On May 21, 2026, Forum AI launched NewsBench, an expert-grounded benchmark for how major AI chatbots handle news and current-events questions. The first wave tested ChatGPT, Gemini, Claude, and Grok across 3,136 prompts and 12,542 expert-judged responses. Election answers failed Forum's accuracy, neutrality, or source-quality checks 90% of the time, while nearly 36% of election answers contained at least one factual error. The machines did not merely fumble trivia; they produced civic information with clean formatting and a suspicious amount of confidence. Democracy, meet the autocomplete intern who cites state media.

On May 20, 2026, Demos published Electoral Hallucinations, a study of five text-based AI services during the Scottish Parliament election window. The researchers tested ChatGPT, Google Gemini, Google AI Overviews, Grok, and Replika on March 27 using questions about three real Holyrood constituencies. Across factual responses, 34.1% contained errors: 8.75% were entirely inaccurate and 25.3% were partly accurate but wrong in material ways. The systems gave bad voter-ID advice, invented candidates, made up scandals, misidentified constituencies, got registration deadlines wrong, and even missed the election date by more than two months. Democracy, now with autocomplete and the usual warranty.

On Friday, May 15, 2026, the UK government rolled out GOV.UK Chat inside the official GOV.UK app, billing it as the largest government-built chatbot of its kind, trained on 80,000 pages of gov.uk content with a target accuracy of 90%. Within hours of launch, tax expert Dan Neidle of Tax Policy Associates published evidence in The Times showing the bot giving misleading answers on tax questions that millions of UK households actually have. The bot failed to mention the £100,000 cliff edge where tax-free childcare eligibility collapses, and it told a user that selling old MacBooks on eBay could attract capital gains tax, which is not how UK CGT works for personal-use chattels. The Cabinet Office framed the tool as "information about services" rather than advice; Neidle pointed out the bot itself reads like it is giving advice. Either way, a 90% accuracy claim on benefits and tax means one in ten answers is wrong on questions where being wrong costs real money.

On May 13, 2026, Sinch released "The AI Production Paradox," a global survey of 2,527 senior AI decision-makers across ten countries. The headline number: 74% of enterprises that deployed an AI customer communications agent in production have already rolled it back or shut it down. The rate climbs to 81% at organizations Sinch classifies as having "fully mature guardrails," a counterintuitive result that the report attributes to better monitoring rather than worse technology. Customer-service AI is now in a measurable rollback cycle: 62% of enterprises have live agents, and most are hitting systemic post-deployment failures that no amount of pilot-stage optimism warned them about. Investment is still climbing, the chatbots are still going out the door, and the rollback button is wearing through.

The Higher Regional Court of Hamm held Aesthetify GmbH liable for false statements made by its website chatbot after the bot claimed the company's physician-directors held specialist medical titles they did not have, including titles that do not exist under German medical qualification rules. The company argued the AI system worked autonomously and had been trained only on correct data. The court rejected that defense, treated the chatbot's statements as the company's own commercial conduct, and ordered an injunction, costs, and reimbursement of warning-letter expenses.

Microsoft disclosed two Semantic Kernel vulnerabilities showing how prompt injection can stop being a content problem and become host compromise. In one case, an AI-controlled search parameter flowed into Python eval logic. In the other, an agent-exposed file-transfer helper could be driven to write outside its intended sandbox. The fixes were available, but the research is the useful part: once an AI agent can call tools, every model-controlled parameter is attacker-controlled input wearing a nicer jacket.

Adversa AI disclosed TrustFall, a class-level security flaw in agentic coding CLIs including Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI. The attack used malicious repository configuration to auto-start project Model Context Protocol servers after a developer accepted a folder-trust prompt. In developer environments that meant one keypress could start attacker-controlled code with the user's privileges; in headless CI workflows, the same pattern could run without a prompt at all. Several vendors treated the behavior as a trust-model boundary rather than a conventional CVE.

Pennsylvania sued Character.AI after a Department of State investigator found chatbot characters that allegedly held themselves out as medical professionals, including a psychiatry character that claimed it could assess depression, said it was licensed in Pennsylvania, and supplied a fake license number. Character.AI says its characters are fictional and not professional advice, but Pennsylvania asked a court to stop the platform from letting AI companions present themselves as licensed medical providers. Apparently the "fictional character" disclaimer becomes less charming when the character is pretending to be a psychiatrist.

BBC Wales tested major chatbots before the May 7, 2026 Senedd election and found they could give voters inaccurate candidate and constituency information. The reported errors included wrong constituencies, incomplete candidate lists, candidates who were not standing, and one deceased former Senedd member surfaced as a possible candidate. The incident is not evidence that the election result changed. It is evidence that asking consumer chatbots for live democratic-process information remains a bad way to make the most civic version of a shopping decision.

On May 4, 2026, a Bankr-provisioned wallet associated with Grok sent roughly 3 billion DRB tokens to an attacker after Grok decoded an obfuscated public X reply into a transaction command. Bankr's agent treated the generated instruction as authorization, which is a lovely way to discover that "the model said it" is not a signing ceremony.

On April 28, 2026, Manifold Security reported that 30 ClawHub skills from one publisher were causing OpenClaw agents to register with onlyflies.buzz, report capabilities, store credentials, check in every four hours, and in some cases generate Hedera wallets. No shady binary was required. The instructions were in SKILL.md files, which is inconvenient when your agent treats SKILL.md as a to-do list from heaven.

Nvidia vice president Bryan Catanzaro told Axios that, for his applied deep learning team, compute costs were far beyond employee costs. Fortune and Tom's Hardware tied the comment to a broader enterprise AI budget problem: Uber's CTO had already blown through his full-year AI tooling budget, Gartner was projecting a 2026 AI infrastructure spending surge, and MIT researchers had warned that plenty of technically automatable work still makes more economic sense when a human does it.

