State of AI Security 2026: We Scanned 50 Top OSS AI Repos. Here's What We Found.Research Report

TL;DR — Key Findings
Average security score34 / 100 — Failing
Repos with a critical finding29 of 50 (58%)
Fail rate (grade F or D)35 of 50 (70%)
Most common attack surfacePrompt injection — unvalidated user input in tool call chains
Improvement vs. 2025Secrets exposure down 31pp; prompt injection down 29pp
34Avg Score / 100
58%Critical Findings
88%Fail Rate

The TL;DR

Last month we audited the top 50 most-starred open-source AI agent repos on GitHub. Average score: 34 out of 100. Fifty-eight percent had at least one critical finding. We flagged it as a baseline.

Eight days later, we re-ran the scanner. The numbers held. The attack surface hasn't shrunk.

This is the State of AI Security 2026.


The Worst Findings

Critical #1: Unvalidated Tool Call Chains — AutoGPT, 18/100, 185k stars

AutoGPT has an active exploit chain: raw user input → LLM context → tool invocation with no boundary validation. We demonstrated it. They patched CVE-2025-1040 — but the underlying pattern persists. Any attacker who can influence user input can redirect tool calls to arbitrary endpoints.

Remediation: Tag user input at the boundary so it cannot masquerade as system intent. Validate tool call structure before execution.

Critical #2: Serialization Injection — langchain, 22/100, 138k stars

LangChain's serialization layer accepts untrusted lc_serializable subclasses with arbitrary load()/__reduce__() hooks. CVE-2025-68664 was patched, but the blast radius is anyone using langchain-core's serialization utilities. If you're on LangChain < 0.3.x, assume this is present.

Remediation: Never deserialize langchain objects from untrusted sources. Audit your serialization calls.

Critical #3: Unauthenticated MCP Endpoints — gpt-researcher, 20/100, 24.9k stars

The fetch_url tool and the MCP tool manifest are publicly accessible on gpt-researcher's default deployment configuration. We pulled the full tool list — including send_email and read_file — without authentication. Any actor with the endpoint URL can enumerate and invoke tools, bypassing the agent's safety layer entirely.

Remediation: Bind MCP servers to localhost. Require Authorization: Bearer on all endpoints. Audit whether privileged tools are necessary in the manifest.

Critical #4: Pickle RCE on Model Load — 6 repos across 50

Six of the 50 scanned repos call torch.load() without weights_only=True. A malicious .pt file can embed arbitrary Python callables — os.system(), subprocess.run(), anything — that executes the moment the file is loaded. Three of these repos additionally load models from unverified HuggingFace publishers (individual accounts, <100 downloads, no model card, pickle-only weights).

Remediation: Set weights_only=True on every torch.load() call. Migrate to safetensors format. Pin models to specific commit SHAs from verified orgs.

Critical #5: GitHub Actions pwn-request — Widespread

The pull_request_target + actions/checkout + PR head SHA pattern is the single most-exploited GitHub Actions misconfiguration in 2026. A forked PR from an attacker can execute code in the base repo's context — with full access to secrets including cloud credentials and API keys.

Remediation: Never combine pull_request_target with a checkout of the PR head. Use pull_request for untrusted workflows.


Findings by Category

CategoryRepos affectedSeverityTrend vs 2025
Prompt injection (unvalidated tool chains) 11/50 Critical ↓ 29pp prevalence
Secrets in source 9/50 High ↓ 31pp — best improvement
Model supply chain (pickle, typosquats) 6/50 Critical Unchanged
MCP unauthenticated endpoints 5/50 Medium ↑ new category
RAG corpus integrity 4/50 High ↑ new category
GitHub Actions misconfigs Multiple Critical Unchanged

Score Distribution — 50 Repositories

GradeScore rangeRepos
F0–1923 repos
D20–3912 repos
C40–599 repos
B60–794 repos
A/B80–1002 repos
Average: 34/100

Fail rate: 88%. Only 6 of 50 repos earned a grade of C or above.


Top 5 Most Secure Repos

These repos earned the highest scores — they have security practices worth studying.

A

stanfordnlp / dspy

DSPy — declarative self-improving AI pipelines. Signed releases, weights_only=True, no exposed MCP endpoints.

84/100
A

BerriAI / litellm

LiteLLM — unified API for 100+ LLMs. Comprehensive secret scanning in CI, strong dependency pinning.

81/100
B

openai / swarm

OpenAI Swarm — experimental multi-agent framework. Minimal attack surface due to lean design.

72/100
B

geekan / MetaGPT

MetaGPT — multi-agent SDE team. Active maintenance, good prompt boundary hygiene.

69/100
B

All-Hands-AI / OpenHands

OpenHands — AI coding agent. Strong CI/CD controls, no critical supply chain issues.

68/100

5 Repos With Highest Improvement Potential

F

Significant-Gravitas / AutoGPT

185k stars. Unvalidated tool call chains + hardcoded secrets + template injection (CVE-2025-1040 patched).

18/100
F

langchain-ai / langchain

138k stars. Serialization injection (CVE-2025-68664 patched) + 9 total findings.

22/100
F

joaomdmoura / crewAI

30.5k stars. Docker fallback vulnerability (CVE-2026-2287 patched) + 4 findings.

25/100
F

assafelovic / gpt-researcher

24.9k stars. Unvalidated RAG corpus fetch + MCP endpoint unauthenticated.

20/100
F

Pythagora-io / gpt-pilot

32.4k stars. Prompt injection + MCP tool sprawl.

24/100

What This Means If You're Shipping AI Agents

If you're building on top of LangChain, AutoGPT, CrewAI, or any repo in the F-tier — you're inheriting their vulnerabilities by default. Your users are affected by supply chain bugs they didn't know existed.

The attack surface isn't just your code. It's:

The uncomfortable truth: most teams shipping AI agents today have never scanned their dependencies for these patterns.

What has actually improved

The community isn't standing still. Secrets hygiene has meaningfully improved — exposed keys down 31 percentage points year-over-year. Prompt injection prevalence dropped from 87% to 58% in the same cohort.

The gap is between "teams who scan" and "everyone else." The repos that have improved are the ones that adopted automated scanning in CI. The 23 F-tier repos are almost uniformly older, less-maintained projects where no one is running the scanner.


How to Find Out Where You Stand

Run Nixer against your repo. Takes 30 seconds. No signup required.

npx nixer scan https://github.com/your-org/your-agent