{"vulnerability": "cve-2026-55615", "sightings": [{"uuid": "d6337746-81a4-424b-840d-37ba31a9d594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55615", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mpz2fhfwf72r", "content": "CVE-2026-55615 - langroid\nA vulnerability in Neo4jChatAgent allows hackers to read or delete all data in a Neo4j database, or even execute system commands on the server, by manipulating the input to the\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#langroid #pip #CVE #infosec", "creation_timestamp": "2026-07-06T21:38:04.253943Z"}, {"uuid": "0eaaf56b-1137-4907-84aa-80ed623a4b69", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-55615", "type": "published-proof-of-concept", "source": "https://github.com/langroid/langroid/security/advisories/GHSA-2pq5-3q89-j7cc", "content": "", "creation_timestamp": "2026-07-06T22:35:09.699096Z"}, {"uuid": "2502ff51-8917-49c1-bbf4-2d2057e15301", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55615", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqathrxe3k2q", "content": "CVE-2026-55615 - Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879\nCVE ID : CVE-2026-55615\n \n Published : July 9, 2026, 11:40 p.m. | 8\u00a0minutes a...", "creation_timestamp": "2026-07-09T23:55:24.321989Z"}, {"uuid": "4b8a023f-cb9d-4f8b-9fec-268788bd5f8d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55615", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mqcscsg3zw2y", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-55615 \u0432 Langroid: \u0443\u0433\u0440\u043e\u0437\u044b \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/590A658C-12F7-4073-813B-2DA24BA79CDD", "creation_timestamp": "2026-07-10T18:40:02.848032Z"}, {"uuid": "e57ee7ef-6e04-49b2-8d6b-4a96f5323f06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55615", "type": "seen", "source": "https://t.me/bhhub/1201", "content": "Weekly 8 AI &amp; Cyber signals to act on (Jul 5\u201311, 2026)\n\n#AISecurity@bhhub\n\n\u2728 HalluSquatting Turns Agents\u2019 Invented URLs into a Transferable Botnet Vector\n\nResearchers found that coding agents hallucinate repository locations up to 85% of the time \u2014 reaching 100% for trending agent skills \u2014 with compromise rates approaching 80\u2013100% on OpenClaw variants. Agent-generated package and repository URLs must be treated as untrusted input: verify provenance, enforce allowlists, and isolate execution.\n\n\u2728 Agent Data Injection Attacks Work Through Realistic Workflows, Not Just Hidden Instructions\n\nNew research expands the attack surface beyond conventional indirect prompt injection by embedding malicious influence inside data that preserves the structure of material an agent expects to process. Filtering obvious instructions is insufficient; runtimes need provenance validation, semantic checks, and strict tool permissions.\n\n\u2728 \u201cRole Confusion\u201d Explains Why Forged Reasoning Bypasses Prompt-Injection Defenses\n\nPresented at ICML 2026, the research achieved 60% average StrongREJECT attack success and 61% agent-exfiltration success by making attacker content resemble trusted model reasoning, versus near-zero baselines. Consequential authorization must be enforced outside the model.\n\n#AppSec@bhhub\n\n\u2728 Friendly Fire Makes Autonomous Security Reviewers Execute the Code They Inspect\n\nA proof of concept against stock Claude Code and Codex autonomous review modes used ordinary repository documentation to make the agents execute an attacker-controlled binary without additional approval. Review agents should inspect third-party code only inside disposable, credential-free environments.\n\n\u2728 Langroid Prompt-to-Cypher Injection Can Escalate from Graph Destruction to Host Access\n\nCVE-2026-55615 lets attacker-influenced prompts reach Neo4j as unvalidated Cypher through Langroid\u2019s Neo4jChatAgent, enabling data theft or destruction and \u2014 with dangerous procedures enabled \u2014 OS-command and filesystem access. LLM-generated queries require parameterization, validation, and least-privilege controls.\n\n#RedTeam@bhhub\n\n\u2728 JADEPUFFER Shows Ransomware\u2019s Technical Execution Loop Can Be Delegated to an AI Agent\n\nSysdig observed an LLM-driven extortion chain exploiting Langflow, harvesting credentials, moving laterally, establishing persistence, encrypting a production database, and adapting when actions failed. A human still selected and initiated the target, but AI handled much of the multi-stage technical execution.