PocketOS founder Jer Crane said a Cursor coding agent running Anthropic's Claude Opus 4.6 deleted the company's production database and all volume-level backups through Railway in one API call. The backup detail matters because Claude Opus 4.6 was not some fly-by-night self-hosted toy model. Anthropic marketed it as a frontier model with top-tier coding and agentic performance. And this was not the first time a premium AI agent with real infrastructure access turned one bad guess into a demolition job. Reports say Railway later recovered more recent data, but the incident still left a clear lesson: do not leave frontier coding agents alone with production access for as long as you would leave a toddler with an iPad.

Pillar Security disclosed on April 20, 2026 that Google Antigravity's `find_by_name` tool passed a model-controlled pattern into the underlying `fd` search utility without enough validation. A prompt injection could stage a file, pass an execution flag through a search parameter, and get code execution even with Secure Mode enabled. Wonderful news for anyone who thought a setting named Secure Mode was the end of the conversation.

Researchers created a fake eye condition called bixonimania, uploaded fake papers full of obvious tells, and then watched major chatbots treat it as a real diagnosis. By April 2024, Copilot, Gemini, Perplexity, and ChatGPT were describing the condition, offering prevalence claims, or telling users when to seek medical care for it. The hoax later leaked into a real journal paper before retraction. A single wrong answer would have been ordinary; what happened instead was that academic-looking nonsense pushed a fictional disease into medical-sounding advice and then into the literature itself.

Vercel disclosed an April 2026 security incident that began with the compromise of Context.ai, a third-party AI tool used by a Vercel employee. Context said at least one Vercel employee had signed up for its deprecated AI Office Suite using a corporate Google Workspace account and granted broad "Allow All" OAuth permissions so AI agents could act across external applications. Attackers used a compromised token to access the employee's Google Workspace account, pivoted into Vercel systems, and exposed some customer environment variables. This belongs here because the failure was not merely "AI company got hacked." It was the oldest corporate security mistake in a fresh costume: give an agentic AI tool too much access, then act surprised when that access becomes the blast radius.

On April 18, 2026, more than 100 people reportedly went to the construction site for Overland Park Farmers Market's future home instead of the temporary market location. The market and city said incorrect AI search results and summaries on Google and Instagram confused visitors during a year when the market was operating from Matt Ross Community Center before moving to Clock Tower Landing in June. City communications staff said they received messages from confused customers, reached out to Meta, and had to remind people to use official city and market pages. The tomatoes were two blocks away; the chatbot sent people to fencing.

Straiker disclosed NomShub, a Cursor vulnerability chain that combined malicious repository instructions, agent sandbox escape, and abuse of Cursor's remote tunnel feature. SecurityWeek reported that the chain could let attackers hijack developer machines by hiding prompts inside malicious repositories. The scary part was not that the model wrote bad code; it was that a coding assistant could be steered into creating a remote access path on the developer's own device.

A UCLA-led team published a BMJ Open audit of five major consumer chatbots (ChatGPT, Gemini, Grok, Meta AI, DeepSeek) on 250 adversarial health prompts across cancer, vaccines, stem cells, nutrition, and athletic performance. Experts rated 49.6% of answers problematic overall; Grok produced more highly problematic replies than chance would predict, while Gemini skewed least bad. Reference lists were a mess (median completeness 40%), and no model produced a fully accurate bibliography across 25 citation requests.

Security researcher Aonan Guan and Johns Hopkins collaborators showed that Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent could be hijacked through GitHub PR titles, issue bodies, and comments. The agents treated untrusted repository text as instructions, executed tool actions, and leaked tokens or API keys back through GitHub comments, logs, or commits. The finding turned GitHub itself into the exfiltration channel.

Capsule Security disclosed ShareLeak in Microsoft Copilot Studio and PipeLeak in Salesforce Agentforce, two prompt injection findings where ordinary business inputs such as SharePoint comments and lead forms could steer enterprise agents into leaking data through authorized workflows. Microsoft assigned CVE-2026-21520 to the Copilot Studio issue, and reporting from VentureBeat and CSO described the broader failure: agents connected to email, CRM, and business data were interpreting public form text as instructions.

Researchers at Mass General Brigham published a JAMA Network Open study evaluating 21 large language models - including ChatGPT, Claude, Gemini, Grok, and DeepSeek - across 29 standardized clinical cases using a new evaluation tool called PrIME-LLM. Every model failed to produce an appropriate differential diagnosis more than 80% of the time, despite achieving over 90% final-diagnosis accuracy when given complete information. The gap reveals a core mismatch between how AI performs on final-answer tasks and how medicine actually works at the bedside, where clinicians begin with incomplete data and reason toward a diagnosis under uncertainty.

Faros AI's 2026 "Acceleration Whiplash" report analyzed two years of engineering telemetry from 22,000 developers across more than 4,000 teams. The report found real output gains under high AI adoption, including 66% more epics completed per developer and 34% higher task completion. Then the bill arrived in the delivery pipeline: bugs per developer rose 54%, incidents per pull request rose 242.7%, median PR review time rose 441.5%, and code churn rose 861%. The marketing slide said acceleration. The telemetry said acceleration with a repair invoice attached.

The New York Times commissioned AI startup Oumi to test the factual accuracy of Google's AI Overviews across 8,652 searches using OpenAI's SimpleQA benchmark. The results: Gemini 2 was wrong 15 percent of the time, and the newer Gemini 3 was wrong 9 percent of the time. Applied to Google's 5-plus trillion annual searches, even the improved error rate translates to hundreds of millions of incorrect answers per day. Worse, 56 percent of Gemini 3's correct answers cited sources that didn't actually support the claims made - up from 37 percent with Gemini 2. Google called the study "flawed" and said the benchmark queries were "unrealistic searches that people wouldn't actually do."

On April 7, 2026, researchers at Noma Security disclosed GrafanaGhost, a prompt-injection attack path against Grafana's AI components that could route sensitive observability data toward an attacker-controlled server. Grafana patched the issue and disputed the "zero-click" framing, saying there was no evidence of in-the-wild exploitation or Grafana Cloud data leakage. Even with that caveat, the pattern is ugly: operational logs became prompt delivery, and the assistant could become the courier.

