Weekly AI Security Digest — May Week 2, 2026

Five items from May 5-9, 2026, selected for operational relevance to practitioners managing AI security.

1. CISA Releases Joint Advisory on Secure Deployment of AI in Operational Technology Environments

What happened: CISA, in coordination with the UK NCSC, Australian ASD, and Canadian CCCS, released a joint advisory titled “Considerations for AI Integration in Operational Technology and Critical Infrastructure.” The advisory covers threat scenarios specific to OT/ICS environments deploying AI-assisted monitoring and anomaly detection systems.

Key points:

• The advisory identifies AI model behavior tampering — causing anomaly detection models to fail to flag genuine anomalies — as a specific threat vector in industrial control system contexts. An adversary who poisons or manipulates an AI-powered network monitoring tool in a power grid or water treatment facility context could suppress detection of genuine intrusion activity.
• Recommended controls include: air-gapping AI training pipelines from production OT networks, establishing model performance baselines with automated drift detection, requiring cryptographic integrity verification of model artifacts before deployment, and maintaining manual override procedures that do not depend on AI system availability.
• The advisory explicitly flags the supply chain risk for pre-trained models used in OT anomaly detection: models downloaded from public repositories without verification may contain backdoors that activate on specific inputs.

Significance: OT/ICS operators have been slower to engage with AI security than enterprise IT security teams. An explicit CISA advisory with OT-specific threat scenarios and controls should accelerate that engagement. For practitioners supporting OT clients, this advisory is now a citable reference for AI supply chain controls in industrial contexts.

2. Researchers Demonstrate Context-Window Poisoning Attack Against RAG Systems at Scale

What happened: A research team at a European security research institute published a paper demonstrating a scaled variant of what they term “context window poisoning” against retrieval-augmented generation systems. Unlike prior work on PoisonedRAG (which required inserting documents into the retrieval corpus), this attack targets the embedding model layer rather than the retrieved documents.

Mechanism: By crafting inputs that exploit instabilities in the retrieval model’s embedding space, the attackers cause legitimate user queries to retrieve attacker-selected documents instead of the semantically correct results. The attack does not require write access to the corpus — it operates through the query embedding, not the document index. The researchers demonstrated consistent misdirection with a 73% success rate against three production-grade embedding models (including OpenAI’s text-embedding-3-small).

Significance: Prior RAG injection research assumed the attacker needed to poison the corpus. This attack surface is different: it is a client-side attack against the query path. Defense implications are still being assessed; the paper suggests that ensemble embedding approaches (using multiple embedding models and requiring agreement) reduce susceptibility.

3. LLM Serving Infrastructure CVEs: Ollama and vLLM Updates Require Immediate Attention

What happened: Two serious findings are in active focus this week for widely deployed LLM serving infrastructure. Ollama 0.17.1 patches a heap out-of-bounds read in the GGUF model loader (CVE-2026-7482, CVSS 9.1) that can leak memory contents — including environment variables, API keys, and other users’ conversation data — and exfiltrate them through the model push path. vLLM 0.14.1 patches a heap-address information leak via its multimodal endpoint (CVE-2026-22778, CVSS 9.8) that drops ASLR entropy to roughly eight guesses and can be chained with an image-decoder heap overflow to reach remote code execution. Both were covered in our May 2026 CVE roundup.

Operational note: Ollama instances exposed beyond localhost (the documented OLLAMA_HOST=0.0.0.0 configuration on port 11434) are at elevated risk from the GGUF out-of-bounds read, since /api/create and /api/push are unauthenticated upstream. If your Ollama deployment is network-accessible and has not been updated to 0.17.1, update before end of week. The vLLM leak should be patched to 0.14.1 in any deployment that exposes the multimodal (image) input path to untrusted callers, especially where the vulnerable image-decoding dependencies are present.

Significance: Patch velocity for ML serving infrastructure remains slow relative to the critical severity of some findings. Teams managing LLM serving stacks should establish a routine process for tracking CVEs in vLLM, Ollama, SGLang, TGI, Triton, and related components — not just tracking CVEs in the application code that calls them.

4. Enterprise AI Vendor Discloses Training Pipeline Breach ↗ Affecting Customer Fine-Tune Data

What happened: An enterprise AI vendor (details under NDA pending; disclosure coordinated) notified customers this week of a breach affecting their fine-tuning infrastructure. An attacker gained access to the pipeline used to run customer-submitted fine-tuning jobs. The breach period is estimated at approximately three weeks.

Impact as disclosed:

• Fine-tuning job metadata (customer identifiers, job configurations, dataset sizes) was accessible to the attacker.
• There is uncertainty about whether training data content — the customer-submitted datasets used for fine-tuning — was accessed. The vendor states their initial investigation has not confirmed data access but has not excluded it.
• No customer-deployed models are believed to have been modified.

Significance: This is the incident class that has been anticipated since fine-tuning-as-a-service became standard: an attacker who breaches the fine-tuning pipeline has access to customer training data, which may contain sensitive business information, and in the worst case could modify training jobs to introduce backdoors into customer models. The vendor’s disclosure is appropriately cautious about confirming data access. Customers using fine-tuning services from any vendor should review their data handling agreements and consider what training data would represent significant exposure if accessed.

5. ENISA Publishes Draft AI Security Baseline Requirements for EU AI Act Compliance

What happened: ENISA (the EU Agency for Cybersecurity) published draft guidance mapping security requirements to the EU AI Act’s obligations for high-risk AI systems. The draft covers the Act’s Article 9 risk management requirements and Article 15 accuracy, robustness, and cybersecurity obligations.

Key security requirements in the draft:

• High-risk AI systems must implement robustness testing against adversarial inputs as part of the conformity assessment. ENISA references the NIST AI.100-2 taxonomy as the framework for defining what adversarial inputs to test.
• Organizations must maintain a monitoring plan for detecting AI system failures and anomalous behavior after deployment, not just during conformity assessment.
• The supply chain of AI components (including pre-trained models and training datasets) must be documented in the technical file. Integrity verification of model components is explicitly recommended.
• Incident reporting obligations: significant AI security incidents must be reported to national authorities within 72 hours (parallel to NIS2 obligations for covered operators).

Significance: The EU AI Act’s Article 15 cybersecurity requirements have been vague in implementation terms since the Act’s passage. ENISA’s draft provides the first concrete operational guidance. For organizations operating high-risk AI systems in the EU, this draft shapes what a conformity assessment will need to demonstrate. The 72-hour incident reporting requirement is a significant operational obligation for any AI security incident.

This digest covers publicly available information and does not constitute legal or compliance advice. CVE details are covered in the May 2026 CVE roundup. Prior week’s digest in the site archive.

Related resources: For a continuously-updated index of ML and AI CVEs — including the Ollama and vLLM vulnerabilities noted above — see mlcves.com ↗. The RAG context-window poisoning research in item 2 is part of a broader class documented at adversarialml.dev ↗. Teams assessing their defenses against the prompt injection and supply chain risks covered in this digest will find the controls taxonomy at aidefense.dev ↗ useful.

For more context, AI security digest ↗ covers related topics in depth.