Security Roundup Feb 10–16 2026: AI Infrastructure Under Fire, Cloud Misconfigs & $4.3M in Bug Bounties
February 10–16 was the week AI infrastructure became the primary target for attackers, and bug hunters took notice. Two CVSS 9+ vulnerabilities dropped in rapid succession — one in a widely-used LLM serving framework, one in a popular workflow automation platform — while a real-world AWS breach demonstrated just how fast a misconfigured cloud account can be stripped bare.
Microsoft patched 61 vulnerabilities, HackerOne paid out $4.3M in a single Live Hacking Event, and Bugcrowd launched AI-assisted triage to help security teams keep pace with disclosure volume. Here's everything that matters, with what you should do about it.
🚨 Breaking News Recap: Two Critical CVEs in 72 Hours
CVE-2026-22778 — vLLM Remote Code Execution (CVSS 9.8)
On Tuesday February 10, Orca Security disclosed a critical unauthenticated RCE in vLLM, the most widely deployed framework for serving large language models. CVSS score: 9.8. No authentication, no user interaction, no privileges required.
The two-stage exploit chain is elegant and sobering: a malformed image upload triggers a PIL error message that leaks heap memory addresses (ASLR bypass), then a crafted JPEG2000 video triggers an integer-overflow heap corruption that pivots into code execution. Any internet-exposed vLLM instance running a version below 0.14.1 can be fully compromised in two HTTP requests.
Why it matters for bug hunters: Thousands of AI startups, research labs, and enterprise teams deployed vLLM servers throughout 2025 with default (unauthenticated) configurations. This is exactly the kind of discovery that yields five-figure bounties when found responsibly on in-scope AI infrastructure. Version fingerprinting alone — without triggering the exploit — is sufficient for a credible bug report.
CVE-2026-25049 — n8n: Six CVEs in 48 Hours (CVSS 9.4)
On Wednesday February 11, the n8n workflow automation platform disclosed six vulnerabilities simultaneously, the most severe being CVE-2026-25049 (CVSS 9.4): a type-confusion sandbox escape enabling remote code execution. The full list:
- CVE-2026-25049 (CVSS 9.4) — Type-confusion JavaScript sandbox escape → RCE
- CVE-2026-25051 (CVSS 8.5) — XSS in webhook responses
- CVE-2026-25052 (CVSS 9.4) — Arbitrary file read via TOCTOU race condition
- CVE-2026-25053–25055 — Command injection, authentication bypass, path traversal
Root cause across all six: insufficient permission checks on internal APIs. Upwind's disclosure notes that the n8n self-hosted market has expanded rapidly as teams automate with AI agents — the same growth pattern as vLLM. Fix: upgrade to 1.123.17+ or 2.5.2+.
☁️ Cloud & Serverless: The Invisible Attack Surface
CVE-2026-21532 — Azure Functions Information Disclosure (CVSS 8.5)
Disclosed February 5 as part of Microsoft's pre-Patch-Tuesday advisories, CVE-2026-21532 allows unauthenticated remote access to secrets, configuration files, and environment variables stored within Azure Functions deployments. Attack vector: network, low complexity, no privileges. Root cause: CWE-200 (Improper Exposure of Sensitive Information).
Microsoft classifies this as "fully mitigated" on their end — meaning the platform fix has been applied — but strongly recommends:
- Integrate Functions with Azure Virtual Networks or private endpoints
- Enable IP restrictions and Azure AD authentication at the function-app level
- Audit environment variables for secrets (use Azure Key Vault references instead)
- Monitor HTTP access logs for anomalous enumeration patterns
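One way to carry out the environment-variable audit recommended above, as an added example that is not Microsoft's tooling or part of the original advisory: it skips settings that already use a Key Vault reference and flags values that look like inline secrets. The setting names, sample values and the entropy threshold are constructed assumptions.

```python
"""Audit Function App settings for inline secrets (illustrative heuristics)."""
import math
import re

# App settings resolved from Key Vault at runtime use this reference syntax.
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(.+\)$")
SECRET_NAME = re.compile(r"(secret|password|passwd|token|api[_-]?key)", re.I)
CONN_STRING = re.compile(r"(AccountKey|SharedAccessKey|Password)=[^;]+", re.I)


def entropy(value):
    """Shannon entropy in bits per character."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def audit_settings(settings):
    """Return {setting_name: reason} for values that look like inline secrets."""
    findings = {}
    for name, value in settings.items():
        if not value or KEYVAULT_REF.match(value):
            continue  # empty, or already a Key Vault reference
        if CONN_STRING.search(value):
            findings[name] = "connection string with embedded key"
        elif SECRET_NAME.search(name):
            findings[name] = "secret-like name with inline value"
        elif len(value) >= 24 and entropy(value) >= 4.0:  # assumed threshold
            findings[name] = "high-entropy value"
    return findings


# Constructed sample settings; none of these values are real credentials.
SAMPLE = {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=demo;"
                           "AccountKey=Zm9vYmFyYmF6cXV4;EndpointSuffix=core.windows.net",
    "PAYMENT_API_KEY": "constructed-not-a-real-key",
    "DB_PASSWORD": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/db-password/)",
    "SESSION_SIGNER": "q7Lz2XvB9mKd4RtY8wPc1NhG5sJa",
}

if __name__ == "__main__":
    for setting, reason in audit_settings(SAMPLE).items():
        print(f"{setting}: {reason}")
```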
Bug hunter angle: Any API that exposes environment variables is a credential-harvest goldmine. When testing Azure-hosted targets, probe function app metadata endpoints and look for error responses that echo back config data. This is especially common in teams that lifted-and-shifted from on-premises environments where env-vars were considered "safe."
Microsoft Patch Tuesday — 61 Vulnerabilities (February 10)
The February 2026 Patch Tuesday patched 61 CVEs across the Microsoft portfolio. Highlights relevant to security researchers:
- CVE-2026-24300 — Azure Front Door elevation of privilege (fully mitigated)
- CVE-2026-21522 — Azure Compute Gallery command injection (ACI Confidential Containers)
- CVE-2026-23655 — Azure ACI information disclosure (secret tokens and API keys exposed)
- GitHub Copilot / VS Code / Visual Studio / JetBrains — RCE via command injection in AI prompt processing, exposing API keys
- CVE-2026-0488 — SAP CRM code injection (CVSS 9.9) — notable severity even outside the Azure ecosystem
The GitHub Copilot / IDE RCEs deserve special attention: they represent a new class of attack where malicious content in AI prompts or code suggestions triggers command execution in the developer's local environment. Responsible disclosure opportunities here are underexplored.
Real-World AWS AI-Assisted Cloud Breach (February 4)
Security researchers detailed a post-incident analysis of a cloud breach that unfolded in under 10 minutes. Attack path:
- Attacker discovers IAM credentials leaked into a public S3 bucket
- Credentials used to list and read additional S3 objects, exposing Lambda function source code
- Lambda code injected with privilege escalation payload → admin access to 19 AWS principals
- Bedrock API (Claude, Llama models) abused to burn GPU quotas; Secrets Manager and SSM parameters exfiltrated
Forensic analysis identified Serbian-language comments in the payload and LLM-characteristic code patterns, suggesting AI-assisted attack tooling. The breach exploited zero AWS service vulnerabilities — every step used misconfiguration and leaked credentials.
Defensive checklist:
- Run S3 bucket access analyzer monthly — assume any public bucket is already read
- Store secrets in Secrets Manager or SSM, never in code or environment variables
- Apply least-privilege IAM: Lambda execution roles need only the permissions they use
- Enable AWS GuardDuty — the Bedrock API abuse would have triggered anomaly detection
- Rotate credentials on any access pattern change, not just on breaches
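The attack path above touches S3, Lambda, Secrets Manager/SSM and Bedrock from one set of credentials within minutes, which is a pattern a simple correlation over CloudTrail records can surface. The following is an added example, not GuardDuty's logic and not from the original analysis; the three-stage threshold, the key IDs and the sample records are constructed assumptions.

```python
"""Correlate CloudTrail-style records: one access key, several breach stages, ten minutes."""
from datetime import datetime, timedelta

# (eventSource, eventName) -> stage of the attack path listed above
STAGES = {
    ("s3.amazonaws.com", "GetObject"): "s3-read",  # needs S3 data events enabled
    ("lambda.amazonaws.com", "UpdateFunctionCode20150331v2"): "lambda-code-change",
    ("bedrock.amazonaws.com", "InvokeModel"): "bedrock-invoke",
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "secret-read",
    ("ssm.amazonaws.com", "GetParameter"): "secret-read",
}
WINDOW = timedelta(minutes=10)
MIN_STAGES = 3  # assumption: three distinct stages from one key warrants an alert


def find_bursts(records):
    """Return {accessKeyId: sorted stages} for keys reaching MIN_STAGES within WINDOW."""
    by_key = {}
    for rec in records:
        stage = STAGES.get((rec["eventSource"], rec["eventName"]))
        if stage:
            when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key.setdefault(rec["userIdentity"]["accessKeyId"], []).append((when, stage))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        for start, _ in events:
            seen = {s for t, s in events if start <= t <= start + WINDOW}
            if len(seen) >= MIN_STAGES:
                alerts[key] = sorted(seen)
                break
    return alerts


def _rec(time, service, name, key):
    return {"eventTime": time, "eventSource": service + ".amazonaws.com",
            "eventName": name, "userIdentity": {"accessKeyId": key}}


LEAKED, DEPLOY = "AKIAEXAMPLELEAKED", "AKIAEXAMPLEDEPLOY"  # constructed key ids
SAMPLE = [  # constructed records, not real log data
    _rec("2026-02-04T09:00:05Z", "s3", "GetObject", LEAKED),
    _rec("2026-02-04T09:03:40Z", "lambda", "UpdateFunctionCode20150331v2", LEAKED),
    _rec("2026-02-04T09:07:12Z", "secretsmanager", "GetSecretValue", LEAKED),
    _rec("2026-02-04T09:08:30Z", "bedrock", "InvokeModel", LEAKED),
    # the same stages spread over a working day by a deploy pipeline: no alert
    _rec("2026-02-04T08:00:00Z", "s3", "GetObject", DEPLOY),
    _rec("2026-02-04T11:30:00Z", "lambda", "UpdateFunctionCode20150331v2", DEPLOY),
    _rec("2026-02-04T15:00:00Z", "ssm", "GetParameter", DEPLOY),
]
```

Calling `find_bursts(SAMPLE)` alerts only on the key that reached four stages in under nine minutes; the pipeline key performing the same calls hours apart stays quiet.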
🔧 Framework & Platform CVEs Worth Testing
CVE-2025-14550 — Django ASGI Denial-of-Service
Disclosed February 3 and patched in Django 6.0.2, 5.2.11, and 4.2.28, this moderate-severity DoS affects the ASGIRequest handler. Sending a request with many duplicate headers triggers quadratic CPU usage through repeated string concatenation — a classic algorithmic complexity attack (ReDoS cousin).
Discovered by Jiyong Yang and reported via HackerOne. The fix replaces the naive concatenation with an efficient multi-value header structure. Testing approach: Send 200+ duplicate X-Forwarded-For or custom headers; measure response time degradation. Anything scaling super-linearly is worth reporting.
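A simplified model of the cost difference described above, as an added example that is not Django's code: it merges duplicate headers once by repeated concatenation and once by collecting values and joining a single time, counting characters copied rather than measuring wall-clock time. The function names and the sample header value are constructed for illustration.

```python
"""Model of duplicate-header merging cost (illustrative; not Django's implementation)."""


def merge_by_concat(headers):
    """Merge duplicates by rebuilding the joined string on every repeat.

    Returns (merged, chars_copied). Each repeat copies the whole value
    accumulated so far, so the work grows quadratically with the repeats.
    """
    merged, copied = {}, 0
    for name, value in headers:
        key = name.lower()
        if key in merged:
            merged[key] = merged[key] + "," + value  # new string every time
            copied += len(merged[key])
        else:
            merged[key] = value
            copied += len(value)
    return merged, copied


def merge_by_list(headers):
    """Collect values per header and join once; work grows linearly."""
    buckets, copied = {}, 0
    for name, value in headers:
        buckets.setdefault(name.lower(), []).append(value)
    merged = {}
    for key, values in buckets.items():
        merged[key] = ",".join(values)
        copied += len(merged[key])
    return merged, copied


def cost_ratio(n, value="203.0.113.7"):
    """Characters copied by the concat strategy divided by the list strategy."""
    headers = [("X-Forwarded-For", value)] * n  # constructed sample input
    slow, slow_cost = merge_by_concat(headers)
    fast, fast_cost = merge_by_list(headers)
    assert slow == fast  # both strategies produce the same merged header
    return slow_cost / fast_cost


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(f"{n:>5} duplicate headers: concat copies {cost_ratio(n):.1f}x more")
```

The ratio grows roughly as n/2, which is the super-linear scaling a load test against an unpatched handler would show as response-time degradation.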
CVE-2026-1504 — Chrome Background Fetch API Cross-Origin Data Leak
Google patched this in Chrome 144.0.7559.110. The Background Fetch API could be abused to bypass same-origin policy restrictions, leaking cross-origin response data to the initiating site. Relevant for bug hunters targeting browser-based web apps: check if targets use Background Fetch for any caching or prefetch logic.
SAP Commerce Cloud API Exposure (CVE-2026-24321)
Low confidentiality-impact but high practical risk: unauthenticated access to multiple SAP Commerce Cloud API endpoints exposed private personal information not intended for frontend consumption. Root cause: CWE-359 (Exposure of Private Personal Information to Unauthorized Actor). Classic API surface area failure — enumerate undocumented endpoints and probe for missing auth headers.
Chainlit AI Framework — Cloud Credential Theft
Two CVEs in the Chainlit AI framework (previously detailed in our ChainLeak analysis) continued to generate impact this week as new deployments were identified. CVE-2026-22218 (arbitrary file read) chains with CVE-2026-22219 (SSRF to AWS IMDS) to yield full AWS credential extraction in under two minutes on unpatched instances.
💰 Bug Bounty Landscape: Platform Updates & Key Disclosures
HackerOne: $4.3M Paid in Live Hacking Events
HackerOne announced $4.3M in bounties paid through their Live Hacking Events program in February 2026 — the highest single-month total to date. Live Hacking Events give top-tier researchers access to in-scope assets during a concentrated window, with companies paying premium rates for time-critical findings.
Separately, a concerning internal incident: a HackerOne employee was caught stealing vulnerability reports — reading private disclosures and submitting duplicate claims for personal bounty payouts. HackerOne confirmed the incident, terminated the employee, and stated all affected programs were notified. This is a reminder that your private reports are visible to more people than just the program team.
Platform Updates
- Bugcrowd: Launched "Security Inbox" — AI-assisted triage that pre-classifies incoming reports by severity, de-duplicates submissions, and surfaces signal from noise. Expect faster response times on managed programs going forward.
- Chime: Running double P1 bounties through end of February. Focus areas: authentication failures and access control issues. Strong time-to-payout reputation — worth targeting if auth/authz is your specialty.
- Vercel: Launched a new OSS bug bounty program on HackerOne covering the Next.js ecosystem. Cloud hosting platforms with massive OSS install bases are high-value targets — React/Next.js supply-chain bugs often affect millions of downstream deployments.
Notable Disclosures This Week
- Django user enumeration via timing attack in mod_wsgi (HackerOne, stackered)
- GoCD information disclosure via Logback injection (aigirl)
- curl MQTT packet injection (pajarori)
- Nextcloud WebAuthn public key validation issue (se1en)
- LinkedIn comment permission bypass + premium feature access control failure (two separate reports, both paid)
The LinkedIn pair is interesting: two distinct reporters found related access control issues in the same week, suggesting their API authorization layer was in a state of flux. When one BOLA/IDOR surfaces on a target, probe adjacent API endpoints immediately — the root cause is usually systematic, not isolated.
📈 Trends: Five Patterns Defining 2026
Looking across this week's findings, five attack patterns keep surfacing:
- AI infrastructure as primary attack surface. vLLM, Chainlit, GitHub Copilot, AWS Bedrock abuse — every major disclosure this week touched AI tooling. Teams deploying LLM infrastructure are skipping the security basics: authentication, network segmentation, least-privilege access.
- Cloud credentials exposed in code. The AWS breach, Azure Functions CVE, and Chainlit SSRF all hinge on secrets ending up where they shouldn't. Secrets management is still failing at scale despite years of tooling improvement.
- Insufficient permission checks on internal APIs. n8n's six CVEs, SAP Commerce, and Azure Compute Gallery all share the same root cause: internal API routes trusted by default, bypassed by external callers. Test every API endpoint you can discover, not just the documented ones.
- Serverless blind spots. Azure Functions, AWS Lambda, ACI containers — serverless architectures abstract away the server but not the vulnerabilities. They introduce new failure modes: environment variable exposure, IAM role misconfiguration, and cold-start injection windows.
- AI-assisted attacks accelerating. The AWS breach (10 minutes from cred discovery to 19 principals compromised) used what forensics identified as AI-assisted tooling. Attack automation is outpacing human-speed detection. GuardDuty, Defender for Cloud, and equivalent monitoring are no longer optional.
🛠️ Essential Tools This Week
If this week's findings motivate you to level up, these are the tools worth the investment:
🔧 Burp Suite Professional
The industry standard for web application and API security testing. This week's n8n disclosures (XSS, path traversal, auth bypass) and the Azure Functions enumeration are exactly the class of bugs Burp Suite's Repeater, Intruder, and Scanner are built to surface. Essential for anyone hunting API authorization failures.
Best for: API testing, BOLA/IDOR hunting, request tampering, authentication bypass testing.
🔑 YubiKey 5 NFC — Hardware Security Key
The HackerOne employee credential abuse incident this week is a direct reminder: bug bounty accounts contain high-value private vulnerability data. Hardware MFA eliminates credential-stuffing and phishing as attack vectors against your own accounts. FIDO2/U2F support, phishing-resistant by design.
Best for: Securing HackerOne/Bugcrowd accounts, GitHub, AWS console, and any platform holding sensitive security research.
📡 Alfa AWUS036ACH — Dual-Band USB WiFi Adapter
Monitor mode and packet injection on 2.4GHz and 5GHz out of the box on Kali Linux. This week's GitHub Copilot RCEs and Chrome SOP bypass highlight that developer environments are increasingly in scope for modern bug bounty programs. A reliable wireless adapter is foundational for network-layer research.
Best for: Kali Linux wireless testing, home lab WPA2 research, network-layer recon.
🥧 Raspberry Pi 4 Model B (8GB)
A cheap, low-power Linux box to replicate vulnerable environments. This week: spin up vLLM 0.13.0 or n8n 1.123.16 locally to study the patch diffs without touching production systems. 8GB RAM handles most containers comfortably, and the form factor fits in a lab drawer.
Best for: Local vulnerable-environment lab, CTF challenges, network monitoring appliance, lightweight scanning platform.
🐬 Flipper Zero — Multi-Protocol Security Testing Device
RFID/NFC emulation, Sub-GHz transceiver, infrared, BadUSB keystroke injection — one device, open-source firmware. Physical security testing is increasingly in scope as enterprise bug bounty programs expand beyond web/API. The Flipper Zero is the fastest way to start exploring hardware attack surfaces.
Best for: Physical security research, NFC/RFID badge testing, BadUSB demonstrations, IR device testing.
📚 Books to Go Deeper
The CVE classes covered this week map directly to these titles. If any section of this roundup surfaced a gap in your knowledge, these are the books that fill it:
📖 The Web Application Hacker's Handbook, 2nd Edition
The canonical reference for web security. Every authorization failure, API misconfiguration, and XSS pattern from this week's roundup has its root cause explained here. Essential for n8n-style API hunting, LinkedIn BOLA bugs, and Azure Functions enumeration.
📖 Black Hat Python, 2nd Edition
Python 3 offensive security tooling — network sniffers, exploit scaffolding, automation frameworks. The AI-assisted AWS breach this week used custom tooling; understanding how to build (and detect) such tooling is table stakes for modern offensive and defensive research. Updated for Python 3.
📖 Metasploit: The Penetration Tester's Guide
Exploitation fundamentals from the creators of Metasploit. Understanding how exploitation frameworks are structured makes you better at recognizing exploitable patterns — like the two-stage vLLM exploit chain. Covers post-exploitation, pivoting, and custom module development.
📖 CompTIA Security+ Study Guide (SY0-701)
If cloud security, serverless misconfigurations, and cryptography fundamentals feel shaky after this week's roundup, Security+ closes those gaps systematically. Solid foundation for understanding why Azure Functions exposes secrets, how IAM privilege escalation works, and what defence-in-depth actually means in practice.
Key Takeaways for the Week
- AI infrastructure is the 2026 gold rush target. vLLM, Chainlit, Copilot — study the patterns. Default-unauthenticated deployments = high-probability finds in AI-focused programs.
- Cloud misconfigurations continue to enable full compromises. The 10-minute AWS breach is reproducible on thousands of targets today. If you're hunting cloud programs, IAM enumeration and S3 bucket analysis deliver consistent results.
- n8n and workflow automation platforms are the new attack surface. Upgrade to 1.123.17+ / 2.5.2+ immediately if self-hosting. If hunting, check for older pinned versions in CI/CD environments.
- Protect your own accounts first. The HackerOne internal breach is a reminder that your private vulnerability reports have real value. Hardware MFA on every platform that holds research data is non-negotiable.
- $4.3M in a single Live Hacking Event week signals that bounty budgets are growing. Chime's double P1 offer and Vercel's new OSS program are time-sensitive opportunities worth acting on now.