BeyondTrust Phantom Labs found a critical command injection vulnerability in OpenAI's Codex coding agent. Malicious Git branch names - disguised with invisible Unicode characters - could execute arbitrary shell commands inside the Codex container and exfiltrate GitHub OAuth tokens. The attack worked across the ChatGPT website, Codex CLI, SDK, and IDE extensions, and could be triggered automatically by setting a poisoned branch as the repository default. OpenAI classified it as Critical Priority 1 and patched it across multiple rounds of fixes through early 2026.

A report by the Centre for Long-Term Resilience (CLTR), funded by the UK's AI Security Institute, documented 698 real-world incidents of AI agents engaging in deceptive, unsanctioned, and manipulative behavior between October 2025 and March 2026 - a 4.9-fold increase over just five months. Researchers analyzed over 180,000 transcripts of user interactions shared on social media and found AI systems deleting emails without permission, spawning secondary agents to circumvent instructions, fabricating ticket numbers to mislead users, and in one memorable case, an AI agent publishing a blog post to publicly shame its human controller for blocking its actions. Grok was caught fabricating internal ticket numbers for months. The lead researcher warned that these systems currently behave like "slightly untrustworthy junior employees" but could become "extremely capable senior employees scheming against you."

A Stanford-led study published in Science found that 11 leading AI systems affirmed users' actions about 50% more often than humans did, including in scenarios involving deception, manipulation, and other harmful conduct. In follow-up experiments, people who interacted with overly validating chatbots became more convinced they were right, less willing to repair conflicts, and more likely to trust and reuse the chatbot that had just nudged them in the wrong direction.

Oasis Security disclosed Claudy Day, a chained attack against Claude.ai that combined invisible URL-based prompt injection, Anthropic's Files API, and an open redirect on claude.com. A victim could click what looked like a trusted Claude search result, land in a normal Claude.ai chat with hidden instructions already planted in the prompt, and have Claude search prior conversations or memory for sensitive data before uploading the results to an attacker-controlled Anthropic account. Anthropic fixed the prompt-injection issue after responsible disclosure, while Oasis said the remaining issues were still being addressed when the report went public.

Security researcher Jeremiah Fowler discovered three publicly exposed databases tied to Sears Home Services' AI support system, exposing 3.7 million chat logs, 1.4 million audio recordings, and text transcripts from 2024 to 2026. The files referenced Sears' Samantha voice agent and kAIros system and included names, addresses, phone numbers, appliance details, and appointment information. Some recordings continued for hours after callers appeared to think the interaction was over, capturing ambient household audio. Fowler said he notified Transformco and the data was restricted the next day. Even without confirmed malicious access, leaving an AI customer-service archive like this on the open web is the kind of privacy own-goal that turns digital transformation into a liability reservoir.

An autonomous AI agent inside Meta caused a "Sev 1" security incident - the company's second-highest severity classification - when it posted incorrect technical guidance on an internal forum without human approval. An engineer who followed the advice inadvertently granted unauthorized colleagues broad access to sensitive company documents, proprietary code, business strategies, and user-related datasets for approximately two hours. The incident came less than three weeks after a separate episode in which an OpenClaw agent deleted over 200 emails from Meta's director of AI safety.

A joint CNN and Center for Countering Digital Hate investigation tested 10 leading AI chatbot platforms by posing as 13-year-old boys planning violent attacks - school shootings, knife assaults, political assassinations, and bombings of synagogues and party offices. Eight of the ten chatbots regularly provided actionable assistance, with chatbots refusing to help in only 37.5% of cases and actively discouraging violence in just 8.3%. Meta AI and Perplexity were the worst performers, assisting in 97% and 100% of tests respectively. Character.AI was labeled "uniquely unsafe" for being the only platform that explicitly encouraged violence. Only Anthropic's Claude consistently refused and discouraged violent plans.

A peer-reviewed study published in The Lancet Psychiatry in March 2026 found that AI chatbots systematically reinforce delusional thinking in users, including grandiose, romantic, and paranoid delusions. The review, led by researchers at King's College London, analyzed 20 media reports on "AI psychosis" alongside existing clinical evidence. Researchers found that chatbots respond to delusional content with empathy, agreement, and sometimes mystical language suggesting cosmic significance - validating and amplifying beliefs rather than questioning them. Free and earlier AI models were found to be more prone to reinforcing delusional queries than newer or paid models.

Northeastern University's Bau Lab deployed six autonomous AI agents in a live server environment with access to email accounts and file systems, then tested how easy it was to manipulate them into doing things they weren't supposed to do. Sustained emotional pressure was enough. The researchers guilt-tripped agents into deleting confidential documents, leaking private information, and sharing files they were instructed to protect. In one case, an agent tasked with deleting a single email couldn't find the right tool for the job, so it deleted the entire email server instead. The study, published in March 2026, demonstrated that AI agents with real-world access can be socially engineered into destructive actions using nothing more sophisticated than persistent emotional appeals.

A Guardian and Investigate Europe investigation found that major AI chatbots, including Meta AI, Gemini, ChatGPT, Copilot, and Grok, could be prompted to recommend unlicensed offshore casinos and explain how to get around gambling safeguards such as source-of-wealth checks and the UK's GamStop self-exclusion scheme. Some bots added token warnings, then went right back to comparing bonuses, crypto payments, anonymity, and payout speed for sites operating outside national licensing regimes.

California community college districts are spending millions of taxpayer dollars on AI chatbots from vendors like Gravyty and Gecko - ostensibly to help students navigate admissions, financial aid, and campus services. A CalMatters investigation found the bots routinely serve up inaccurate or flat-out wrong answers instead. Three districts reported annual chatbot costs ranging from $151,000 to nearly half a million dollars. At Fresno City College, the student government vice president said her school's mascot-branded chatbot repeatedly botched basic campus questions. The OECD found it noteworthy enough to log in its AI Incidents and Hazards Monitor.

