Critical (9.9)

ai-scanner RCE via JavaScript injection (CVE-2026-41512)


CVE-2026-41512: Critical RCE in ai-scanner 1.0.0-1.4.0 via JavaScript injection in PlaywrightService (CVSS 9.9). Update to ai-scanner 1.4.1 immediately.

Patch now: CVE-2026-41512 is a critical remote code execution vulnerability in ai-scanner versions 1.0.0 through 1.4.0 that lets attackers with low privileges execute arbitrary system commands on the scanner host. It is patched in version 1.4.1; update immediately.

Overview

CVE-2026-41512 is a JavaScript injection vulnerability in the BrowserAutomation::PlaywrightService component of ai-scanner, an AI model safety scanner built on NVIDIA garak. The flaw allows an attacker who can interact with the scanner’s browser automation service to inject malicious JavaScript code that the Playwright service then executes. This results in full remote code execution (RCE) on the underlying server, giving the attacker complete control over the affected system.

The vulnerability carries a CVSS v3 score of 9.9 (CRITICAL) due to the combination of network-based attack vector, low attack complexity, low privileges required, and no user interaction needed. The attacker does not need to authenticate to the scanner service to exploit this flaw, making it particularly dangerous for exposed deployments.

Impact

Successful exploitation of CVE-2026-41512 grants an attacker:

  • Full remote code execution on the ai-scanner host machine
  • Access to all AI models, scanning results, and configuration data processed by the scanner
  • Potential lateral movement to connected systems, as the scanner may have network access to internal resources
  • The ability to establish persistence mechanisms on the compromised host

Organizations using ai-scanner in automated CI/CD pipelines or continuous security testing workflows are at heightened risk, as the scanner may have elevated privileges or access to sensitive development environments.

Remediation

Immediate action required. Upgrade ai-scanner to version 1.4.1 or later.

  1. Update the package: Run the appropriate package manager update command for your deployment:

    • pip install --upgrade "ai-scanner>=1.4.1" (Python package; the quotes keep the shell from treating the > as an output redirection)
    • For containerized deployments, rebuild images using the updated package
  2. Verify the update: Confirm the installed version with:

    • ai-scanner --version (should output 1.4.1 or later)
  3. Mitigation for air-gapped systems: If immediate update is not possible, restrict network access to the PlaywrightService component by:

    • Firewalling port access to only trusted internal IP addresses
    • Disabling the PlaywrightService if it is not essential for operations
  4. Audit for compromise: If you suspect prior exploitation, review ai-scanner logs for unexpected JavaScript execution attempts and check for unauthorized processes or network connections originating from the scanner host.
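As an added example, not part of this advisory or of the ai-scanner project, the following Python script turns the verification step into a repeatable gate: it reads the version string the host reports, parses it, and reports whether the install sits in the affected range 1.0.0 through 1.4.0 or is already on 1.4.1 or later. The ai-scanner --version invocation is the one the advisory names; the importlib.metadata fallback and the exact shape of the CLI output are assumptions about the install. Pre-release builds of 1.4.1 are reported as still affected, since they predate the fixed release.

```python
"""Version gate for the CVE-2026-41512 advisory range (added example).

Parses the version string a host reports and decides whether it sits in the
affected range 1.0.0 .. 1.4.0.  The 'ai-scanner --version' call is the check
the advisory names; the importlib.metadata fallback and the output format are
assumptions about the install, not facts from the advisory.
"""
import re
import subprocess
from importlib import metadata
from typing import Optional, Tuple

AFFECTED_FLOOR = (1, 0, 0)   # lowest affected release named in the advisory
FIXED_VERSION = (1, 4, 1)    # first patched release named in the advisory

# major.minor.patch followed by an optional pre-release / post / build suffix
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([0-9A-Za-z.\-+]*)")
# PEP 440-style pre-release and dev markers (simplified; post-releases do not match)
_PRERELEASE_RE = re.compile(r"^[-._]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), suffix) from output such as
    'ai-scanner 1.4.1' or '1.4.1rc1'.  Raises ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_affected(text: str) -> bool:
    """True when the reported version is inside 1.0.0 .. 1.4.0.

    A pre-release of the fix version (1.4.1rc1, 1.4.1.dev0) predates the
    patched release and is reported as affected; build metadata (1.4.1+abc)
    and post-releases (1.4.1.post1) count as patched.
    """
    triple, suffix = parse_version(text)
    if triple < AFFECTED_FLOOR:
        return False            # predates the affected range
    if triple < FIXED_VERSION:
        return True             # 1.0.0 .. 1.4.0
    if triple == FIXED_VERSION and _PRERELEASE_RE.match(suffix):
        return True             # pre-release of 1.4.1 is not the fixed build
    return False


def reported_version() -> Optional[str]:
    """Ask the host for its version: try the CLI first, then package metadata.
    Returns None when neither is available (e.g. ai-scanner is not installed)."""
    try:
        out = subprocess.run(["ai-scanner", "--version"],
                             capture_output=True, text=True, timeout=30, check=False)
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    except (FileNotFoundError, subprocess.TimeoutExpired):
        pass
    try:
        return metadata.version("ai-scanner")   # assumed distribution name
    except metadata.PackageNotFoundError:
        return None


def main() -> int:
    text = reported_version()
    if text is None:
        print("ai-scanner not found on this host")
        return 2
    if is_affected(text):
        print(f"VULNERABLE: {text!r} is in the CVE-2026-41512 range; upgrade to 1.4.1 or later")
        return 1
    print(f"OK: {text!r} is at or beyond 1.4.1")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The exit code (0 patched, 1 affected, 2 not installed) lets the script sit in a CI job or fleet inventory run; feeding is_affected() the raw output of a different version command works as long as a major.minor.patch triple appears in it.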

Security Insight

CVE-2026-41512 represents a growing trend where security tooling itself becomes an attack vector. AI model safety scanners, by their nature, have privileged access to execute code in isolated environments (browser automation) and process potentially malicious AI outputs. This creates a paradox: tools designed to detect unsafe AI models may themselves introduce remote code execution risks if input handling in their automation components is not narrowly scoped. Vendors building security tools that run untrusted code (including browser automation for AI safety scanning) should treat all automation interfaces as high-risk attack surfaces and apply the same hardening standards as they would for external-facing web applications.
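The point about narrowly scoped input handling in automation components, as an added example that is not code from ai-scanner or from this advisory: a hypothetical browser-automation service that hands strings to Playwright's page.evaluate(). The first builder splices caller-supplied text into JavaScript source, which is the pattern that turns a data field into code; the second keeps the script a fixed literal and passes the text as a serialized argument; the request gate on top exposes only named operations, so a caller can never supply script text at all. That page.evaluate(expression, arg) parses only the expression as JavaScript and delivers arg as a value is real Playwright behaviour; the operation names, the function names and the sample model output are constructed, and no browser is launched.

```python
"""Code/data boundary for a browser-automation interface (added, hypothetical).

Playwright's page.evaluate(expression, arg) parses only `expression` as
JavaScript; `arg` is serialized and delivered to the function as a value.
The two builders below model a scanner service that needs to push text from
an AI model into a page: one way leaks the text into the code channel, the
other keeps it as data.  Nothing here launches a browser.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: text a model under test might emit, shaped so that it
# closes the string literal the naive builder wraps it in.
UNTRUSTED_MODEL_OUTPUT = 'hello"); console.log("escaped-the-literal"); ("'


def build_evaluate_interpolated(untrusted: str) -> Tuple[str, List[Any]]:
    """Vulnerable pattern: the text is formatted straight into JS source, so
    anything it contains is parsed as part of the program."""
    script = f'document.body.innerText = ("{untrusted}");'
    return script, []


def build_evaluate_with_args(untrusted: str) -> Tuple[str, List[Any]]:
    """Hardened pattern: fixed script literal; the text rides in the argument
    list and reaches the page as the value of `text`, never as source."""
    script = "(text) => { document.body.innerText = text; }"
    return script, [untrusted]


# Named operations are the only thing a caller may request; the JS is fixed here.
SCRIPT_REGISTRY: Dict[str, str] = {
    "set_body_text": "(text) => { document.body.innerText = text; }",
    "get_title": "() => document.title",
}


def build_request(operation: str, *args: Any) -> Dict[str, Any]:
    """Gate for the automation interface: reject unknown operations and
    non-JSON arguments, so callers choose *which* fixed script runs and what
    data it receives, but never the script text itself."""
    if operation not in SCRIPT_REGISTRY:
        raise ValueError(f"unknown operation {operation!r}")
    try:
        safe_args = json.loads(json.dumps(args))   # round-trip: plain data only
    except (TypeError, ValueError) as exc:
        raise ValueError("arguments must be JSON-serializable") from exc
    return {"script": SCRIPT_REGISTRY[operation], "args": safe_args}


def leaks_into_script(builder, untrusted: str) -> bool:
    """True when the untrusted text ends up inside the script string that the
    browser would parse; the check a code reviewer or unit test can apply to
    every builder in the service."""
    script, _ = builder(untrusted)
    return untrusted in script
```

In a real service the dict returned by build_request() is what gets passed on as page.evaluate(request["script"], *request["args"]); the interpolated builder is kept only as the negative case for leaks_into_script(), which is the assertion worth wiring into the test suite of any automation component that accepts text from outside.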