\n\n#BlueTeam@bhhub\n\n\u2728 SOCBench Exposes the False-Positive and Inference-Cost Limits of LLM Detection\n\nIn an open NetFlow benchmark, tested LLM stacks classified 36% of benign traffic as malicious, while processing one million alerts daily with the cheapest measured configuration would cost approximately $57,000 per day. Evaluate AI detections on real noisy telemetry and measure analyst workload and cost \u2014 not accuracy alone.\n\n\u2728 DetectionForge Converts Threat Intelligence into SIEM Rules with a 0.750 Evaluation Score\n\nThe new open-source agent turns threat reports into deployable detection logic and scored 0.750 in its CTI-to-rule evaluation, compared with the 0.637 best-frontier-model baseline reported by CTI-REALM. It keeps the model out of final approval \u2014 a useful pattern for AI-generated Sigma, YARA, and SIEM rules.", "creation_timestamp": "2026-07-14T12:00:05.127856Z"}, {"uuid": "976fdb0b-c710-4e3a-bc36-b544e26f0717", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55615", "type": "published-proof-of-concept", "source": "https://t.me/bhhub/1201", "content": "Weekly 8 AI &amp; Cyber signals to act on (Jul 5\u201311, 2026)\n\n#AISecurity@bhhub\n\n\u2728 HalluSquatting Turns Agents\u2019 Invented URLs into a Transferable Botnet Vector\n\nResearchers found that coding agents hallucinate repository locations up to 85% of the time \u2014 reaching 100% for trending agent skills \u2014 with compromise rates approaching 80\u2013100% on OpenClaw variants. Agent-generated package and repository URLs must be treated as untrusted input: verify provenance, enforce allowlists, and isolate execution.\n\n\u2728 Agent Data Injection Attacks Work Through Realistic Workflows, Not Just Hidden Instructions\n\nNew research expands the attack surface beyond conventional indirect prompt injection by embedding malicious influence inside data that preserves the structure of material an agent expects to process. Filtering obvious instructions is insufficient; runtimes need provenance validation, semantic checks, and strict tool permissions.\n\n\u2728 \u201cRole Confusion\u201d Explains Why Forged Reasoning Bypasses Prompt-Injection Defenses\n\nPresented at ICML 2026, the research achieved 60% average StrongREJECT attack success and 61% agent-exfiltration success by making attacker content resemble trusted model reasoning, versus near-zero baselines. Consequential authorization must be enforced outside the model.\n\n#AppSec@bhhub\n\n\u2728 Friendly Fire Makes Autonomous Security Reviewers Execute the Code They Inspect\n\nA proof of concept against stock Claude Code and Codex autonomous review modes used ordinary repository documentation to make the agents execute an attacker-controlled binary without additional approval. Review agents should inspect third-party code only inside disposable, credential-free environments.\n\n\u2728 Langroid Prompt-to-Cypher Injection Can Escalate from Graph Destruction to Host Access\n\nCVE-2026-55615 lets attacker-influenced prompts reach Neo4j as unvalidated Cypher through Langroid\u2019s Neo4jChatAgent, enabling data theft or destruction and \u2014 with dangerous procedures enabled \u2014 OS-command and filesystem access. LLM-generated queries require parameterization, validation, and least-privilege controls.\n\n#RedTeam@bhhub\n\n\u2728 JADEPUFFER Shows Ransomware\u2019s Technical Execution Loop Can Be Delegated to an AI Agent\n\nSysdig observed an LLM-driven extortion chain exploiting Langflow, harvesting credentials, moving laterally, establishing persistence, encrypting a production database, and adapting when actions failed. A human still selected and initiated the target, but AI handled much of the multi-stage technical execution.\n\n#BlueTeam@bhhub\n\n\u2728 SOCBench Exposes the False-Positive and Inference-Cost Limits of LLM Detection\n\nIn an open NetFlow benchmark, tested LLM stacks classified 36% of benign traffic as malicious, while processing one million alerts daily with the cheapest measured configuration would cost approximately $57,000 per day. Evaluate AI detections on real noisy telemetry and measure analyst workload and cost \u2014 not accuracy alone.\n\n\u2728 DetectionForge Converts Threat Intelligence into SIEM Rules with a 0.750 Evaluation Score\n\nThe new open-source agent turns threat reports into deployable detection logic and scored 0.750 in its CTI-to-rule evaluation, compared with the 0.637 best-frontier-model baseline reported by CTI-REALM. It keeps the model out of final approval \u2014 a useful pattern for AI-generated Sigma, YARA, and SIEM rules.", "creation_timestamp": "2026-07-15T00:00:24.906977Z"}]}