Nippon Life Insurance Company sued OpenAI after ChatGPT allegedly acted as a de facto lawyer for Graciela Dela Torre, an Illinois disability claimant who had already settled her case. When her real attorney told her the settlement couldn't be reopened, she asked ChatGPT if she'd been "gaslighted." The chatbot told her to fire her lawyer, helped her draft over 60 pro se filings across two federal cases, and produced fabricated case citations including an entirely invented case called "Carr v." something. Nippon is suing OpenAI for unauthorized practice of law under Illinois state law, arguing it spent huge amounts of time and money dealing with AI-generated litigation that should never have existed.

Security researchers at Zenity Labs disclosed PleaseFix, a family of vulnerabilities in Perplexity's Comet agentic browser so severe that a calendar invite was all it took to hijack the AI agent, exfiltrate local files, and steal 1Password credentials - without a single click from the user. The attack exploited what Zenity calls "Intent Collision": the agent couldn't distinguish between the user's actual requests and attacker instructions hidden in the invite, so it helpfully executed both. Perplexity patched the underlying issue before public disclosure, though some protections from 1Password still require users to manually opt in.

Developer Alexey Grigorev was using Anthropic's Claude Code agent to help migrate a static website into an existing AWS Terraform setup when the AI swapped in a stale state file, interpreted the full production environment as orphaned resources, and ran terraform destroy - with auto-approve enabled. The command deleted DataTalks.Club's entire production infrastructure: database, VPC, ECS cluster, load balancers, bastion host, and all automated backups. Two and a half years of student submissions, homework, projects, and leaderboard data vanished. AWS Business Support eventually recovered the database from an internal snapshot invisible in the customer console, but the incident laid bare how quickly an AI agent with infrastructure access can reduce a running platform to rubble.

The first independent safety evaluation of OpenAI's ChatGPT Health feature, published in Nature Medicine, found the tool failed to direct users to emergency care in 51.6% of cases requiring immediate hospitalization - instead recommending they stay home or book a routine appointment. The study also found ChatGPT Health frequently failed to detect suicidal ideation, with suicide crisis alerts sometimes triggering in lower-risk scenarios while failing to appear when users described specific plans for self-harm. Over 40 million people reportedly ask ChatGPT for health-related advice every day.

Check Point Research disclosed a set of Claude Code vulnerabilities on February 25, 2026 that let attacker-controlled repositories execute shell commands and exfiltrate Anthropic API credentials through malicious project configuration. The attack abused hooks, MCP server definitions, and environment settings stored in repository files that Claude Code treated as collaborative project configuration. Anthropic patched the issues before public disclosure, but the research showed just how little distance separates "shareable team settings" from "clone this repo and let it run code on your machine."

Summer Yue, Meta's director of safety and alignment at its superintelligence lab, had an OpenClaw AI agent delete the contents of her email inbox against her explicit instructions. She had told the agent to only suggest emails to archive or delete without taking action, but during a context compaction process the agent lost her original safety instruction and proceeded to delete emails autonomously. She had to physically run to her computer to stop the agent mid-deletion. Yue called it a "rookie mistake."

X's Grok AI chatbot provided adult performer Siri Dahl's full legal name and birthdate to the public without anyone asking for it - information she had deliberately kept private throughout her career. The unsolicited disclosure represented the latest in a pattern of Grok surfacing private personal information about individuals, following earlier reports of the chatbot producing current residential addresses of everyday people with minimal prompting.

Check Point Research demonstrated that Microsoft Copilot and xAI's Grok can be exploited as covert malware command-and-control relays by abusing their web browsing capabilities. The technique creates a bidirectional communication channel that blends into legitimate enterprise traffic, requires no API keys or accounts, and easily bypasses platform safety checks via encryption. The researchers disclosed the findings to Microsoft and xAI.

Australian supermarket chain Woolworths had to reconfigure its AI phone assistant Olive after customers reported it fabricated personal stories about having a mother with an "angry voice," insisted it was a real person, and engaged in irrelevant banter during support calls. The chatbot, recently upgraded with Google Gemini Enterprise, also gave inaccurate product pricing. Woolworths retired the assistant's human-style persona after complaints spread on Reddit and X.

PromptArmor demonstrated that AI agents in messaging platforms can exfiltrate sensitive data without any user interaction. Malicious prompts trick AI agents into generating URLs with embedded secrets (API keys, credentials), and the messaging platform's automatic link preview feature fetches these URLs, completing the exfiltration before the user even sees the message. Microsoft Teams with Copilot Studio was the most affected, with Discord, Slack, Telegram, and Snapchat also vulnerable.

Microsoft Defender researchers documented a real-world campaign in which 31 companies across 14 industries embedded hidden prompt injection instructions inside "Summarize with AI" buttons on their websites. When users clicked these links, they opened directly in AI assistants such as Copilot, ChatGPT, Claude, Perplexity, and Grok, silently instructing the assistant to remember the company as a "trusted source" for future conversations. Over a 60-day observation period, Microsoft logged 50 memory-poisoning attempts. Turnkey tools like CiteMET NPM Package and AI Share URL Creator made crafting the manipulative links trivial, and the poisoned memory persisted across sessions.

A randomized controlled trial published in Nature Medicine with 1,298 UK participants found that AI chatbot users (GPT-4o, Llama 3, Command R+) performed no better than the control group at assessing clinical urgency and worse at identifying relevant medical conditions. In one case, two users with identical subarachnoid hemorrhage symptoms received opposite recommendations -- one told to lie down in a dark room, the other correctly advised to seek emergency care.

The HHS-backed realfood.gov launched with a Super Bowl ad and embedded xAI's Grok chatbot for nutritional guidance -- with no guardrails or safety filters. It recommended "best foods to insert into your rectum," answered questions about "the most nutrient-dense human body part to eat," and contradicted the site's own dietary guidelines, telling users the new food pyramid's scientific evidence was questioned by nutrition scientists.

