CISO Daily Briefing
Cloud Security Alliance AI Safety Initiative — Intelligence Report
Executive Summary
The 48-hour window ending May 7 is defined by two converging pressures. First, PAN-OS CVE-2026-0300, a CVSS 9.3 unauthenticated RCE, was added to CISA's Known Exploited Vulnerabilities catalog with a federal remediation deadline of May 9, but Palo Alto Networks does not expect a patch before May 13; every internet-exposed Palo Alto firewall therefore needs configuration controls now. Second, AI infrastructure has become a high-speed attack surface: LMDeploy CVE-2026-33626 was exploited within 13 hours of disclosure, and an Intruder scan found roughly 1 million exposed AI services, with 31% of Ollama instances answering without authentication. On the governance side, CISA and Five Eyes allies published the first coordinated agentic AI guidance, while NIST's NVD formally suspended enrichment for the majority of CVEs, leaving enterprises with AI agents acting on vulnerabilities that carry no NVD-assigned severity score.
Overnight Research Output
Palo Alto PAN-OS CVE-2026-0300: Unauthenticated RCE with No Patch Available
CRITICAL URGENCY
Summary: CVE-2026-0300 is a CVSS 9.3 buffer overflow in the PAN-OS User-ID Authentication Portal that enables unauthenticated root-level code execution on PA-Series and VM-Series firewalls. CISA added it to the KEV catalog on May 6 with a mandatory federal remediation deadline of May 9, but Palo Alto Networks does not expect a patch until May 13. Any organization with the Authentication (Captive) Portal exposed to the internet therefore has no patch to apply and must rely entirely on configuration controls while exploitation is active.
Required Action: Immediately audit whether the PAN-OS Authentication Portal (Captive Portal) is reachable from the internet: identify which interfaces carry an interface management profile that serves response pages, and which security rules allow untrusted sources to reach the portal listener. If it is exposed, restrict access to trusted source ranges by policy, or disable the portal on internet-facing interfaces until the fix ships. Monitor Palo Alto Networks' security advisory for the May 13 release and stage an emergency deployment.
The Hacker News — Palo Alto PAN-OS Flaw Under Active Exploitation
BleepingComputer — Palo Alto Networks Warns of Actively Exploited Firewall Zero-Day
Wiz — Critical Vulnerability in PAN-OS Exploited in the Wild
Rapid7 ETR — Critical Buffer Overflow in PAN-OS User-ID Authentication Portal
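The audit step above can be scripted against a PAN-OS XML configuration export. The following is an added example written for this briefing; it is not Palo Alto Networks tooling. It assumes the export layout shown in the constructed sample (interface management profiles with a response-pages setting, zones listing their interfaces, service objects, and the security rulebase) and assumes the portal listens on TCP 6080-6082; confirm both against the documentation for your PAN-OS release.

```python
"""Audit a PAN-OS XML config export for an internet-reachable Authentication Portal."""
import xml.etree.ElementTree as ET

# Assumption: the Authentication (Captive) Portal listens on TCP 6080-6082 (NTLM,
# transparent and redirect modes). Confirm against the docs for your PAN-OS release.
PORTAL_PORTS = {6080, 6081, 6082}

# Constructed sample in the shape of a trimmed PAN-OS export; not a real device config.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network>
    <profiles><interface-management-profile>
      <entry name="allow-portal"><response-pages>yes</response-pages></entry>
      <entry name="mgmt-only"><response-pages>no</response-pages></entry>
    </interface-management-profile></profiles>
    <interface><ethernet>
      <entry name="ethernet1/1"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
      <entry name="ethernet1/2"><layer3><interface-management-profile>mgmt-only</interface-management-profile></layer3></entry>
    </ethernet></interface>
  </network>
  <vsys><entry name="vsys1">
    <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    </zone>
    <service><entry name="svc-portal"><protocol><tcp><port>6080-6082</port></tcp></protocol></entry></service>
    <rulebase><security><rules>
      <entry name="internet-to-portal"><from><member>untrust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <service><member>svc-portal</member></service><action>allow</action></entry>
      <entry name="partner-to-portal"><from><member>untrust</member></from><to><member>untrust</member></to>
        <source><member>203.0.113.0/24</member></source><destination><member>any</member></destination>
        <service><member>svc-portal</member></service><action>allow</action></entry>
    </rules></security></rulebase>
  </entry></vsys>
</entry></devices></config>"""


def _members(node, path):
    return [m.text.strip() for m in node.findall(path + "/member") if m.text]


def expand_ports(spec):
    """'6080-6082,443' -> {6080, 6081, 6082, 443}; 'any' -> None (every port)."""
    if spec.strip() == "any":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def portal_interfaces(root):
    """Interfaces whose management profile serves response pages, i.e. where the portal listens."""
    serving = {p.get("name") for p in root.iterfind(".//profiles/interface-management-profile/entry")
               if (p.findtext("response-pages") or "no").strip() == "yes"}
    # Extend the path for aggregate-ethernet / vlan interfaces if your config uses them.
    return {i.get("name") for i in root.iterfind(".//network/interface/ethernet/entry")
            if i.findtext("layer3/interface-management-profile") in serving}


def service_ports(root):
    """Service object name -> set of TCP ports (None when the object covers any port)."""
    return {s.get("name"): expand_ports(s.findtext("protocol/tcp/port"))
            for s in root.iterfind(".//vsys/entry/service/entry")
            if s.findtext("protocol/tcp/port")}


def exposed_portal_rules(root, untrusted_zones):
    """Allow rules that let *any* source in an untrusted zone reach a portal port."""
    ports = service_ports(root)
    hits = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        if not set(_members(rule, "from")) & set(untrusted_zones):
            continue
        if "any" not in _members(rule, "source"):
            continue
        for svc in _members(rule, "service"):
            # 'any' / 'application-default' are treated as covering the portal (conservative).
            covered = None if svc in ("any", "application-default") else ports.get(svc, set())
            if covered is None or covered & PORTAL_PORTS:
                hits.append(rule.get("name"))
                break
    return hits


def audit(xml_text, untrusted_zones=("untrust",)):
    """Two findings: portal enabled on an untrusted-zone interface, and rules that expose it."""
    root = ET.fromstring(xml_text)
    zone_ifaces = {z.get("name"): set(_members(z, "network/layer3"))
                   for z in root.iterfind(".//zone/entry")}
    untrusted_ifaces = set().union(*(zone_ifaces.get(z, set()) for z in untrusted_zones))
    return {
        "portal_on_untrusted_interfaces": sorted(portal_interfaces(root) & untrusted_ifaces),
        "rules_exposing_portal": exposed_portal_rules(root, untrusted_zones),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against `show config running` output saved as XML (or a Panorama export), with `untrusted_zones` set to every zone that faces the internet. A hit in either list means the interim control has to be applied before May 13: either swap the management profile on that interface for one with response pages off, or replace the `any` source with the trusted ranges, as the rule `partner-to-portal` in the sample already does.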
LMDeploy CVE-2026-33626: AI Inference Toolkit Weaponized in 13 Hours
CRITICAL URGENCY
Summary: CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, an open-source LLM inference and serving toolkit widely used for self-hosted model deployments. The Sysdig Threat Research Team observed the first exploitation attempt against its honeypot fleet 12 hours and 31 minutes after the GitHub advisory went live, which leaves enterprise security teams no realistic window to patch before attackers start probing for cloud metadata endpoints, internal network pivots, and credential theft. The vulnerability affects LMDeploy versions up to 0.12.0 when vision-language support is enabled.
Broader Pattern: This incident confirms a now-repeatable pattern: CVEs in AI-specific infrastructure are exploited on much shorter timescales than traditional enterprise software, and most organizations have neither AI-aware vulnerability scanning nor runtime monitoring for inference servers, model gateways, and agent orchestration tools.
The Hacker News — LMDeploy CVE-2026-33626 Flaw Exploited
Sysdig — How Attackers Exploited LMDeploy LLM Inference Engines in 12 Hours
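The briefing does not describe the exact sink, but the classic SSRF in a vision-language server is the fetch of a caller-supplied image URL, and the metadata-endpoint probing Sysdig describes is what an unguarded fetch hands an attacker. The following is an added example, not LMDeploy code and not the patched logic: a guard that refuses non-HTTP schemes, embedded credentials, metadata hostnames and any address that is not globally routable, then connects to the address it checked rather than re-resolving the name (so a DNS-rebinding answer cannot swap in 169.254.169.254 after validation) and refuses to follow redirects. `FAKE_DNS` and `fake_resolve` are constructed so the checks run offline; the hostnames in it are placeholders.

```python
"""SSRF guard for caller-supplied image URLs in a vision-language serving path."""
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Names that reach cloud metadata services; refused before any DNS lookup.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "169.254.169.254", "fd00:ec2::254"}


class UnsafeURL(ValueError):
    """Raised for any URL that must not be fetched on the caller's behalf."""


def is_public_address(ip):
    """True only for globally routable unicast (no RFC1918, loopback, link-local, ULA, multicast)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return addr.is_global and not addr.is_multicast


def system_resolve(host):
    """All A/AAAA answers for host; every one must pass the check, not just the first."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_image_url(url, resolve=system_resolve):
    """Return (hostname, sorted public IPs) for a fetchable URL, or raise UnsafeURL."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:       # file:, gopher:, data: are handled elsewhere
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")
    host = (parts.hostname or "").lower()
    if not host or host in METADATA_HOSTS:
        raise UnsafeURL(f"host refused: {host!r}")
    try:                                            # literal IP: check it directly
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:                              # otherwise resolve ("2130706433" resolves too)
        try:
            addrs = set(resolve(host))
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise UnsafeURL(f"no addresses for {host!r}")
    private = sorted(a for a in addrs if not is_public_address(a))
    if private:
        raise UnsafeURL(f"{host!r} resolves to non-public address(es): {private}")
    return host, sorted(addrs)


def fetch_image(url, resolve=system_resolve, max_bytes=8 * 1024 * 1024, timeout=5.0):
    """Fetch a validated URL, connecting to the checked IP so DNS cannot change underneath us."""
    host, addrs = validate_image_url(url, resolve)
    parts = urlparse(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    sock = socket.create_connection((addrs[0], port), timeout=timeout)
    if parts.scheme == "https":                     # TLS still verifies the real hostname via SNI
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock                                # reuse the pinned socket; no second lookup
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"User-Agent": "image-fetch/1.0"})
    resp = conn.getresponse()
    if resp.status != 200:                          # redirects are NOT followed: a 302 to an
        raise UnsafeURL(f"HTTP {resp.status}")      # internal URL is the classic bypass
    body = resp.read(max_bytes + 1)
    conn.close()
    if len(body) > max_bytes:
        raise UnsafeURL("response too large")
    return body


# Constructed DNS view so the checks can be exercised offline (not real records).
FAKE_DNS = {
    "images.example.com": {"93.184.216.34"},
    "rebind.attacker.test": {"93.184.216.34", "10.0.0.5"},  # one private answer is enough to refuse
    "2130706433": {"127.0.0.1"},                              # decimal IPv4 form accepted by getaddrinfo
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]
```

Two details matter in practice. `validate_image_url` checks every resolved address, because an attacker-controlled name can return one public and one private record and a client that uses the first answer it likes can be steered to the private one. And `fetch_image` never calls the resolver a second time: the socket is opened to the address that passed the check, and the hostname is only used for the Host header and TLS verification. Network egress policy on the inference host (deny 169.254.0.0/16 and RFC1918 from the serving process) is the backstop for the cases a URL filter cannot see.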
Self-Hosted AI Infrastructure: 1 Million Exposed, Security Posture Deteriorating
HIGH URGENCY
Summary: Intruder's scan of 2 million hosts drawn from certificate-transparency logs found over 1 million exposed AI services. Of the exposed Ollama API instances, 31% answered queries without any authentication, up from 18% in September 2025; security posture is degrading as adoption scales, not improving. Beyond inference APIs, the scan found Claude-powered chatbots exposing API keys in plaintext, agent management platforms (n8n, Flowise) reachable without authentication, and model assets open to theft or poisoning.
Root Cause: The deterioration tracks the speed of enterprise AI adoption and the absence of secure-by-default settings in most open-source AI serving frameworks. Developers deploying Ollama, LM Studio, and OpenWebUI routinely bypass security review, and the tooling defaults do not enforce authentication, so a service bound to a public interface is open to anyone who finds it.
The Hacker News — We Scanned 1 Million Exposed AI Services
Intruder Research — Exposed AI Infrastructure Is Rampant
Security Boulevard — How Attackers Find and Exploit Misconfigured AI Deployments
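The practical question for a security team is whether any of its own Ollama endpoints fall into the 31%. The following is an added example for this briefing, not Intruder's scanner and not Ollama code. It uses two real Ollama endpoints as the fingerprint (`GET /api/tags` lists the local models; Ollama listens on 127.0.0.1:11434 by default and on all interfaces when `OLLAMA_HOST=0.0.0.0`) and classifies each host as unauthenticated, fronted by something that demands authentication, not Ollama at all, or unreachable. `FAKE_RESPONSES` is constructed so the report runs offline; `probe` does real HTTP and should only be pointed at hosts you own.

```python
"""Find Ollama APIs on your own hosts that answer without authentication."""
import json
import urllib.error
import urllib.request

DEFAULT_PORT = 11434  # Ollama's default listener port


def classify(status, body):
    """Map a GET /api/tags response to a posture label."""
    if status in (401, 403, 407):
        return "auth-required"          # something in front of Ollama enforces authentication
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "not-ollama"         # e.g. a reverse proxy returning an HTML page
        if isinstance(data, dict) and isinstance(data.get("models"), list):
            return "unauthenticated"    # the model list was handed to an anonymous caller
        return "not-ollama"
    return "unreachable" if status is None else "not-ollama"


def exposed_models(body):
    """Model names a listing hands to an anonymous caller (assets open to theft or poisoning)."""
    try:
        models = json.loads(body).get("models", [])
    except (ValueError, AttributeError):
        return []
    return sorted(m.get("name", "?") for m in models if isinstance(m, dict))


def probe(base_url, timeout=3.0):
    """Fetch /api/tags and return (status, body). Live network call: only against hosts you own."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/tags",
                                 headers={"User-Agent": "ollama-posture-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(1 << 20)
    except urllib.error.HTTPError as err:
        return err.code, err.read(1 << 20)
    except (urllib.error.URLError, OSError):
        return None, b""


def report(targets, fetch=probe):
    """One row per target: posture label plus the model names visible without credentials."""
    rows = []
    for target in targets:
        status, body = fetch(target)
        label = classify(status, body)
        rows.append({"target": target, "posture": label,
                     "models": exposed_models(body) if label == "unauthenticated" else []})
    return rows


# Constructed responses standing in for live hosts so the report runs offline (RFC1918 placeholders).
FAKE_RESPONSES = {
    "http://10.0.0.11:11434": (200, b'{"models":[{"name":"llama3:8b"},{"name":"internal-finetune:latest"}]}'),
    "http://10.0.0.12:11434": (401, b'{"error":"unauthorized"}'),
    "http://10.0.0.13:11434": (200, b"<html>It works</html>"),
    "http://10.0.0.14:11434": (None, b""),
}


def fake_probe(base_url):
    return FAKE_RESPONSES.get(base_url, (None, b""))


if __name__ == "__main__":
    for row in report(list(FAKE_RESPONSES), fetch=fake_probe):
        print(row)
```

Feed `report` the Ollama hosts from your asset inventory (or every host that answered on 11434 in an internal scan) with the default `fetch=probe`. Any row marked unauthenticated should be fixed by leaving `OLLAMA_HOST` on the loopback address and putting an authenticating reverse proxy in front, rather than by exposing the port and hoping nobody lists the models.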
Agentic AI Governance Becomes Institutional: CISA Guide + NIST CAISI Agreements
GOVERNANCE
Summary: Two significant governance developments landed within five days. On May 1, CISA and international partners including Australian Signals Directorate and Five Eyes affiliates published “Careful Adoption of Agentic AI Services” — the first coordinated multinational guidance document specifically addressing enterprise deployment risks of agentic AI: privilege creep, behavioral misalignment, expanded attack surface, and accountability gaps in agent decision chains. On May 5, NIST’s CAISI formalized pre-deployment national security evaluation agreements with Google DeepMind, Microsoft, and xAI, building on prior agreements with Anthropic and OpenAI. CAISI has now completed 40+ evaluations, including assessments of unreleased models with safety guardrails removed.
Strategic Implication: These developments signal that U.S. and allied governments are shifting from reactive AI governance commentary to institutionalized pre-deployment evaluation infrastructure. Enterprise compliance expectations and vendor accountability norms are moving with them. Organizations adopting AI agents should anticipate that the risk taxonomy in the CISA guidance — privilege creep, behavioral misalignment, structural failure modes — will become the baseline for audits and procurement diligence.
CISA — Release of Guide for Secure Adoption of Agentic AI Services
DoD/CISA — Careful Adoption of Agentic AI Services (Full PDF)
NIST — CAISI Signs Agreements for Frontier AI National Security Testing
Axios — U.S. Frontier AI Testing as White House Pivots on Safety
CyberScoop — CISA, NSA, Five Eyes Guidance on Secure Deployment of AI Agents
Dual Visibility Crisis: Ungoverned AI Agents and NVD Enrichment Collapse
STRATEGIC RISK
Summary: Two systemic failures are converging. First, Gartner’s inaugural Market Guide for Guardian Agents found 70% of enterprises already run AI agents in production with governance controls lagging — agents operate continuously, span applications, acquire permissions opportunistically, and generate identity activity at machine speed, creating what Orchid Security terms “identity dark matter”: unmanaged AI agent identities invisible to traditional IAM systems. Second, NIST formally acknowledged it can no longer enrich the majority of CVEs submitted to the National Vulnerability Database, following a 263% surge in CVE volume since 2020. Starting April 15, only CVEs in CISA’s KEV catalog, federal government software, or EO 14028 critical software receive NIST enrichment.
Compound Risk: Enterprises are increasingly reliant on AI agents operating with unverified entitlements inside environments where a growing fraction of known vulnerabilities carry no enrichment context. Neither crisis alone is novel; their convergence creates a systemic accountability gap that no existing governance framework has addressed. CSA’s AICM and MAESTRO frameworks are directly applicable to both failure modes and should inform the whitepaper framing.
The Hacker News — Your AI Agents Are Already Inside Your Systems
The Hacker News — 5 Learnings from the First-Ever Gartner Guardian Agents Guide
The Hacker News — NIST Limits CVE Enrichment After 263% Volume Growth
NIST — NIST Updates NVD Operations to Address Record CVE Growth
Help Net Security — NIST NVD Enrichment Changes: What You Need to Know
Apiiro — Gartner Report on Guardian Agents Signals a New Era for AI Governance
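Operationally, the NVD change means a scanner that keys severity off NVD-supplied CVSS will return blanks for most new CVEs. The following is an added example for this briefing (not NIST, CISA or any vendor's code) of the fallback chain a triage pipeline needs: prefer an NVD score where one exists, otherwise the CNA's own score from the CVE record, otherwise a score in an ADP container, and otherwise flag the CVE as unscored rather than silently treating it as low. The KEV snapshot and CVE records are constructed in the shape of the real feeds; the single KEV entry repeats what this briefing reports for CVE-2026-0300, the CVE-2099-* identifiers are placeholders, and the NVD scores are assumed, not pulled from NIST.

```python
"""Score fallback for CVEs that will not receive NVD enrichment."""

# Constructed KEV snapshot in the shape of CISA's JSON feed (cveID / dateAdded / dueDate).
KEV_SNAPSHOT = {"vulnerabilities": [
    {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2026-05-06", "dueDate": "2026-05-09"},
]}

# Constructed records in the CVE JSON 5.x shape (cveMetadata / containers.cna.metrics).
# CVE-2099-* are placeholders, not real identifiers.
CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-2026-0300"},
     "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.3, "baseSeverity": "CRITICAL"}}]}}},
    {"cveMetadata": {"cveId": "CVE-2099-0001"},                     # CNA-scored, not in KEV
     "containers": {"cna": {"metrics": [{"cvssV4_0": {"baseScore": 7.1, "baseSeverity": "HIGH"}}]}}},
    {"cveMetadata": {"cveId": "CVE-2099-0002"},                     # ADP score only
     "containers": {"cna": {"affected": [{"vendor": "example", "product": "widget"}]},
                    "adp": [{"metrics": [{"cvssV3_1": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}]}},
    {"cveMetadata": {"cveId": "CVE-2099-0003"},                     # no metrics anywhere
     "containers": {"cna": {"affected": [{"vendor": "example", "product": "gadget"}]}}},
]

# Assumed result of an NVD API pull: under the April 15 policy only the KEV entry came back scored.
NVD_SCORES = {"CVE-2026-0300": 9.3}

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")   # newest CVSS version wins


def container_score(container):
    """First base score in a CVE-record container, or (None, None)."""
    for metric in container.get("metrics", []):
        for key in CVSS_KEYS:
            if key in metric and "baseScore" in metric[key]:
                return float(metric[key]["baseScore"]), key
    return None, None


def best_score(record, nvd_scores):
    """Priority: NVD enrichment > CNA score > ADP (e.g. CISA vulnrichment) score > nothing."""
    cve = record["cveMetadata"]["cveId"]
    if cve in nvd_scores:
        return nvd_scores[cve], "nvd"
    containers = record.get("containers", {})
    score, key = container_score(containers.get("cna", {}))
    if score is not None:
        return score, f"cna:{key}"
    for adp in containers.get("adp", []):
        score, key = container_score(adp)
        if score is not None:
            return score, f"adp:{key}"
    return None, "none"


def triage(records, kev, nvd_scores):
    """One row per CVE: score, where it came from, KEV status and the resulting action."""
    due = {v["cveID"]: v["dueDate"] for v in kev["vulnerabilities"]}
    rows = []
    for rec in records:
        cve = rec["cveMetadata"]["cveId"]
        score, source = best_score(rec, nvd_scores)
        if cve in due:
            action = f"kev: remediate by {due[cve]}"
        elif score is None:
            action = "unscored: NVD enrichment not expected (not in KEV); pull the vendor advisory"
        elif score >= 9.0:
            action = "critical"
        elif score >= 7.0:
            action = "high"
        else:
            action = "standard"
        rows.append({"cve": cve, "score": score, "source": source, "kev": cve in due, "action": action})
    return rows


if __name__ == "__main__":
    for row in triage(CVE_RECORDS, KEV_SNAPSHOT, NVD_SCORES):
        print(row)
```

The "unscored" bucket is the one to watch: it should be reviewed by a human against the vendor advisory, and the count of CVEs landing in it per week is a direct measure of how much of your vulnerability backlog now depends on CNA quality rather than on NIST.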
Notable News & Signals
DAEMON Tools Supply Chain Attack (Chinese-Linked, Signed Backdoor)
A Chinese-linked threat actor backdoored DAEMON Tools installer binaries with a signed payload that has been active since April 8, targeting government and scientific entities. The attack combined valid code signing with roughly a month of dwell time before detection. CSA's nine supply chain security documents cover the general category; the AI/ML tooling angle remains unaddressed.
GitHub CVE-2026-3854: Critical RCE via Git Push
A critical remote code execution vulnerability in GitHub.com and GitHub Enterprise Server, triggered by a crafted git push. Significant for DevSecOps pipelines, but without a clear AI workflow angle it is adequately covered by existing DevSecOps vulnerability management guidance.
OAuth Token Sprawl and AI Agent OAuth Grant Risk
Growing evidence that AI agents generate OAuth grant activity at machine speed, creating token sprawl that traditional IAM audit tools do not surface. Partially captured in Topic 5's identity dark matter framing; the OAuth-specific mechanics warrant a dedicated follow-up if the pattern continues.
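The sprawl described above is detectable from ordinary IdP audit logs once the query asks the right question: not "who logged in" but "which principal is acquiring consents faster than a person could, and is each new grant wider than the last". The following is an added example for this briefing, not a product rule and not any IdP's schema; the JSON audit lines are constructed in a generic shape (`ts`, `event`, `actor`, `client_id`, `scopes`), the five-minute window and the three-grant threshold are tunable assumptions, and the scope-naming convention (last dotted segment says what the scope permits) is an assumption to map onto your own scope catalogue.

```python
"""Detect machine-speed OAuth grant sprawl and privilege expansion from audit events."""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines in a generic JSON shape; map your IdP's real field names onto these.
SAMPLE_LOG = """\
{"ts":"2026-05-06T09:00:00Z","event":"oauth.grant","actor":"alice@corp.example","client_id":"crm-web","scopes":["profile","calendar.read"]}
{"ts":"2026-05-06T09:01:00Z","event":"oauth.grant","actor":"agent-ops-bot","client_id":"jira-connector","scopes":["tickets.read"]}
{"ts":"2026-05-06T09:01:04Z","event":"oauth.grant","actor":"agent-ops-bot","client_id":"gdrive-connector","scopes":["files.read"]}
{"ts":"2026-05-06T09:01:09Z","event":"oauth.grant","actor":"agent-ops-bot","client_id":"mail-connector","scopes":["mail.read","mail.send"]}
{"ts":"2026-05-06T09:01:15Z","event":"oauth.grant","actor":"agent-ops-bot","client_id":"admin-api","scopes":["directory.readwrite"]}
{"ts":"2026-05-06T09:01:20Z","event":"oauth.grant","actor":"agent-ops-bot","client_id":"jira-connector","scopes":["tickets.read","tickets.write"]}
{"ts":"2026-05-06T09:30:00Z","event":"oauth.login","actor":"alice@corp.example","client_id":"crm-web"}
"""

# Assumption about scope naming: the last dotted segment says what the scope permits.
SENSITIVE_SUFFIXES = {"write", "readwrite", "send", "admin", "delete"}


def parse_events(text):
    """Yield one dict per non-empty line with ts parsed to a datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def is_sensitive(scope):
    return scope.rsplit(".", 1)[-1] in SENSITIVE_SUFFIXES


def detect(events, window=timedelta(minutes=5), max_grants=3):
    """Return (findings, per-actor summary).

    grant-burst: more than max_grants consents inside the sliding window (fires once as the
    threshold is crossed).  privilege-expansion: a grant adds a sensitive scope the actor
    never held before.  The summary gives the raw sprawl numbers for every principal.
    """
    recent = defaultdict(deque)       # actor -> timestamps of grants inside the window
    seen_scopes = defaultdict(set)    # actor -> every scope ever granted
    clients = defaultdict(set)        # actor -> distinct OAuth clients consented to
    grants = Counter()
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("event") != "oauth.grant":
            continue
        actor, ts = e["actor"], e["ts"]
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == max_grants + 1:
            findings.append({"type": "grant-burst", "actor": actor, "ts": ts.isoformat(),
                             "detail": f"{len(q)} grants within {window}"})
        new_sensitive = sorted(s for s in e["scopes"] if is_sensitive(s) and s not in seen_scopes[actor])
        if new_sensitive:
            findings.append({"type": "privilege-expansion", "actor": actor, "ts": ts.isoformat(),
                             "detail": new_sensitive})
        seen_scopes[actor].update(e["scopes"])
        clients[actor].add(e["client_id"])
        grants[actor] += 1
    summary = {a: {"grants": grants[a], "distinct_clients": len(clients[a]),
                   "distinct_scopes": len(seen_scopes[a])} for a in grants}
    return findings, summary


if __name__ == "__main__":
    found, per_actor = detect(parse_events(SAMPLE_LOG))
    for f in found:
        print(f)
    print(per_actor)
```

On the sample the human user produces nothing, while the agent identity trips the burst rule on its fourth consent in fifteen seconds and three separate privilege-expansion findings as read-only scopes give way to send, readwrite and write. The summary is what feeds an inventory: a principal with dozens of distinct clients and scopes that no human approved is the "identity dark matter" the Gartner and Orchid Security pieces describe, and it only becomes visible when grant events are aggregated per actor rather than reviewed one consent screen at a time.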
Copy Fail CVE-2026-31431: Linux Kernel LPE Under Active Exploitation
A local privilege escalation in the Linux kernel, confirmed by CISA as exploited in the wild and added to the KEV catalog. Important for Linux-based infrastructure (including most AI inference servers), but adequately covered by generic vulnerability management guidance; no distinct AI angle identified.
Topics Already Covered — No New Action Required
- AI Regulatory Landscape & Framework Overview: Covered by ai-frameworks-regulatory-landscape-executive-whitepaper. The CISA agentic AI guide (Topic 4) is distinct enough — operational guidance vs. regulatory landscape — to warrant a separate note.
- General Supply Chain Security: DAEMON Tools supply chain attack is significant but primarily a traditional software supply chain incident. CSA has 9 supply chain documents. A note would be warranted only if focused specifically on AI/ML tool supply chain risks.
- General IAM and Zero Trust: OAuth token sprawl and AI agent OAuth grant risk partially overlap with CSA’s 44 IAM documents; the more novel angle is fully captured in Topic 5’s identity dark matter framing.
- GitHub CVE-2026-3854 RCE: Critical RCE via git push is significant for DevSecOps but does not add to CSA’s AI safety focus without a clear AI workflow angle.
- Copy Fail CVE-2026-31431 (Linux LPE): Confirmed exploited but covered adequately by existing generic vulnerability management guidance; no distinct AI angle identified.