State of AI Security 2026: We Scanned 50 Top OSS AI Repos. Here's What We Found.Research Report
The TL;DR
Last month we audited the top 50 most-starred open-source AI agent repos on GitHub. Average score: 34 out of 100. Fifty-eight percent had at least one critical finding. We flagged it as a baseline.
Eight days later, we re-ran the scanner. The numbers held. The attack surface hasn't shrunk.
This is the State of AI Security 2026.
The Worst Findings
Critical #1: Unvalidated Tool Call Chains — AutoGPT, 18/100, 185k stars
AutoGPT has an active exploit chain: raw user input → LLM context → tool invocation with no boundary validation. We demonstrated it. They patched CVE-2025-1040 — but the underlying pattern persists. Any attacker who can influence user input can redirect tool calls to arbitrary endpoints.
Remediation: Tag user input at the boundary so it cannot masquerade as system intent. Validate tool call structure before execution.
Critical #2: Serialization Injection — langchain, 22/100, 138k stars
LangChain's serialization layer accepts untrusted lc_serializable subclasses with arbitrary load()/__reduce__() hooks. CVE-2025-68664 was patched, but the blast radius is anyone using langchain-core's serialization utilities. If you're on LangChain < 0.3.x, assume this is present.
Remediation: Never deserialize langchain objects from untrusted sources. Audit your serialization calls.
Critical #3: Unauthenticated MCP Endpoints — gpt-researcher, 20/100, 24.9k stars
The fetch_url tool and the MCP tool manifest are publicly accessible on gpt-researcher's default deployment configuration. We pulled the full tool list — including send_email and read_file — without authentication. Any actor with the endpoint URL can enumerate and invoke tools, bypassing the agent's safety layer entirely.
Remediation: Bind MCP servers to localhost. Require Authorization: Bearer on all endpoints. Audit whether privileged tools are necessary in the manifest.
Critical #4: Pickle RCE on Model Load — 6 repos across 50
Six of the 50 scanned repos call torch.load() without weights_only=True. A malicious .pt file can embed arbitrary Python callables — os.system(), subprocess.run(), anything — that executes the moment the file is loaded. Three of these repos additionally load models from unverified HuggingFace publishers (individual accounts, <100 downloads, no model card, pickle-only weights).
Remediation: Set weights_only=True on every torch.load() call. Migrate to safetensors format. Pin models to specific commit SHAs from verified orgs.
Critical #5: GitHub Actions pwn-request — Widespread
The pull_request_target + actions/checkout + PR head SHA pattern is the single most-exploited GitHub Actions misconfiguration in 2026. A forked PR from an attacker can execute code in the base repo's context — with full access to secrets including cloud credentials and API keys.
Remediation: Never combine pull_request_target with a checkout of the PR head. Use pull_request for untrusted workflows.
Findings by Category
| Category | Repos affected | Severity | Trend vs 2025 |
|---|---|---|---|
| Prompt injection (unvalidated tool chains) | 11/50 | Critical | ↓ 29pp prevalence |
| Secrets in source | 9/50 | High | ↓ 31pp — best improvement |
| Model supply chain (pickle, typosquats) | 6/50 | Critical | Unchanged |
| MCP unauthenticated endpoints | 5/50 | Medium | ↑ new category |
| RAG corpus integrity | 4/50 | High | ↑ new category |
| GitHub Actions misconfigs | Multiple | Critical | Unchanged |
Score Distribution — 50 Repositories
| Grade | Score range | Repos |
|---|---|---|
| F | 0–19 | 23 repos |
| D | 20–39 | 12 repos |
| C | 40–59 | 9 repos |
| B | 60–79 | 4 repos |
| A/B | 80–100 | 2 repos |
Fail rate: 88%. Only 6 of 50 repos earned a grade of C or above.
Top 5 Most Secure Repos
These repos earned the highest scores — they have security practices worth studying.
stanfordnlp / dspy
DSPy — declarative self-improving AI pipelines. Signed releases, weights_only=True, no exposed MCP endpoints.
BerriAI / litellm
LiteLLM — unified API for 100+ LLMs. Comprehensive secret scanning in CI, strong dependency pinning.
openai / swarm
OpenAI Swarm — experimental multi-agent framework. Minimal attack surface due to lean design.
geekan / MetaGPT
MetaGPT — multi-agent SDE team. Active maintenance, good prompt boundary hygiene.
All-Hands-AI / OpenHands
OpenHands — AI coding agent. Strong CI/CD controls, no critical supply chain issues.
5 Repos With Highest Improvement Potential
Significant-Gravitas / AutoGPT
185k stars. Unvalidated tool call chains + hardcoded secrets + template injection (CVE-2025-1040 patched).
langchain-ai / langchain
138k stars. Serialization injection (CVE-2025-68664 patched) + 9 total findings.
joaomdmoura / crewAI
30.5k stars. Docker fallback vulnerability (CVE-2026-2287 patched) + 4 findings.
assafelovic / gpt-researcher
24.9k stars. Unvalidated RAG corpus fetch + MCP endpoint unauthenticated.
What This Means If You're Shipping AI Agents
If you're building on top of LangChain, AutoGPT, CrewAI, or any repo in the F-tier — you're inheriting their vulnerabilities by default. Your users are affected by supply chain bugs they didn't know existed.
The attack surface isn't just your code. It's:
- The tools your agents call — MCP endpoints without auth, tool manifests publicly enumerated
- The models your agents load — pickle files, unverified HuggingFace repos
- The context your agents trust — RAG corpora that can be SEO-poisoned, external content that can be injection vehicles
- The CI that builds your agents — GitHub Actions patterns that hand secrets to forked PRs
The uncomfortable truth: most teams shipping AI agents today have never scanned their dependencies for these patterns.
The community isn't standing still. Secrets hygiene has meaningfully improved — exposed keys down 31 percentage points year-over-year. Prompt injection prevalence dropped from 87% to 58% in the same cohort.
The gap is between "teams who scan" and "everyone else." The repos that have improved are the ones that adopted automated scanning in CI. The 23 F-tier repos are almost uniformly older, less-maintained projects where no one is running the scanner.
How to Find Out Where You Stand
Run Nixer against your repo. Takes 30 seconds. No signup required.