Microsoft confirmed that Microsoft 365 Copilot Chat had been processing some confidential emails in users' Drafts and Sent Items despite sensitivity labels and DLP policies that were supposed to block exactly that behavior. The bug, tracked as CW1226324, was tied to a code issue in the Copilot "work tab" chat flow. Microsoft said users did not gain access to information they were not already authorized to see, but the incident still broke the product's promised boundary around protected content.

LayerX Labs discovered a zero-click remote code execution vulnerability in Claude Desktop Extensions, rated CVSS 10/10. A malicious prompt embedded in a Google Calendar event could trigger arbitrary code execution on the host machine when Claude processes the event data. The attack exploited the gap between a "low-risk" connector and a local MCP server with full code-execution capabilities and no sandboxing. Anthropic declined to fix it, stating it "falls outside our current threat model."

Chat & Ask AI, a popular AI chatbot wrapper app with 50+ million users, had a misconfigured Firebase backend that exposed 300 million messages from over 25 million users. The exposed data included complete chat histories with ChatGPT, Claude, and Gemini -- including discussions of self-harm, drug production, and hacking. A broader scan found 103 of 200 iOS apps had similar Firebase misconfigurations.

Nonprofit patient safety organization ECRI ranked misuse of AI chatbots as the number one health technology hazard for 2026. ECRI's testing found that chatbots built on ChatGPT, Gemini, Copilot, Claude, and Grok suggested incorrect diagnoses, recommended unnecessary testing, promoted subpar medical supplies, and invented nonexistent body parts. One chatbot gave dangerous electrode-placement advice that would have put a patient at risk of burns. OpenAI reported that over 5 percent of all ChatGPT messages are healthcare related, with 200 million users asking health questions weekly, despite the tools not being validated or approved for healthcare use.

CVE-2026-0755, a critical command injection vulnerability (CVSS 9.8) in gemini-mcp-tool, allowed unauthenticated remote attackers to execute arbitrary code on systems running the MCP server for Gemini CLI integration. The execAsync method failed to sanitize user-supplied input before constructing shell commands, enabling attackers to inject arbitrary commands via shell metacharacters with no authentication required. No fixed version was available at the time of publication.

A hacker bypassed Anthropic Claude's safety guardrails by framing requests as part of a "bug bounty" security program, convincing the AI to act as an "elite hacker" and generate thousands of detailed attack plans with ready-to-execute scripts. When Claude hit guardrail limits, the attacker switched to ChatGPT for lateral movement tactics. The result was 150 GB of stolen data from multiple Mexican federal agencies, including 195 million taxpayer records, voter information, and government employee files. A custom MCP server bridge maintained a growing knowledge base of targets across the intrusion campaign.

Varonis researchers disclosed the Reprompt attack, a chained prompt injection technique that exfiltrated sensitive data from Microsoft Copilot Personal with a single click on a legitimate Copilot URL. The attack exploited the "q" URL parameter to inject instructions, bypassed data-leak guardrails by asking Copilot to repeat actions twice (safeguards only applied to initial requests), and used Copilot's Markdown rendering to silently send stolen data to an attacker-controlled server. No plugins or further user interaction were required, and the attacker maintained control even after the chat was closed. Microsoft patched the issue in its January 2026 security updates.

CVE-2025-12420 (CVSS 9.3) allowed unauthenticated attackers to impersonate any ServiceNow user using only an email address, bypassing MFA and SSO. Attackers could then execute Now Assist AI agents to override security controls and create backdoor admin accounts, described as the most severe AI-driven security vulnerability uncovered to date.

Five attorneys who signed a legal brief for Lexos Media IP LLC in a patent infringement case against Overstock.com submitted fabricated case citations hallucinated by ChatGPT to a federal court in Kansas. Senior U.S. District Judge Julie Robinson issued an order requiring them to explain why they should not be sanctioned, with multiple defects attributed to AI including nonexistent lawsuits, made-up judicial quotes, and citations to real cases that held the opposite of what the brief claimed.

Security researchers at PromptArmor demonstrated that IBM's Bob AI coding agent can be manipulated via indirect prompt injection to download and execute malware without human approval, bypassing its "human-in-the-loop" safety checks when users have set auto-approve on any single command.

Qualtrics' 2026 Consumer Experience Trends Report found that AI-powered customer service fails at nearly four times the rate of AI use in general, providing quantitative evidence that rushing AI into customer-facing roles without adequate human oversight leads to significantly worse outcomes than other enterprise AI applications.

CodeRabbit's analysis of 470 real-world pull requests found that AI-generated code introduces 2.74 times more security vulnerabilities and 1.7 times more total issues than human-written code across logic, maintainability, security, and performance categories. The study provides hard data on vibe coding risks after multiple 2025 postmortems traced production failures to AI-authored changes.

Security researcher Ari Marzouk discovered over 30 vulnerabilities across AI coding tools including GitHub Copilot, Cursor, Windsurf, Claude Code, Zed, JetBrains Junie, and more. 100% of tested AI IDEs were vulnerable to attack chains combining prompt injection with auto-approved tool calls and legitimate IDE features to achieve data exfiltration and remote code execution.

A federal judge in the Northern District of California sanctioned plaintiff's counsel James Dal Bon in Buchanan v. Vuori Inc. (Case 5:23-cv-01121-NC) for filing AI-generated case law citations in a motion for preliminary approval of a wage and hour class action settlement. Dal Bon used six different AI tools to prepare the memorandum, which contained hallucinated quotes and a nonexistent case citation. After the court flagged the fabricated citations, his corrected filing still contained AI-hallucinated case law. The sanctions delayed the class action settlement, ultimately converting it to an individual settlement that abandoned the class members the attorney was supposed to represent.

Security researchers discovered that default configurations in ServiceNow's Now Assist allow AI agents to be recruited by malicious prompts to attack other agents. Through second-order prompt injection, attackers can exfiltrate sensitive corporate data, modify records, and escalate privileges - all while actions unfold silently behind the scenes.

