ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerabi...
Description
ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1.
AI Analyst Comment
Remediation
Update NVIDIA garak to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: NVIDIA
PRODUCT: garak
AFFECTED_VERSIONS: 1.0.0 to 1.4.0
CONFIDENCE: high
MISSING: none
---END_METADATA---
Description Summary:
A remote code execution vulnerability exists in the NVIDIA garak AI scanner via JavaScript injection within the BrowserAutomation::PlaywrightService component.
Executive Summary:
A critical remote code execution vulnerability in NVIDIA garak allows unauthenticated attackers to execute arbitrary code via JavaScript injection.
Vulnerability Details
CVE-ID: CVE-2026-41512
Affected Software: NVIDIA garak
Affected Versions: 1.0.0 through 1.4.0
Vulnerability: The vulnerability exists in the
BrowserAutomation::PlaywrightServicecomponent, which improperly handles input, allowing for JavaScript injection. This flaw can be triggered remotely without authentication, leading to full system compromise.Business Impact
With a CVSS score of 9.9, this vulnerability represents an extreme risk to any environment deploying the garak AI scanner. Successful exploitation grants an attacker the ability to execute arbitrary code with the privileges of the garak service, leading to full system compromise, exfiltration of sensitive AI model data, or lateral movement within the network.
Remediation Plan
Immediate Action: Update the NVIDIA garak installation to version 1.4.1 or later immediately.
Proactive Monitoring: Monitor system logs for unusual process execution, unauthorized network connections originating from the scanner, or unexpected JavaScript execution errors in the Playwright service.
Compensating Controls: Deploy a Web Application Firewall (WAF) or equivalent inspection tool to filter malicious payloads targeting browser automation services. Restrict network access to the scanner to authorized internal subnets only.
Exploitation Status
Public Exploit Available: Not specified
Analyst Notes: As of May 8, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Due to the remote code execution nature of this vulnerability and its near-maximum CVSS score, immediate patching is mandatory. Organizations must ensure that any instance of garak is updated to version 1.4.1 to eliminate the injection vector.