guid>https://www.infoq.com/news/2026/06/aws-api-gateway-auth-bypass/?utm_campaign=infoq_content&amp;utm_source=infoq&amp;utm_medium=feed&amp;utm_term=Security+Vulnerabilities</guid>
      <dc:creator>Steef-Jan Wiggers</dc:creator>
      <dc:date>2026-06-01T09:55:00Z</dc:date>
      <dc:identifier>/news/2026/06/aws-api-gateway-auth-bypass/en</dc:identifier>
    </item>
    <item>
      <title>Arm Open-Sources Metis, an AI Security Framework Outperforming Traditional SAST Tools</title>
      <link>https://www.infoq.com/news/2026/05/arm-metis-agentic-security/?utm_campaign=infoq_content&amp;utm_source=infoq&amp;utm_medium=feed&amp;utm_term=Security+Vulnerabilities</link>
      <description>&lt;img src="https://res.infoq.com/news/2026/05/arm-metis-agentic-security/en/headerimage/arm-metis-1780165811953.jpeg"/&gt;&lt;p&gt;Arm has open-sourced Metis, an agentic AI security framework designed to autonomously uncover complex software vulnerabilities. Unlike traditional pattern-based tools, Metis applies semantic reasoning to analyze cross-component dependencies and provides clear, natural language explanations for its findings.&lt;/p&gt; &lt;i&gt;By Sergio De Simone&lt;/i&gt;</description>
      <category>Open Source</category>
      <category>Static Analysis</category>
      <category>Large language models</category>
      <category>ARM</category>
      <category>Security</category>
      <category>Security Vulnerabilities</category>
      <category>Agents</category>
      <category>AI, ML &amp; Data Engineering</category>
      <category>DevOps</category>
      <category>Development</category>
      <category>news</category>
      <pubDate>Sat, 30 May 2026 19:00:00 GMT</pubDate>
      <guid>https://www.infoq.com/news/2026/05/arm-metis-agentic-security/?utm_campaign=infoq_content&amp;utm_source=infoq&amp;utm_medium=feed&amp;utm_term=Security+Vulnerabilities</guid>
      <dc:creator>Sergio De Simone</dc:creator>
      <dc:date>2026-05-30T19:00:00Z</dc:date>
      <dc:identifier>/news/2026/05/arm-metis-agentic-security/en</dc:identifier>
    </item>
  </channel>
</rss>