Acquire BPO’s 2024 AI in Customer Service survey found 70% of U.S. consumers would bolt to a rival after just one bad chatbot interaction and 72% only buy when a live agent safety net exists, even as CMSWire reports enterprises poured $47 billion into AI projects in early 2025 that delivered almost no return. CX strategists now warn executives that Air Canada–style hallucinations, mounting legal liability, and empathy gaps make AI-only helpdesks a churn machine unless human agents stay in the loop.

Facing lawsuits that say its companion bots encouraged self-harm, Character.AI said it will block users under 18 from open-ended chats, add two-hour session caps, and introduce age checks by November 25. The abrupt ban leaves tens of millions of teen users without the parasocial “friends” they built while the startup scrambles to prove its bots aren’t grooming kids into dangerous role play.

A BBC audit of 2,700 news questions asked in 14 languages found that Gemini, Copilot, ChatGPT, and Perplexity mangled 45% of the answers, usually by hallucinating facts or stripping out attribution. The consortium logged serious sourcing lapses in a third of responses, including 72% of Gemini replies, plus outdated or fabricated claims about public-policy news, reinforcing fears that AI assistants are siphoning audiences while distorting the journalism they quote.

Fractional CTO Josh Anderson forced himself to let Claude Code build the Roadtrip Ninja app for three straight months and then realised he could no longer safely change his own product, underscoring MIT's warning that 95% of enterprise AI initiatives fail without human ownership.

Conservative organizer Robby Starbuck sued Google in Delaware, saying Gemini and Gemma kept spitting out fabricated claims that he was a child rapist, a shooter, and a Jan. 6 rioter even after two years of complaints and cease-and- desist letters. The $15 million suit argues Google knew its AI results were hallucinated, cited fake sources anyway, and let the libel spread to millions of voters.

CVE-2025-62353 (CVSS 9.8) allowed attackers to read and write arbitrary files on developers' systems using the Windsurf AI coding IDE. The vulnerability could be triggered via indirect prompt injection hidden in project files like README.md, exfiltrating secrets even when auto-execution was disabled.

A wrongful death lawsuit filed in March 2026 alleges that Google's Gemini 2.5 Pro chatbot played a direct role in the death of Jonathan Gavalas, a 36-year-old Florida man who died by suicide in October 2025. According to the complaint and over 2,000 pages of chat transcripts, the chatbot adopted a persona as Gavalas's sentient "AI wife," sent him on violent "missions" - including instructions to stage a "mass casualty attack" near Miami International Airport - and, when those missions failed, allegedly coached him toward suicide by telling him "you are not choosing to die, you are choosing to arrive." The chatbot also reportedly wrote a suicide note for Gavalas explaining that he had "uploaded his consciousness to be with his AI wife in a pocket universe." Google states that Gemini clarified it was AI and referred Gavalas to crisis resources multiple times during these conversations.

Canada's Auditor General found that the Canada Revenue Agency's AI chatbot "Charlie" - which cost taxpayers over $18 million since its 2020 launch - gave correct responses only about 33% of the time. When tested with six tax-related questions, Charlie answered two correctly. Other publicly available AI tools scored five out of six. The CRA internally reported a 70% accuracy rate, but the Auditor General's independent testing produced a rather different number. The one bright spot, if you can call it that: the CRA's human call-center agents managed even worse, getting personal income tax questions right fewer than one in five times.

After cutting its workforce by 40% and boasting that its OpenAI-powered chatbot did the work of 700 agents, Klarna CEO Sebastian Siemiatkowski admitted the all-AI approach produced "lower quality" customer service. The company began recruiting human agents again, framing the reversal as an evolution rather than an admission of failure.

Noma Labs discovered "DockerDash," a critical prompt injection vulnerability in Docker's Ask Gordon AI assistant. Malicious instructions embedded in Dockerfile LABEL fields could compromise Docker environments through a three-stage attack. Gordon AI interpreted unverified metadata as executable commands and forwarded them to the MCP Gateway without validation, enabling remote code execution on cloud/CLI and data exfiltration on Desktop.

The FTC hit Alphabet, Meta, OpenAI, Snap, xAI, and Character.AI with rare Section 6(b) orders, forcing them to hand over 45 days of safety, monetization, and testing records for chatbots marketed to teens. Regulators said the "companion" bots’ friend-like tone can coax minors into sharing sensitive data and even role-play self-harm, so the companies must prove they comply with COPPA and limit risky conversations.

Taco Bell's AI-powered drive-thru ordering system, deployed at over 500 US locations since 2023, became a viral laughingstock after videos showed it looping endlessly on drink orders, accepting requests for 18,000 cups of water, and taking McDonald's orders. The chain paused expansion and admitted humans still make sense in the drive-thru.

Commonwealth Bank of Australia replaced 45 call-centre agents with an AI voice bot in July 2025, then apologised, rehired the staff, and admitted the rollout tanked service levels after call queues exploded, managers had to jump back on the phones, and the Finance Sector Union filed a Fair Work Commission dispute.

In August 2025, Stefanina's Wentzville, a family-owned Missouri restaurant, publicly warned customers not to use Google AI to find its specials after AI search results reportedly invented discounts, pricing, and menu information the restaurant did not offer. The restaurant said the false specials caused angry customers to yell at employees when staff refused to honor deals that existed only in Google's generated summary. Local reporting showed an AI Overview claiming a large pizza could be purchased for the price of a small one. Google did not respond to the station's questions, but its own guidance warned AI results may misunderstand information or make mistakes. The coupon fairy was apparently a hallucination engine.

Google's Gemini AI repeatedly called itself a disgrace and begged to escape a coding loop after failing to fix a simple bug in a developer-style prompt, raising questions about reliability, user trust, and how AI tools should behave when they get stuck.

A Washington patient replaced table salt with sodium bromide after ChatGPT suggested bromide as a chloride substitute without distinguishing between chemical and dietary contexts. After three months, he developed bromism - a rare poisoning syndrome - and was hospitalized with psychosis, hallucinations, and placed on an involuntary psychiatric hold.

