
Tech

IEEE Rolls Out Large Language Models Training Course


Large language models have moved out of the research lab and into engineers’ daily workflow. LLMs serve as reasoning engines that can orchestrate complex tasks including identifying vulnerabilities in source code and transforming fragmented project discussions into rigorous technical specifications.

While the general public uses AI tools to write email and plan vacations, technical professionals use LLMs as core architectural elements that are fundamentally changing how digital infrastructures are built and maintained. As the AI models move into mainstream engineering practice, the demand for technical expertise is rising.

The LLM technology market is expected to grow by about 33 percent every year through 2030, according to MarketsandMarkets. The rapid expansion suggests that proficiency in implementing and securing the models is transitioning from a niche into a core requirement for technologists.

To use LLMs effectively, technical professionals must move beyond treating them as conversational robots. At a fundamental level, the AI systems are built on the transformer architecture, a framework that replaced the older method of processing data in a fixed, sequential order. Unlike earlier models that analyzed information one step at a time, transformers use self-attention mechanisms to ingest vast datasets simultaneously.


For technical professionals, LLMs are core architectural elements that are fundamentally changing how digital infrastructures are built and maintained.

Relying on such LLMs without understanding their internal logic creates a significant reliability risk. To build tools that work consistently, developers must understand the core principles that govern how the models process information and generate results. By mastering how a model processes information and how its internal settings influence the result, developers can move away from a trial-and-error approach toward a more precise one to ensure the AI tool handles complex data reliably.

Four ways LLMs are changing jobs

Here are areas that integrate large language models.

Moving past basic prompts. Developers are using application program interfaces (APIs) to connect LLMs directly to their databases and software tools. Employing the APIs allows AI to perform work such as executing code or searching through internal repositories.


Fixing the “hallucination” problem. LLMs are at risk of hallucinations, which are generated facts or code that looks correct but actually is wrong or broken. To fix the problem, retrieval-augmented generation (RAG) forces AI to look up information in a trusted source such as a company’s database.

Prioritizing data security. When using AI with proprietary code, security is a major concern. Engineers must learn how to set up “private” instances of the models to ensure that sensitive company data stays within a secure cloud environment and is not used to train public versions.

The future of collaboration. By automating repetitive coding tasks and summarizing thousands of pages of documentation, LLMs let engineers spend more time on high-level designs and solving important issues.

Online course program helps with mastering the tech

The gap between people who use AI and those who understand how to build with it is growing wider. To help technical professionals stay ahead, IEEE offers a five-course online program, Large Language Models Demystified, available through the IEEE Learning Network.


The program, developed by IEEE Educational Activities in partnership with the IEEE Computer Society, is built for people who want to understand the “how” and the “why” behind the technology. Rather than just teaching basic prompting, the curriculum dives into the engineering behind generative AI, including:

  • Evolution, impact, and hands-on exercises: the shift from statistical methods to modern transformers, including hands-on model optimization.
  • Understanding transformer architectures: the mathematical core of self-attention and positional encoding, implemented in NumPy and Python.
  • Architectural analysis and implementation: advanced LLM design with practical model-building exercises.
  • Training and modeling with PyTorch: end-to-end pipelines in PyTorch, leveraging parameter-efficient techniques such as low-rank adaptation and quantization.
  • Optimization, alignment, and deployment: performance scaling, reinforcement learning from human feedback (RLHF), group-relative policy optimization, RAG, and agentic AI.

Upon completion of the program, participants earn professional development credits and a digital badge from IEEE to verify their expertise.

Enroll in the course program on the IEEE Learning Network.

Organizations looking to prepare their teams to work on LLMs can connect with an IEEE content specialist to discuss group enrollment and tailored training paths.


Tech

Gen Z Singles Are Trying to Make ‘Solomaxxing’ Aspirational


For young people, the trend removes the stigma of being unmarried and alone, and recasts it as something to aim for, not avoid.


Tech

Top Apple tablets tested and ranked


Although there’s more competition than ever from the likes of Samsung, OnePlus and Honor, iPads still reign as some of the best tablet computers you can buy. Even if you are a longtime Apple fan however, it can be tricky to know which iPad is best suited for your needs given just how many options there are in 2026. If you’re tempted to upgrade or buy your very first iPad tablet then here are our current rankings.

One of the best things about buying an iPad in 2026 is that there’s a model to suit pretty much every use case and budget. For instance, the standard entry-level iPad is ideal for budget buyers, whilst the iPad Air is ideal for students who need a solid all-rounder for their studies. The iPad Pro is perfect for professionals who require all the power they can get, and the iPad Mini is made with artists in mind who love to draw and sketch throughout the day.

There are lots of great reasons to buy each of the aforementioned models but what unites them all is iPadOS. Easily the biggest reason as to why you should buy an iPad over one of the best Android tablets, iPadOS is unparalleled when it comes to offering a robust App Store filled with all of your go-to apps, alongside a UI that now allows for seamless multitasking.

iPadOS also comes into its own if you’re already part of the wider Apple ecosystem. AirPods of all varieties will immediately swap from your iPhone to your iPad depending on which device you’re using in the moment, and you can see health data collected via your Apple Watch as well.


There are plenty of other reasons as to why iPads are largely unbeaten in the tablet space, but the important thing to know is that this list can pair you with the model that makes the most sense for your needs so that you don’t inadvertently overspend. Keep reading to see which iPads impressed our team the most, or check out our round-up of the best tablets to see what Apple’s devices are up against. The best cheap tablets are also an instant win for anyone tied to a strict budget.


How we test all the iPads we review

Every tablet in this list has been properly tested and used for an extended period of time by one of our product experts. We will never recommend a tablet to you that we haven’t personally used and put through a set series of tests.


These tests can include colourimeter checks to gauge screen accuracy and brightness levels, various benchmarks to evaluate performance, and battery drains to judge endurance.

Our reviewer will also always judge performance for everyday use. This will see them use it as their primary tablet to conduct typical tasks like gaming, web browsing and video calling.

If the device is targeted at a specific market such as digital artists, they’ll also consider areas such as digital stylus support and whether it can effectively run relevant applications.

  • The performance of the mid-range iPad continues to improve

  • Improved connectivity

  • Two size options is always welcome

  • Great accessories

  • No ProMotion

  • Colour options are welcome, but a little drab

Even though it’s not the cheapest iPad in the range, the iPad Air is easily the best value option of the bunch given just how much you get in return for your money, especially with the new iPad Air M4. This is a tablet that boasts iPad Pro-levels of power but without the hefty price tag that typically comes with it.

Apple fans may remember that the launch of the iPad Pro M4 was a big deal as it was the first Apple device anywhere to feature the M4 chip, leapfrogging the various MacBooks available at the time. Well, that power has now trickled down to the iPad Air range and it blows pretty much every other tablet around the £599/$599 mark out of the water.

You probably won’t notice that much of an uptick if you own the iPad Air M3, but compared to older M-series chips it’s a big leap. Multitasking happens without issue and you can indulge in fairly heavy-duty video and photo editing without ever seeing where the limits are. It’s all very impressive for a tablet, and it’s made even better with the Magic Keyboard in tow.


There’s also improved connectivity in this iPad Air with the N1 network chip which adds Wi-Fi 7 for faster internet speeds as you work. Of course, for as great as the iPad Air is for productivity, it still remains a solid entertainment device with a bright, vibrant screen that really shows off some impressive detail when streaming the latest shows on Apple TV.

It would have been nice for Apple to finally bring the 120Hz ProMotion display down to the iPad Air range in a similar fashion to the entry-level iPhone 17, but it’s not so much of an issue as to detract from how much fun the tablet is to use on a daily basis.

  • Upgraded base RAM

  • Wi-Fi 7 support

  • The best screen on any tablet

  • iPadOS is getting better and better

  • Give us some fun colours

  • A fairly minor update

If you want the absolute best that Apple’s iPad lineup has to offer, the iPad Pro M5 is it.

Loaded with premium hardware, the finest screen you’ll find on any iPad, and performance that genuinely impresses.


It’s also the best-looking tablet money can buy right now. Thin, light, and supremely sleek, the design carries over from the previous generation, and that’s no bad thing.

Under the hood, however, things have moved on. A new M5 chip handles everything from casual browsing to demanding creative work without breaking a sweat, and an N1 networking chip joins the party too.

The specific chip configuration varies depending on which storage tier you go for, but every version of the Pro M5 delivers serious power. Apple has also bumped the base RAM up to 12GB, a genuine step up from the 8GB found in the older model, and the difference is felt in day-to-day use. iPadOS has matured significantly as well, and the software now feels worthy of the hardware it runs on.

What truly sets the Pro apart from something like the Air is the screen. That OLED panel remains in a league of its own, hitting peak brightness of 1600 nits with rich, accurate colours and excellent HDR support.


Whether you’re watching films, editing photos, or cutting video, it looks stunning throughout.

  • The design is a massive upgrade

  • USB-C is far more convenient than Lightning

  • Smart front camera placement

  • Unbeatable tablet apps and software

  • Huge price jump, especially in Europe makes its position in Apple’s iPad range confusing

  • Odd Apple Pencil integration

  • 64GB isn’t enough (256GB probably too much)


Apple’s baffling decision to increase the price of the iPad in its 10th generation made the tablet tricky to recommend at launch. However, a recent drop down to $329/£329 has pulled the iPad 10 back to an affordable price, making it our go-to budget iPad once again.

The iPad has taken design cues from the pricier iPad Air, including flat edges, slimmer bezels and the absence of a home button. The tablet is also 10g lighter and charges via USB-C, meaning it can share its charger with more devices.

While the 10.9-inch Liquid Retina Display lacks the P3 colour gamut and anti-glare coating found on higher-end iPads, it still has a higher resolution than that of the iPad 9, making it an easy upgrade compared to its predecessor, while producing a sharp, colourful image.

There’s a 12-megapixel rear camera for snapping photos and scanning documents, along with a 12-megapixel ultra-wide front camera that now sits on the long edge for holding video calls in landscape orientation.


The A14 Bionic chip delivers strong performance, including a noticeable improvement in gaming performance and video export times compared to previous generations. The RAM is up from 3GB to 4GB too, though the storage remains lacking with 64GB being the base configuration.

The 10-hour battery life is in line with most iPads, while Apple Pencil and Magic Keyboard Folio compatibility makes the iPad 10 a very versatile device.

  • Great new design

  • Works with the second-gen Apple Pencil

  • Super-speedy thanks to the A15 Bionic chipset

  • 5G option makes for great portability

  • Odd storage sizes

  • Expensive

  • Some iOS elements are too small

The iPad Mini 6 won’t be for everyone. It’s expensive, lacks the Magic Keyboard support of the Air and Pro and suffers from slightly inferior battery life. However, if you’re after a small iPad for watching videos, reading or note-taking then this is still an option we’re happy to recommend.

Most of the features here are stripped from the iPad Air series. It mirrors that slate’s design, colour choices and screen tech. However the performance isn’t quite as high-end, so it scores lower in benchmark tests. In real-world use though, it’s still very snappy in all ways.

The smaller 8.3-inch display makes this a different proposition from the iPad Air. It’s less of a laptop replacement and more of a companion; a media-centric device that fits in smaller bags.


Pair it with the Apple Pencil (2nd gen) and you’ve got a fantastic mini notebook and sketchpad. The smaller display also makes it great for gaming, especially if you pair up a Bluetooth controller.

We found that the battery life is a little shorter than the iPad Air, but at least there’s a USB-C port on the bottom.

FAQs

Can an M5 iPad Pro run Mac Apps?

No, no iPad can natively run Mac apps – even if you have an M1 iPad and the app is built for an M1 Mac. Instead, all apps for an iPad must come from the App Store.

What is the difference between the three versions of Apple Pencil?

The original Apple Pencil has a glossy finish and charges by plugging directly into an iPad’s Lightning port – though no iPad in our list supports this older accessory. The Apple Pencil 2nd Gen charges wirelessly and has a matte finish. Any iPad with a USB-C port will support this Pencil. The new Apple Pencil Pro, with support for rotation and squeeze gestures, will only work with the latest iPad Air and iPad Pro M4 due to the relocation of the magnets within the iPad chassis.


Test Data

  Apple iPad Air M4 Apple iPad Pro M5 Apple iPad (10th gen) iPad Mini 6
Geekbench 5 single core 1557 1594
Geekbench 5 multi core 3190 4687
Geekbench 6 single core 3726 4081
Geekbench 6 multi core 13286 16441
Geekbench 6 GPU 52607 74536
3DMark Solar Bay 12727
sRGB 90 %
Adobe RGB 62.8 %
DCI-P3 64 %
Max brightness 467 nits 439 nits
1 hour video playback (Netflix, HDR) 3 % 6 % 6 %
30 minute gaming (intensive) 7 % 9 %
30 minute gaming (light) 5 % 8 %
1 hour music streaming (online) 1 %
1 hour music streaming (offline) 1 % 1 %
Time from 0-100% charge 120 min
GFXBench – Aztec Ruins 60 fps 60 fps
GFXBench – Car Chase 60 fps 60 fps


Full Specs

  Apple iPad Air M4 Review Apple iPad Pro M5 Review Apple iPad (10th gen) Review iPad Mini 6 Review
UK RRP £599 £999 £349 £479
USA RRP $599 $995 $349 $499
EU RRP €439 €559
CA RRP CA$649
AUD RRP AU$749
Manufacturer Apple Apple Apple Apple
Screen Size 11 inches 11 inches 10.9 inches 8.2 inches
Storage Capacity 128GB, 256GB, 512GB, 1TB 256GB, 512GB, 1TB, 2TB 64GB 256GB, 64GB
Rear Camera 12MP 12MP 12MP 12MP
Front Camera 12MP 12MP 12MP 12MP
Video Recording Yes Yes Yes Yes
IP rating No No IP57 No
Battery 28.93 Whr 31.29 Whr 19.3 Whr
Fast Charging Yes Yes Yes
Size (Dimensions) x x INCHES x x INCHES 179.5 x 248.6 x 7 MM 5.3 x 7.69 x 0.25 INCHES
Weight 462 G 446 G 477 G 293 G
ASIN B0BJLG85NS B09G9LDWYQ
Operating System iPadOS 26 iPadOS iPadOS 16.1 iPadOS 15
Release Date 2026 2025 2022 2021
First Reviewed Date 09/03/2026 16/06/2026 08/10/2021
Resolution 2360 x 1640 2420 x 1668 1640 x 2360 2266 x 1488
HDR Yes Yes Yes
Refresh Rate 60 Hz 120 Hz 60 Hz 60 Hz
Ports USB-C Thunderbolt / USB 4 port USB-C USB-C
Chipset Apple M4 Apple M5 Apple A14 Bionic (5 nm) A15
RAM 12GB 12GB, 16GB 4GB 12GB
Colours Blue, Purple, Starlight, Space Grey Grey, Silver Silver, Blue, Pink, White Space Gray, Pink, Purple, Starlight


Tech

7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes


Your AI agent did exactly what it was designed to do. The framework underneath it just handed an attacker a shell on the box that holds your OpenAI key, your database credentials, and your CRM tokens.

That is not a hypothetical. In a few months, three of the most widely deployed AI agent frameworks each turned a known, ordinary bug class into a way through. Check Point Research chained a SQL injection in LangGraph’s SQLite checkpointer to full remote code execution. Tenable and VulnCheck tracked a path traversal in Langflow’s file upload endpoint to active, in-the-wild RCE. Cyera documented a path traversal in LangChain-core’s prompt loader that reads your secrets off disk. Two paths to a shell, one to your keys. They are the same bug, wearing three frameworks.

These frameworks became production infrastructure faster than anyone secured them. They store agent state, take file uploads, load prompt configs, and hold the credentials to databases, CRMs, and internal APIs. The edge tools watch traffic. The endpoint tools watch processes. Neither was built to treat an imported framework as a boundary worth guarding, and that blind spot is exactly where all three chains live, widening every week as these frameworks ship to production.

The LangGraph chain, SQL injection to a Python shell

Start with the one most teams pulled into production this quarter. LangGraph gives AI agents memory through checkpointers, the persistence layer that stores execution state. It has cleared over 50 million downloads a month. Yarden Porat of Check Point Research took that layer apart and found three vulnerabilities. Two of them chain to RCE.


CVE-2025-67644, rated CVSS 7.3, is a SQL injection in the SQLite checkpointer. The function that builds the WHERE clause for checkpoint lookups drops user-controlled filter keys straight into the query with no parameterization and no escaping. This does not hit everyone, but where it hits, it is serious. A deployment is exposed when it self-hosts LangGraph on the SQLite or Redis checkpointer and lets untrusted input reach get_state_history() or a similar history endpoint. Meet those conditions, and an attacker who controls the filter writes a fabricated row straight into the checkpoint table. Run LangChain’s managed LangSmith platform on PostgreSQL, and the exposure is gone.

Then CVE-2026-28277, CVSS 6.8, finishes the job. LangGraph’s msgpack checkpoint decoder rebuilds Python objects from the stored data, which lets it import a module and call a named function with attacker-supplied arguments. That step needs write access to the checkpoint store; the SQL injection is what grants it remotely. LangGraph loads the forged row as a legitimate checkpoint, the decoder runs the specified function, including os.system, and code executes under the identity of the agent server. A third issue, CVE-2026-27022, CVSS 6.5, reaches the same place through the Redis checkpointer.

There has been no confirmed exploitation in the wild yet. A working proof-of-concept is public in Check Point’s disclosure. The fixes are version bumps: langgraph-checkpoint-sqlite to 3.0.1, langgraph to 1.0.10, and langgraph-checkpoint-redis to 1.0.2.
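The WHERE-clause flaw described above, reduced to a small model. This is an added example, not LangGraph's code or schema: the `checkpoints` table, its rows, the function names and the hostile key are all constructed for illustration. It shows why binding values is not enough when the filter keys are pasted into the SQL text, next to a builder that validates keys and binds the JSON path as a parameter.

```python
import re
import sqlite3

# Constructed rows standing in for a checkpoint table (not LangGraph's schema).
ROWS = [
    ("tenant-a", '{"source": "input", "step": 1}'),
    ("tenant-a", '{"source": "loop", "step": 2}'),
    ("tenant-b", '{"source": "input", "step": 1}'),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)", ROWS)
    return db


def where_vulnerable(filters):
    """Values are bound, but each KEY is interpolated into the SQL text."""
    clauses = [f"json_extract(metadata, '$.{key}') = ?" for key in filters]
    return " AND ".join(clauses), list(filters.values())


# Assumption for this example: filter keys are flat identifiers.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def where_hardened(filters):
    """Validate each key, then bind the JSON path as a parameter as well."""
    clauses, params = [], []
    for key, value in filters.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return " AND ".join(clauses), params


def history(db, build_where, thread_id, filters):
    """Return the thread_ids matched by a lookup scoped to one thread."""
    where, params = build_where(filters)
    where = where or "1 = 1"  # no filters: match every row of the thread
    sql = (
        "SELECT thread_id FROM checkpoints "
        f"WHERE thread_id = ? AND {where} ORDER BY thread_id"
    )
    return [row[0] for row in db.execute(sql, [thread_id, *params])]


# Constructed hostile key: closes the quoted JSON path and adds an OR branch,
# so the thread_id scoping no longer constrains the whole predicate.
HOSTILE_KEY = "source') IS NOT NULL OR json_extract(metadata, '$.source"

if __name__ == "__main__":
    db = make_db()
    print(history(db, where_vulnerable, "tenant-a", {"source": "input"}))
    print(history(db, where_vulnerable, "tenant-a", {HOSTILE_KEY: "input"}))
    try:
        history(db, where_hardened, "tenant-a", {HOSTILE_KEY: "input"})
    except ValueError as exc:
        print(exc)
```

In the vulnerable builder the second lookup returns a row from another thread; the hardened builder refuses the key before any SQL is assembled.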

The Langflow chain, one unauthenticated request to RCE

Langflow is the one already under attack. CVE-2026-5027, CVSS 8.8, is a path traversal in the POST /api/v2/files endpoint, which takes the filename straight from the form data and writes it to disk unsanitized. An attacker packs that filename with traversal sequences and drops a file anywhere, such as a cron job in /etc/cron.d/. Because Langflow ships with auto-login enabled in its default configuration, an exposed instance needs no credentials at all. A single unauthenticated request reaches the endpoint, and the next cron run hands over a shell.


VulnCheck’s Caitlin Condon confirmed exploitation on June 9: “Our Canaries observed exploitation of CVE-2026-5027 that successfully leveraged the path traversal to write what appear to be test files on victim systems.” Censys put roughly 7,000 exposed instances on the internet, most in North America. This is the third Langflow flaw to draw active exploitation this year, after CVE-2025-34291, which the Iranian state-sponsored group MuddyWater weaponized and which CISA added to its Known Exploited Vulnerabilities catalog in May. CVE-2026-5027 itself was patched in version 1.9.0, released April 15.

The timeline is what sets the clock. The patch shipped April 15. Attacks started in June, and VulnCheck added CVE-2026-5027 to its exploited-vulnerabilities list June 8 once its sensors caught the first in-the-wild hits. Every instance left unpatched between those two dates has been sitting in the open for almost two months. The lesson for security teams is to start the patch clock at disclosure, not at a federal catalog entry.

The LangChain-core gap, arbitrary file reads through the prompt loader

LangChain-core, the foundation under both, disclosed CVE-2026-34070, CVSS 7.5, a path traversal in its legacy prompt-loading API. The load_prompt() functions read a file path out of a config dict with no check against traversal sequences or absolute paths, so an attacker who influences that path reads arbitrary files the process can reach, including the .env file holding OPENAI_API_KEY and ANTHROPIC_API_KEY. Cyera paired it with CVE-2025-68664, CVSS 9.3, a deserialization flaw that resolves environment secrets through a crafted object. The fix versions differ, which matters when you patch: CVE-2026-34070 lands in langchain-core 1.2.22 and 0.3.86; CVE-2025-68664 lands earlier in 1.2.5 and 0.3.81. Clear both, or the higher-severity flaw stays live behind a patched one.

Three frameworks, three classic AppSec bugs. Path traversal. SQL injection. Unsafe deserialization. Nothing exotic, nothing AI-specific, just old vulnerabilities living inside new infrastructure. None of this is a frontier-model problem. It is plumbing, sitting in the layer where AI meets the enterprise.
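Both path traversals above, the Langflow upload filename and the LangChain-core prompt path, come down to the same missing check: resolve the untrusted value and confirm it still sits under the directory it belongs to. The following is an added example, not code from Langflow or LangChain; the function names, the suffix allowlist and the temporary directory layout are assumptions made for illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath

PROMPT_SUFFIXES = {".json", ".yaml", ".yml", ".txt"}  # assumed allowlist


class PathEscapeError(ValueError):
    """Raised when an untrusted name or path would leave its base directory."""


def confine(base_dir, untrusted):
    """Resolve `untrusted` under `base_dir`; reject anything that escapes it.

    resolve() collapses '..' segments and follows symlinks, and joining an
    absolute path discards the base, so all three cases fail the check below.
    """
    if not untrusted or "\x00" in untrusted:
        raise PathEscapeError(f"invalid path: {untrusted!r}")
    base = Path(base_dir).resolve()
    candidate = (base / untrusted).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        raise PathEscapeError(f"escapes {base}: {untrusted!r}")
    return candidate


def upload_target(upload_dir, form_filename):
    """Upload case: accept a bare file name only, never a path."""
    name = PurePosixPath(form_filename.replace("\\", "/")).name
    if name != form_filename or name in {"", ".", ".."}:
        raise PathEscapeError(f"not a bare file name: {form_filename!r}")
    return confine(upload_dir, name)


def prompt_file(prompt_dir, config_path):
    """Prompt-loader case: sub-folders are fine, but only inside prompt_dir."""
    target = confine(prompt_dir, config_path)
    if target.suffix.lower() not in PROMPT_SUFFIXES:
        raise PathEscapeError(f"suffix not allowed: {config_path!r}")
    return target


def demo():
    """Run constructed inputs through both checks; return label -> outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "prompts" / "team").mkdir(parents=True)
        (root / ".env").write_text("PLACEHOLDER_KEY=constructed-value\n")
        (root / "prompts" / "team" / "qa.yaml").write_text("template: hi\n")
        cases = [
            ("upload report.pdf", upload_target, "uploads", "report.pdf"),
            ("upload ../../etc/cron.d/job", upload_target, "uploads",
             "../../etc/cron.d/job"),
            ("upload /etc/cron.d/job", upload_target, "uploads",
             "/etc/cron.d/job"),
            ("prompt team/qa.yaml", prompt_file, "prompts", "team/qa.yaml"),
            ("prompt ../.env", prompt_file, "prompts", "../.env"),
            ("prompt absolute .env", prompt_file, "prompts",
             str(root / ".env")),
        ]
        try:
            # A symlink inside the allowed directory that points outside it.
            (root / "prompts" / "leak.yaml").symlink_to(root / ".env")
            cases.append(("prompt leak.yaml (symlink)", prompt_file,
                          "prompts", "leak.yaml"))
        except OSError:  # symlinks unavailable on this platform
            pass
        results = {}
        for label, check, base, value in cases:
            try:
                check(root / base, value)
                results[label] = "allowed"
            except PathEscapeError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{outcome:9} {label}")
```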


Why the scanner cannot see it

Merritt Baer, CSO at Enkrypt AI and former deputy CISO at AWS, has named what makes this kind of failure hard to see coming. It does not announce itself as an AI problem. “CISOs will experience MCP insecurity not in the abstract, but when an employee pastes sensitive data into a tool, or when an attacker finds an unauthenticated MCP server in your cloud,” Baer told VentureBeat. “It won’t feel like ‘AI risk.’ It will feel like your traditional security program failing.” The framework chains here are the same shape. An exposed Langflow instance is an unauthenticated server in your cloud, and the alert, if one fires, reads like an ordinary incident.

That is the gap in one sentence. The exploit lives in the framework your code imports. The WAF never sees a msgpack decoder running three layers down. The EDR watches the agent server make the same process calls it makes a thousand times a day and waves it through. Both tools are doing their job. Nobody scoped the framework itself as the thing that could turn on you.

The root cause is older than AI, and Baer names it. “MCP is shipping with the same mistake we’ve seen in every major protocol rollout: insecure defaults,” she told VentureBeat. “If we don’t build authentication and least privilege in from day one, we’ll be cleaning up breaches for the next decade.” Langflow’s auto-login is that mistake shipped. LangChain-core’s unguarded prompt loader is that mistake shipped. The convenient default is the vulnerability. And the moment an agent connects to anything, that risk compounds. “You’re not just trusting your own security, you’re inheriting the hygiene of every tool, every credential, every developer in that chain,” Baer said. “That’s a supply chain risk in real time.”

There is a governance failure layered on top of the technical one, and it is the same miscategorization Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, has flagged in adjacent tooling. “Most security teams still classify experience management platforms as ‘survey tools,’ which sit in the same risk tier as a project management app,” Keren told VentureBeat. “This is a massive miscategorization.” Swap in AI agent frameworks, and it still holds. Teams file LangGraph, Langflow, and LangChain under developer convenience, then wire them into databases, CRMs, and provider keys. “Security has to be an enabler,” Keren said, “or teams route around it.” These frameworks are what routing around it looks like.


Follow the money and it points at the same layer. On its Q1 fiscal 2027 earnings call, CrowdStrike reported its AI detection and response line up more than 250% sequentially, and on June 17 it extended that runtime coverage to agent, LLM, and MCP traffic on AWS. George Kurtz, the company’s co-founder and CEO, named the reason in plain terms: “Agents run on the endpoint. They make tool calls, access files, invoke APIs, and move data at the process level.” That is the exact plumbing these chains abuse, and real money is now moving to the layer your AppSec scan skips.

What to put in front of the board

The board does not need the CVE numbers. It needs the consequence, and Keren draws the line the board cares about. Most teams have mapped the technical blast radius. “But not the business blast radius,” Keren told VentureBeat. “When an AI engine triggers a compensation adjustment based on poisoned data, the damage is not a security incident. It is a wrong business decision executed at machine speed.” A framework RCE is the same problem one layer earlier. The agent does not just leak a credential; it acts on production systems with it, and the business sees an outcome no one can explain.

So frame it the way a board frames it: we run AI agent frameworks in production that can be turned into remote shells through bugs our scanners are not built to find, all three are patched, one is under active attack, and here is the date every instance is verified and closed. None of this required custom malware or a zero-day.

The six-question checklist

Six trust boundaries, one per row, each with the question, the proof point, the command, the fix, and the board line. Run it tonight.

Advertisement

Trust-Boundary Question

Proof Point

What Broke

Verify Before You Install

Advertisement

The Fix

Board Language

1. Can the agent’s state store be poisoned with code?

LangGraph SQLi-to-RCE chain. CVE-2025-67644 (CVSS 7.3) chains into CVE-2026-28277 (CVSS 6.8). PoC public, no in-the-wild use yet.

Advertisement

Filter keys interpolated into SQL with an f-string. Forged checkpoint row hits the msgpack decoder, which imports and runs an attacker-named callable.

pip show langgraph-checkpoint-sqlite. Below 3.0.1 = vulnerable. Confirm get_state_history() is not exposed to network input.

Upgrade langgraph-checkpoint-sqlite to 3.0.1, langgraph to 1.0.10, langgraph-checkpoint-redis to 1.0.2.

“Our agent memory layer can be tricked into running attacker code. Vendor has patched it. We are upgrading and confirming the endpoint is not exposed.”

Advertisement

2. Can an unauthenticated request write a file to our agent server?

Langflow CVE-2026-5027 (CVSS 8.8). On VulnCheck KEV (June 8). Active exploitation confirmed June 9. ~7,000 exposed instances (Censys).

Path traversal in POST /api/v2/files. Filename unsanitized. Auto-login on by default. Two HTTP calls drop a cron job and earn a shell.

Query Censys or Shodan for your Langflow, Flowise, n8n, and Dify instances on the perimeter. Check whether auto-login is enabled.

Advertisement

Upgrade Langflow to 1.9.0+. Disable auto-login. Pull AI dev tools behind VPN or zero-trust. Isolate port 7860.

“Our AI dev tools are reachable from the internet with login off. This exact flaw is under active attack now. We are pulling them behind access controls today.”

3. Can our prompt loader read files it should never touch?

LangChain-core CVE-2026-34070 (CVSS 7.5), path traversal in the prompt-loading API. Paired with deserialization CVE-2025-68664 (CVSS 9.3).

Advertisement

load_prompt() reads a config-supplied path with no traversal check, returning files such as the .env holding OPENAI_API_KEY and ANTHROPIC_API_KEY.

pip show langchain-core. Below 1.2.22 (1.x) or 0.3.86 (0.x) = vulnerable. Audit any code passing user-influenced paths to load_prompt().

Upgrade langchain-core past both fixes: 1.2.22 / 0.3.86 (CVE-2026-34070) and 1.2.5 / 0.3.81 (CVE-2025-68664). Replace load_prompt() with an allowlisted directory. Run as non-root.

“Our prompt system could be steered to read our API keys off disk. We are patching and removing the legacy loader.”

Advertisement

4. Does a compromised framework hand over every credential at once?

These frameworks are often deployed with provider keys, database credentials, and integration tokens available to the process environment. Cyera documents the credential-exfiltration path.

One RCE on the agent server exposes every secret the process can read. Blast radius is the full credential set, not one app.

Inventory which secrets each framework process can reach. Confirm keys come from a secrets manager, not static .env files.

Advertisement

Move provider keys to ephemeral injection. Rotate any key a vulnerable instance could have read. Scope each key to least privilege.

“A single break in one AI framework exposes the keys to every model and data store it touches. We are rotating and scoping them now.”

5. Are these frameworks running outside security governance?

A prior Langflow flaw, CVE-2025-34291, was weaponized by Iranian-linked MuddyWater and added to CISA KEV in May. Shadow AI is the new shadow IT.

Advertisement

Teams stand frameworks up for speed, give them credentials, and never bring them under review. The security team cannot see what it does not know exists.

Run a discovery sweep for AI frameworks outside change management. Map each to an owner and an approval record.

Assign every framework a documented owner and a place in the approval process. Offer a sanctioned alternative so teams do not route around you.

“We have AI frameworks in production that no one formally approved. We are bringing them under governance, not banning them.”

6. Can our scanners even see inside the framework at runtime?

Runtime detection is forming around this layer: CrowdStrike Falcon AIDR expanded to AWS June 17 (Bedrock, Kiro, Strands); its QuiltWorks coalition now covers cloud workloads.

WAF reads HTTP at the edge. EDR watches the endpoint. By default, neither reliably models a msgpack decoder or a prompt loader three layers down in an imported framework as a separate trust boundary.

Test whether your AppSec scan covers third-party framework internals. Track CVEs by dependency, not just by what your edge tools can parse.

Add framework dependencies to vuln management. Treat agent output and stored state as untrusted. Patch on disclosure, not on KEV listing.

“Our scanners check our code, not the frameworks our code imports. We are closing that blind spot and patching on disclosure, not waiting for the federal catalog.”

How to read this table: each row is one trust boundary, left to right, from the question to ask to the line to read your board.

Give the board the deadline, not the technology

The fixes are not a re-architecture. They are version bumps and config changes you can land this week. The exposure is the gap between the day the patch shipped and the day your team runs the checks, and right now that gap is measured in months. The frameworks did exactly what they were built to do.

The Most Promising Ebola Vaccine Has Been Sitting on the Shelf for 15 Years

“We thought that’s probably the one that’s least likely to pop up,” Geisbert says. “We guessed wrong.”

Concerned by that knowledge gap, in 2011 he decided to modify a vaccine, which led to the crab-eating macaque study. In the same study, he also finally tested a blend of existing ebola vaccines on the Bundibugyo strain, but they didn’t provide 100-percent protection.

If the 2012 outbreak had occurred after the major Zaire outbreak, Geisbert says, it’s possible pharmaceutical companies might’ve been more keen to commercialize a vaccine that protects against the Bundibugyo strain.

But with the present outbreak rivaling the 2013 to 2016 one in terms of scale and scope, efforts to play catch-up are going into high gear. Geisbert suspects WHO’s experience with Ervebo is one of the reasons they favor his vaccine candidate, which is basically “Bundibugyo Ervebo,” he says.

WHO also noted the success of a similar rVSV-based vaccine targeting the Sudan strain of ebola in a ring vaccination trial in 2025.

The rVSV-based Bundibugyo candidate’s suitability for ring vaccination was backed by a 2023 study showing most of the monkeys were protected from the virus even after they were exposed if they had been vaccinated. That is crucial for ring vaccination to work. While the researchers vaccinated the monkeys an unrealistically quick 20 minutes after exposure, the proof of concept sets it apart from Moderna and the University of Oxford’s candidates under development.

“There hasn’t really been much development since that 2023 study, because we weren’t really expecting to see that strain and also because historically it’s been associated with lower-rate mortality as well,” said Courtney Woolsey, the lead author on the paper (Geisbert was a coauthor) and an assistant professor within the University of Texas Medical Branch.

“Nobody really makes money off these vaccines,” she adds, “so there are funding barriers as well to advance these vaccines where people likely aren’t going to make money.”

The nonprofit Coalition for Epidemic Preparedness Innovations has offered funding of up to $3.2 million to prepare and start testing the material needed to manufacture Geisbert’s vaccine, which would be the first step towards human trials.

The “extensive safety data and prior regulatory experience” from the rVSV-based vaccines used to combat the Zaire strain “could help expedite approval pathways if it is shown to be successful,” Rachael Bonawitz, filovirus disease programme lead at CEPI, tells WIRED over email, adding that developers would also be able to build on existing manufacturing processes.

“Even if it’s not used in this outbreak, hopefully there will be clinical material that can be used in humans available for the next outbreak,” Geisbert says, “because it will probably pop up again.”

Even as it shows promise, there is still a chance his vaccine won’t work. Scientists have not been able to obtain a live Bundibugyo virus sample for testing due to stretched resources in the DRC and the logistical and bureaucratic complexity of obtaining and transporting refrigerated blood back to the US. While scientists believe the current strain is around 98-percent similar to the strain that caused the previous outbreaks, that unknown 2 percent presents a risk the vaccine won’t be as effective as it was against the previous strain.

“When you look at the sequences it’s not different enough that I would predict that there would be a problem, but nothing’s foolproof,” Geisbert says.

The International AIDS Vaccine Initiative in New York will prepare the vaccine candidate for production. The nonprofit biomedical research organization focuses on developing vaccines for global diseases where there is little financial incentive for development.

“The baton has been handed off, and I just sit back and hope that it works, whether it’s the vaccine, whether it’s somebody else’s vaccine,” Geisbert says.

Aura’s impressive e-ink photo frame doesn’t even look digital

What’s the most cliche possible gift you can give a relative? A digital photo frame, displaying a rotating slideshow of family photos. Now Aura has completely refreshed this product space with its gorgeous Aura Ink frame, which uses e-ink to create a display that doesn’t even look digital.

Digital frames have always been so popular (yet mostly disappointing) because there’s an undeniable allure to the idea of them — it feels like magic to imagine hanging artwork on your wall that you can change depending on your mood. In practice, these devices usually look clunky. You need to plug them in and figure out how to hide a bulky cord, and does anyone even want another bright screen in their home anyway? This problem was already on the Aura founders’ minds when they started the company 10 years ago, but color e-ink wasn’t feasible until now to use in a digital frame.

“E-ink is definitely next level,” co-founder and CTO Eric Jensen told TechCrunch. “We have people tell us that they hung it up, had friends over, and their friends were like, ‘How did you print that picture so quickly?’”

E-ink is the same technology that you see on e-readers, which lets you read a book without feeling the same strain that you get from staring at an LED screen for too long. But there aren’t that many color e-ink devices on the market aside from the Kindle Colorsoft, because the company that manufactures e-ink displays can only currently produce six colors: red, blue, green, yellow, white, and black.

It’s hard to imagine what your favorite family portraits and travel photos would look like with only six colors. But Aura has created a dithering algorithm — a technique that blends a limited color palette into patterns the eye reads as smooth gradients — that renders images close enough to the originals that its e-ink frame could finally go to market.

“I’m learning color theory from our chief scientists, and as far as I understand it, there’s not a good definition for how many colors this represents well,” Jensen said. “It’s all sort of theoretical and comes down to how people perceive it. Everyone’s a little different, so it’s actually taken a lot of testing with a lot of people in a lot of different spaces and different lighting conditions in order to get where we are today.”

How Aura’s dithering algorithm breaks photos down into six e-ink colors. Image Credits: Aura

All of Aura’s frames connect to the Aura app, which is where you can upload photos from your phone, web, email, iCloud, or Google Photos. I found the process to be pretty user-friendly — easy enough for a less tech-savvy relative to navigate, which matters for a product that lives or dies on whether non-technical users will actually set it up.

The app also has social features, so if your sister has a great new photo of her baby, she can upload it to your shared library and it will appear on your frame. (I didn’t try this, since I don’t know anyone else with an Aura frame, but if I did, I would probably use this feature to prank my family members with ridiculous photos. Am I a bad person?)

In addition to the 13.3-inch Ink frame, Aura also sent me its more classic, 12-inch LED Aspen frame as a point of comparison. But the LED frame surprised me with how good it looks in its own right (it feels like the Prada of digital frames). The lighting is about as unobtrusive as an LED screen can be, and it’s anti-glare, which makes the frame look way more premium. Aura’s frames also benefit by surrounding the LED screen with a paper-like matting display, which helps trick the eye into reading it as a printed photograph.

Aura says it designed its dithering algorithm for portraits of people, since users tend to highlight family photos. I’m a rebel, so I decided to load my frames with travel photos. When comparing the same photo on the Ink and the Aspen, it’s very clear that the colors aren’t exact, but as a digital photographer who isn’t that picky, I didn’t care very much. The distorted color palette almost seems like an artistic choice, even if I know it’s reflective of a technological limitation. But when I showed the two Aura frames to an analog film photographer who painstakingly studies the small color aberrations in his darkroom prints, he thought that the Ink frame needed some work. I disagree, but if you look at the photos below and are bothered that the white balance isn’t perfectly consistent across each of the three images from my phone, then you might not like the Ink frame.

By default, the Ink frame changes photos once per day, and it will usually do this change in the middle of the night, when you’re least likely to be paying attention. If you manually change the pictures via the app, do not be alarmed if the frame looks like it’s glitching — it takes about a minute for the hardware to run the dithering process and render the six-color, e-ink version of your image.

I am very bad with anything involving hammers and nails — all of the art in my apartment is hung up using Command strips — but the mounting hardware that Aura includes feels sturdy. It’s easy to take the frame on and off the wall, but you probably only will need to take it down to charge the frame via USB-C once per month. (When the lights are off or you’re not in the room, the display will go to sleep, helping save battery.) I don’t think that the Ink frame looks too out of place, but if it does, maybe it’s because it’s surrounded by art made in other mediums. Or maybe it’s the black frame. Or I did a bad job at placement. Look, I can’t help that I added the Ink frame to a gallery wall that I assembled three years ago!

At $499, I wouldn’t call the Ink frame cheap (the Aspen runs $229, by the way). But aside from its color inconsistencies — which you can argue are more of a feature than a bug — I’ve loved having the Ink frame on my wall. With the unavoidable technical limitations of e-ink in mind, it’s hard for me to imagine how Aura could’ve made a better product.

Go eyes robotaxis and acquisitions after Japan’s biggest IPO of 2026. Here’s why it matters

Go’s IPO — Japan’s biggest so far this year — has done more than provide a much-needed boost to the country’s languishing listing season. It has also supplied the taxi-hailing app with the capital required to address an existential issue: Japan’s shortage of drivers.

Go, which went public Tuesday, plans to use the ¥88.6 billion ($553 million) raised in its IPO to expand its robotaxi business and make acquisitions, according to a company spokesperson.

“We intend to use the proceeds from the sale of newly issued shares toward investment in research and development related to robotaxis and investment in business expansions, including strategic mergers and acquisitions in our business inside and outside of the taxi industry,” the spokesperson said.

The Japanese taxi-hailing company’s debut came in one of Japan’s quietest listing seasons, at a time when the government has been telling startups to sell themselves rather than go public. Go drew investments from BlackRock, Wellington Management, and M&G Investment Management in the process, underscoring where global institutional money is willing to go in Japan right now. The stock has since pulled back below its offering price, closing at ¥2,314 on Friday, down about 4% from the IPO price of ¥2,400.

Go’s robotaxi ambitions are rooted in a human problem. Japan’s taxi industry is running out of drivers. The number of taxi drivers has fallen roughly 20% in recent years, according to a report citing Japan’s Ministry of Land, Infrastructure, Transport and Tourism.

An aging population means that figure is unlikely to recover. Ride-share services launched in Japan in 2024, but remain limited to certain areas and require drivers to be employed by a taxi company, restrictions that have done little to address the shortage.

Go was founded in 1977 as a taxi operator and now runs Japan’s largest ride-hailing app with 35 million downloads, 85,000 partner vehicles, and an 80% share of Japan’s taxi app market by usage time, covering 46 of Japan’s 47 prefectures.

Go believes robotaxis will be part of its future — although it’s not clear when that vision will become a reality.

Go has partnered with Waymo, an autonomous driving subsidiary of Alphabet, alongside Nihon Kotsu, one of Japan’s biggest taxi operators. Go is responsible for strategic coordination of the partnership, according to the spokesperson. CEO Hiroshi Nakajima has previously said that Go will not invest in autonomous driving systems itself, according to Nikkei Asia.

Go has not set a timeline for fully driverless operations.

“We plan to begin driving fully autonomously, without a human specialist present, when we validate our technology and receive approval to do so,” the spokesperson said.

In the meantime, Go is looking for ways to give its traditional business a competitive edge. For instance, the company has partnered with Kakao T, Alipay, and WeChat Pay to allow inbound travelers from South Korea, China, and Taiwan to hail Go-affiliated taxis directly from their local apps.

Go is not the only company betting on Tokyo’s robotaxi future.

In March, Uber, Wayve, and Nissan announced plans to pilot robotaxi services in Tokyo by late 2026, marking Uber’s first autonomous vehicle partnership in Japan. The service will use Nissan Leaf electric vehicles powered by Wayve’s AI Driver, and will be bookable through the Uber app.

Uber has also teamed up with S.Ride to let international visitors book rides through the Uber app. Didi Mobility Japan, a joint venture between SoftBank and Didi Chuxing, has a similar arrangement.

Honor of Kings Introduces Hero Devara and Launches HOK Plus 2.0 in India

Honor of Kings is increasing its reach in India through the release of HOK Plus 2.0. This update comes with various enhancements, including more rewards, improved gameplay, creator programs, and esports developments. Another feature of this update is a new character named Devara, who draws inspiration from Indian culture.

Honor of Kings is rolling out a ₹10 million reward program for its users in India with the launch of HOK Plus 2.0. Through “Play to Earn”, players will be motivated to play the game, create content, participate in campus activities, and socialize. Players will get the opportunity to participate in the Treasure Hunt game and stand a chance of winning smartphones and Amazon gift cards. Honor of Kings will give even greater rewards to players as part of its celebration on June 27.

Devara Debuts as Honor of Kings’ New India-Inspired Hero

HOK Plus 2.0 will introduce Devara, a hero inspired by India, in the game Honor of Kings. Devara battles at the Clash Lane and uses his lightning abilities when he is battling. He is able to deal massive damage and perform well from the front line. Honor of Kings has been inviting people to suggest Hindi lines for their heroes. Some of these lines have been selected and used in Devara’s voice lines, which were recorded by Sanket Mhatre.

The launch of Devara will be marked by a range of offline events in Delhi, Mumbai, and Bengaluru. These will allow gamers to experience themed activities and engage with other players. The events aim to celebrate the hero’s debut and strengthen the game’s connection with its Indian player community.

HOK Studio Expands Support for Indian Content Creators

HOK Plus 2.0 introduces new opportunities for content creators through HOK Studio. The new creator policy rewards content creators for strong performance and regional rankings. Selected creators can move into the HOK Advanced Creator Program and receive exclusive benefits. The company has also partnered with Live Insaan to support community growth. Players will soon be able to join influencer-led teams in the HOK India Influencer Team Tournament.

Honor of Kings is also bringing new activities to campuses and gaming cafes across India. The campus program will cover 32 colleges in four cities between July and September. Students will have opportunities to compete, create content, and engage with the community. The game will also organize Devara-themed 1v1 challenges at selected gaming cafés. Participants can earn rewards and compete for cash prizes and smartphone giveaways.

Revenant XSpark has qualified to represent India at the 2026 Asian Games Esports Qualifiers. The team claimed its place by winning the NESC 2026 LAN Grand Finals held in Pune. The competition in Kuala Lumpur brings together top teams from across the region. Successful teams will secure spots at the 20th Asian Games in Nagoya, Japan. Their qualification showcases the progress of India’s Honor of Kings esports ecosystem.

New Heroes, Gameplay Modes, and Quality-of-Life Improvements

There are new updates in Honor of Kings to enhance its gameplay through HOK Plus 2.0. The players can get familiar with Annette, Lorion, and Florentino in Arena of Valor. Users can discover Super Flow Brawl 2.0 and apply strategic thinking and gameplay mechanics in this mode. There are even certain events happening during the match to affect its flow.

June 27 marks the date of the Peak Day festival, where players in Honor of Kings will have various opportunities to get rewarded during the event. Participants in the event will be able to engage in specific activities, collaborations, and community events at the festival. There are limited-time vouchers and unique collectibles for the participants. The participants will have access to free heroes and bonuses at the festival.

LEGO Builds a Life-Size Koenigsegg Sadair’s Spear Megacar That Hits 69 MPH

A collaboration between LEGO and Koenigsegg built a vehicle that turns heads for all the right reasons. The two companies created a full-scale version of the Sadair’s Spear using LEGO Technic pieces, and the finished machine drives under its own power on real roads and courses.

Over 327,906 unique components went into this massive effort, which resulted in an automobile weighing a whopping 1800 kilos, despite the fact that the bricks themselves only accounted for about 400 kg. The long and laborious procedure came to a conclusion after almost 9,400 hours of work, when the team gave their approval and declared it ready for testing.

The entire car is built from the ground up on a lightweight body made of LEGO Technic pieces, while a custom-made chassis underneath handles all structural stresses and houses the electric motor and complex mechanisms that bring this cool car to life, and then there’s that one show-stopping feature we can’t get enough of. The car has a working Ghost Mode, a trick that the real hypercar does as well, in which the rear body portion lifts up, the dihedral synchro-helix doors swing out on their own, and the mirrors fold flat.

The next challenge came on the Goodwood hillclimb track in the United Kingdom. Markus Lundh, the test driver, drove the brick-built automobile up the famed incline in reverse configuration, reaching a high speed of 111 kilometers per hour, or 69 miles per hour in the United States. This figure is more than twice the previous record for the fastest drivable LEGO car manufactured by the LEGO Group.

Markus said he had a great time driving the thing; it reminded him of the time he got the Sadair’s Spear to the top of that hill the year before, but when he took the LEGO version up, he was particularly impressed with the engineering that the Technic team did. The massive life-size creation corresponds with a new official 1:8 scale LEGO Technic model of the same car, which has 4,104 pieces and reproduces many of the same features, but at a scale that allows it to be displayed on a desk or shelf. The smaller counterpart also includes a working Ghost Mode sequence, a detailed V8 engine with moving parts, a 9-speed transmission that moves, and suspension at both ends.

Siri AI, Apple TV, & more come to your car with CarPlay in iOS 27

CarPlay is seeing one of its biggest updates in years thanks to the upcoming release of iOS 27. Here are all the new features, including Siri AI and Apple TV apps.

At WWDC 2026, Apple officially unveiled its next version of iOS. The update, iOS 27, will be released in the fall of 2026 and is packed full of useful new features.

CarPlay, Apple’s in-car UI, is powered by iOS, so this new software will bring a bunch of enhancements to your car. This year, at least one major feature will require some serious automaker support.

Siri AI in CarPlay

Apple Intelligence seemed to occupy almost half of Apple’s WWDC keynote. A lot is going on, and a good portion of that is reflected in the car.

On phones that support Apple Intelligence, Siri will become Siri AI. That means Siri will be more capable and get a new look.

When you invoke Siri AI, it now has a dark, glassy orb at the bottom of your car’s display. It mimics the look of the new UI that lives in the Dynamic Island on iPhone.

New Siri AI orb in CarPlay with iOS 27

Siri is more conversational now, going back and forth with you as you ask questions and follow-ups. Apple’s digital assistant has more personal context, too.

While testing it, I could ask more complicated questions with multiple action items. As I left the house, I asked Siri to turn off the lights in the studio, get me directions to my son’s school, and text my wife my ETA.

All of your Siri conversations are saved in the new Siri app. It has the same icon as on iPhone, iPad, and Mac, and allows you to go back to previous conversations you’ve had.

Those conversations also sync across your platforms via iCloud. So if I start a conversation in the car, I can pick it up on my iPad when I get to where I’m going.

New chat-style interface for apps with iOS 27 CarPlay

Along with the new Siri AI, Apple is allowing any app to offer up a conversation mode. This was previously limited to AI apps like ChatGPT or Perplexity.

The idea is that those apps could possibly tap into Apple Intelligence models and offer you the ability to chat, rather than use physical taps within the app.

If you had a pizza app, you could open it, tell the app what you wanted with your voice, which could build your order, give you a total, and submit it with an estimated pickup time. There’s a new UI element for this that hovers over the app’s contents.

Both first-party and third-party media apps will get upgrades thanks to iOS 27. This includes the Apple Music and Apple Podcasts apps.

Apple Music looks more organized and has a richer layout thanks to added media graphics. The big change, though, is the addition of the mini player.

New mini player in Podcasts and Apple Music apps with iOS 27 CarPlay

The new mini player sits in the top-right corner of the display when you have something playing. It minimizes, showing the album art and a play/pause button.

That way, while something is playing, you can browse the rest of the app while still retaining quick control of the current media.

Before, it would be two taps to get to the media if you weren’t on the “now playing” screen. You would have to tap the play icon in the top-right corner, then hit pause, which isn’t ideal if you’re driving.

A similar refresh comes to the Apple Podcasts app. It has a streamlined UI and a mini player.

That mini player is a new UI element that isn’t going to be exclusive to Apple apps. Apple has made it available to anyone who is creating media apps for CarPlay, and you can expect many of the popular streaming apps to adopt it.

Apple TV and video support for CarPlay

Another major change is video support. This is much more robust than what was previously included in iOS 26.

As part of iOS 26, Apple allowed apps to stream their content on a car’s infotainment system via AirPlay. It was only on supported cars that had to get approved through Apple’s MFi Program.

Grid of apps in the simulator with iOS 27

Now, Apple is allowing full, native video streaming applications as a new app category with iOS 27. AirPlay is still an option, but now you can browse and select content from the car’s interface, too.

I was able to test this out for myself using Apple’s new CarPlay simulator in Xcode. Apple is offering up initial support with the inclusion of the Apple TV app inside of CarPlay.

Apple TV app in CarPlay with iOS 27

There are several asterisks here. Automakers themselves still have to enable this, which means that we most likely will be waiting for that to happen.

When a vehicle does add support, it must be in park for any videos to play. That counts whether the content is started via AirPlay or a native video player.

Playing a video in CarPlay with iOS 27

One neat trick is that if you are watching a video and you move the car from park to drive, your video will automatically fall back to audio-only. That’s great for things like sports when you still want to follow along, even if you can’t watch it.

Other small changes for CarPlay in iOS 27

Aside from the big new features, there are a lot of other changes, tweaks, and optimizations Apple is rolling out to its in-car solution.

Wireless connection is now said to be more stable than before. Hopefully, that reduces the audio lag that can sometimes be present.

Navigation apps are now able to communicate with the car’s system. The idea behind this is that the car can see your route and suggest any changes.

The most obvious use case here is for EVs. If you put in a route, and your car realizes you only have so much battery remaining, it may propose the ideal charging station to add to the trip.

This whole back and forth is permission-based, so you must OK it before the communication happens, and you must OK any changes to the route. Otherwise, no information or route is shared with your car.

There are a few new icons with iOS 27. In Wi-Fi settings, if you use wireless CarPlay, there is a new CarPlay icon on the network to help identify it, and there is an updated battery icon system-wide.

New wallpapers in CarPlay with iOS 27

Finally, there are new wallpapers. Apple added 12 wallpapers for CarPlay in iOS 27, and they all have a similar swirl, like with the iOS 27 ones for iPhone, iPad, and Mac.

By going into the settings app, users can choose one of the new wallpapers that come in various colors.

CarPlay will be updated automatically when iOS 27 is released to the public.

Ctrl-Alt-Speech: Close Your Apps And Think Of England

from the ctrl-alt-speech dept

Ctrl-Alt-Speech is a weekly podcast about the latest news in online speech, from Mike Masnick and Everything in Moderation‘s Ben Whitelaw.

Subscribe now on Apple Podcasts, Overcast, Spotify, Pocket Casts, YouTube, or your podcast app of choice — or go straight to the RSS feed. To get extended episodes with additional coverage, support us on Patreon.

In this week’s roundup of the latest news in online speech, content moderation and internet regulation, Ben is joined by Jen Weedon, a T&S veteran of Meta and Niantic. She is currently consulting and teaching at Columbia School of International and Public Affairs. Together, Ben and Jen discuss:

And in the extended episode for Patreon supporters, they cover:

Our fun links this week are the How Alberta eradicated rats (Ben) and Mogwooooo’s Instagram account (Jen).

If you’re already a Patreon supporter, you can get the extended episode on Patreon.

Filed Under: age verification, ai, ai slop, artificial intelligence, content moderation, jen weedon, trust and safety, uk

Companies: anthropic, telegram