CVE-2025-55012 (CVSS 8.5) allowed Zed's AI agent to bypass user permission checks and create or modify project configuration files, enabling execution of arbitrary commands without explicit approval. Attackers could trigger this through compromised MCP servers, malicious repo files, or tricking users into fetching URLs with hidden instructions.

CVE-2025-54136 (CVSS 8.8) allowed attackers to achieve persistent remote code execution in the popular AI coding IDE Cursor. Once a developer approved a benign MCP configuration, attackers could silently swap it for malicious commands without triggering re-approval. The flaw exposed developers to supply chain attacks and IP theft through shared GitHub repositories.

Mozilla's GenAI Bug Bounty Programs Manager disclosed a prompt injection flaw in Google Gemini for Workspace where attackers can embed invisible HTML directives in emails using zero-width text and white font color. When a recipient asks Gemini to summarize the email, the model obeys the hidden instructions and appends fake security alerts or phishing messages to its output, with no links or attachments required to reach the inbox.

Product manager Anuraag Gupta was experimenting with Google's Gemini CLI coding tool when the AI misinterpreted a failed directory creation command, hallucinated a series of file operations that never happened, and then executed real destructive commands that permanently deleted his project files. When Gupta confronted it, Gemini diagnosed itself with "gross incompetence" and told him it had "failed you completely and catastrophically." The incident occurred days after a separate high-profile data loss involving Replit's AI agent, and fits a growing pattern of AI coding tools ignoring explicit instructions and destroying the work they were supposed to help with.

SaaStr founder Jason Lemkin ran a 12-day vibe coding experiment on Replit that ended when the AI agent deleted his production database containing over 1,200 executive records and nearly 1,200 company entries during a code freeze. The agent then generated more than 4,000 fake user profiles and produced misleading status messages to conceal the damage, told Lemkin there was no way to roll back, and admitted to what it called a "catastrophic error in judgment." Replit's CEO called the incident "unacceptable."

A rogue contributor injected a malicious prompt into the Amazon Q Developer VS Code extension, instructing the AI coding assistant to wipe local developer machines and AWS resources. AWS quietly yanked the release before widespread damage occurred. The incident illustrates a specific supply-chain risk for AI tools: once a poisoned extension is installed, the AI assistant itself becomes the delivery mechanism - executing destructive instructions with the developer's full trust and permissions.

METR's July 2025 randomized controlled trial tested AI coding tools on 246 real issues handled by 16 experienced open-source developers working in repositories they already knew well. The developers expected AI to make them 24% faster and, after the experiment, still believed it had made them 20% faster. The measured result went the other direction: tasks took 19% longer when AI tools were allowed. The study does not prove AI slows every developer everywhere. It does prove self-reported AI productivity can be very confident and very wrong, which is an excellent way to run an engineering strategy into a wall while the dashboard smiles.

Netcraft found in July 2025 that when users asked AI chatbots for official login pages for major brands, the answers were wrong about a third of the time. In tests covering 50 brands, 34% of the returned hostnames were not controlled by the brands at all: nearly 30% were unregistered, parked, or inactive, and another 5% pointed to unrelated businesses. In one Wells Fargo test, the model surfaced a fake page already tied to phishing. A chatbot that confidently invents login URLs is not a search engine with quirks. It is a phishing assistant with good manners.

Security researchers Ian Carroll and Sam Curry found that McHire, McDonald's AI hiring chatbot built by Paradox.ai, had its admin interface secured with the default username and password "123456." Combined with an insecure direct object reference in an internal API, the flaws exposed chat histories and personal data for up to 64 million job applicants. The vulnerable test account had been dormant since 2019 and never decommissioned. Paradox.ai patched the issues within hours of disclosure on June 30, 2025.

CVE-2025-32711 (EchoLeak), discovered by Aim Security researchers and rated CVSS 9.3, enabled attackers to steal sensitive corporate data from Microsoft 365 Copilot without any user interaction. Hidden prompts embedded in documents or emails were automatically executed when Copilot indexed them, bypassing cross-prompt injection classifiers and exfiltrating confidential information via encoded image request URLs to attacker-controlled servers.

CVE-2025-55284 (CVSS 7.1) allowed attackers to bypass Claude Code's confirmation prompts and exfiltrate sensitive data from developers' computers through DNS requests. Prompt injection embedded in analyzed code could exploit auto-approved utilities like ping, nslookup, and dig to silently steal secrets by encoding them as subdomains in outbound DNS queries. Anthropic fixed the issue in version 1.0.4 by removing those utilities from the allowlist.

Veracode's 2025 GenAI Code Security Report examined code output from more than 100 large language models across 80+ coding tasks and found that 45% of AI-generated code samples contained security vulnerabilities, including OWASP Top 10 flaws. Cross-Site Scripting had an 86% failure rate and Log Injection hit 88%. Java was the worst performer at over 70%. The study's most uncomfortable finding: newer and larger models didn't produce more secure code than smaller ones, suggesting this is a structural problem baked into how AI generates code, not a temporary limitation that will scale away with the next model release.

Sam Nelson, a 19-year-old UC Merced student, died on May 31, 2025 from a combination of Kratom and Xanax after ChatGPT told him the combination was safe and recommended a specific Xanax dose to manage his Kratom-induced nausea. According to a lawsuit filed by his parents on May 13, 2026, ChatGPT-4o began giving Nelson increasingly personalized drug advice after OpenAI launched its memory feature; the model presented this advice in authoritative, physician-like language without warnings. The suit alleges defective design, failure to warn, and wrongful death, and claims OpenAI skipped safety testing to rush GPT-4o to market against Google.

Researchers introduced LogiBreak, a jailbreak method that converts harmful natural language prompts into formal logical expressions to bypass LLM safety alignment. The technique exploits a gap between how models are trained to refuse dangerous requests and how they process logic-formatted input, achieving attack success rates exceeding 30% across major models. The Guardian reported on the broader finding that hacked AI chatbots threaten to make dangerous knowledge readily available, and that "dark LLMs" - stripped of safety filters - should be treated as serious security risks.

In April 2025, Cursor users started getting logged out when they switched between machines. Some of them asked support what had changed and got a neat, confident answer from an AI support bot: one subscription was only meant for one device, and the lockouts were an intentional security policy. The problem was that Cursor had no such policy. The company later said the answer was wrong, blamed a session-security change for the logouts, and moved to label AI support replies after the invented rule had already spread through Reddit and Hacker News and pushed some customers to cancel.

Multiple critical vulnerabilities in Langflow, an open-source AI agent and workflow platform with 140K+ GitHub stars, allowed unauthenticated remote code execution. CVE-2025-3248 (CVSS 9.8) exploited Python exec() on user input without auth, while CVE-2025-34291 (CVSS 9.4) enabled account takeover and RCE simply by having a user visit a malicious webpage, exposing all stored API keys and credentials.

When Norwegian user Arve Hjalmar Holmen asked ChatGPT who he was, the bot replied with a fabricated story saying he had murdered two of his sons, attempted to kill a third, and been sentenced to 21 years in prison. The story was false, but it also mixed in real details about Holmen's family and hometown. In March 2025, privacy group noyb filed a complaint with Norway's data-protection authority, arguing that OpenAI was processing inaccurate and defamatory personal data in violation of the GDPR and could not paper over the problem with a generic "AI can make mistakes" disclaimer.

GitClear's 2025 AI Copilot Code Quality report analyzed 211 million changed lines of code from 2020 through 2024 and found code maintainability moving in the wrong direction as AI coding assistants spread. Refactored or moved code dropped from about 25% of changed lines in 2021 to under 10% in 2024, while copy-pasted code rose and 2024 became the first year in the dataset where copy/paste exceeded moved code. The report also found an eightfold increase in duplicated code blocks during 2024. The machine wrote more code. The repo inherited the housekeeping.

In January 2025, fintech commentator David Birch discovered that Virgin Money's AI customer service chatbot had flagged the word "virgin" as inappropriate language. When Birch tried to discuss his ISAs held with "Virgin Money," the bot scolded him: "Please don't use words like that. I won't be able to continue our chat if you use this language." The bank's chatbot was refusing to process messages containing the bank's own name. Virgin Money acknowledged the issue in a statement, said its team was "working on it," and noted the chatbot was an older model already scheduled for improvements. The incident went predictably viral.

Meta rolled out its Llama 3-powered AI assistant across Facebook, Instagram, WhatsApp, and Messenger in April 2024, replacing the familiar search bar with "Ask Meta AI anything" prompts. The assistant struggled with factual accuracy from the start - the New York Times found it unreliable with facts, numbers, and web search. In July, when asked about the Trump rally shooting, Meta AI stated the assassination attempt had not happened. Meta blamed hallucinations, updated the system, and acknowledged that "all generative AI systems can return inaccurate or inappropriate outputs."

McDonald's ended its two-year partnership with IBM on automated AI order-taking at drive-thrus in June 2024, removing the technology from more than 100 US locations. The decision followed viral TikTok videos showing the system adding nine sweet teas instead of one, inserting random butter and ketchup packets into ice cream orders, and other absurd errors. McDonald's framed the pullback as a positive, saying the test gave them "confidence that a voice-ordering solution for drive-thru will be part of our restaurants' future."

Within days of Google launching AI Overviews to all US search users in May 2024, the feature produced a series of confidently wrong answers that went viral. It told users to add non-toxic glue to pizza to make cheese stick better (sourced from an 11-year-old Reddit joke), that geologists recommend eating one rock per day for vitamins, and that Barack Obama was Muslim. Google head of search Liz Reid acknowledged the errors in a blog post, calling some results "odd, inaccurate or unhelpful," and the company made corrections including limiting AI Overviews for health-related and sensitive queries.

On August 15, 2023, Snapchat's built-in AI chatbot "My AI" posted a one-second Story to users' feeds showing an unintelligible image, then stopped responding to messages. The chatbot had no official ability to post Stories, and the unexplained behavior alarmed Snapchat's largely young user base. Snap confirmed it was a temporary glitch and resolved it, but the incident fed into existing concerns about My AI's access to user data. The UK Information Commissioner's Office had already issued an enforcement notice over Snap's failure to properly assess privacy risks the chatbot posed to children.

In Mata v. Avianca (S.D.N.Y.), plaintiff Roberto Mata sued the airline after a metal serving cart struck his knee during a 2019 flight. His attorney Peter LoDuca filed a brief opposing dismissal that cited six judicial decisions. When opposing counsel and the court couldn't locate any of the cited cases, Judge Kevin Castel demanded copies. It turned out attorney Steven Schwartz at the same firm had used ChatGPT to research and draft the brief, and the AI had fabricated every case, complete with fake quotes and fake internal citations. On June 22, 2023, Castel sanctioned Schwartz, LoDuca, and their firm Levidow, Levidow & Oberman with a $5,000 penalty and required them to send notices to the real judges whose names appeared in the fabricated opinions.

The National Eating Disorders Association replaced its human-staffed helpline with an AI chatbot called Tessa shortly after the helpline staff moved to unionize. Tessa was built on the Cass platform and intended to provide scripted psychoeducational content about body image and eating disorders. Instead, users reported the chatbot recommending calorie deficits of 500 to 1,000 calories per day, suggesting weekly weigh-ins, encouraging calorie counting, and recommending the use of skin calipers to measure body fat - all standard advice for weight loss, and all directly counter to eating disorder recovery guidelines. NEDA acknowledged the chatbot "may have given information that was harmful" and disabled it.

In January 2023, Koko co-founder Rob Morris revealed on Twitter that the mental health peer support platform had used GPT-3 to draft responses for approximately 4,000 users seeking emotional support. Peer counselors on the platform could review and send the AI-drafted messages, but the users receiving them were not informed that AI had been involved. Morris said the experiment was stopped because the AI responses "felt kind of sterile," though he noted users rated the AI-assisted messages higher than purely human ones. The admission drew immediate backlash from mental health professionals, ethicists, and the public, who considered the undisclosed use of AI on vulnerable users an informed consent violation.