After criticizing a startup called Artisan for misusing his work, artist KC Green — creator of the famous “This is fine” meme — said he’s reached an agreement with Artisan. 

The dispute arose after the startup appeared to use a version of Green’s art to promote its AI assistant Ava. In Artisan’s bus and subway ads, Green’s recognizable dog sat amid recognizable flames, but instead of saying “This is fine,” it declared, “My pipeline is on fire,” while the ad urged people to “Hire Ava the AI BDR.”

Earlier this month, Green posted on social media that his art had been “stolen like AI steals” and urged his followers to “vandalize” the ads if they saw them. He also told TechCrunch he was frustrated about having to “try my hand at the American court system” instead of putting that time into his comics.

Artisan, meanwhile, told us it has “a lot of respect for Green and his work.” Then, earlier this week, founder and CEO Jaspar Carmichael-Jack said the two sides had come to an agreement.

When TechCrunch reached out to Green, he confirmed that they’d “reached a settlement pretty quick,” with Artisan taking down the ads in New York and San Francisco that used his character, and Green taking down his initial post.

In 2024, researchers from the University of Illinois found that GPT-4, when provided with a common vulnerabilities and exposures (CVE) description, could autonomously exploit 87% of a curated 15-vulnerability one-day dataset. Without the description, it could only exploit 7%. This provided a “margin of safety” for the industry because while AI could exploit known vulnerabilities, it could not discover them.

However, on April 7, Anthropic announced that Claude Mythos Preview had closed that margin, with the model autonomously discovering thousands of zero-day vulnerabilities across major operating systems and browsers. Separately, Mythos scored 83.1% on the CyberGym vulnerability reproduction benchmark. In one campaign targeting OpenBSD across 1,000 scaffold runs, the total compute cost was less than $20,000.

Exploitation timelines are collapsing. Langflow’s CVE-2026-33017 (CVSS 9.8) was exploited 20 hours after disclosure with no public proof-of-concept. Marimo’s CVE-2026-39987 (CVSS 9.3) was hit in 9 hours and 41 minutes.

The defensive infrastructure most organizations rely on wasn’t designed for this. Rapid7’s 2026 threat landscape report states that the median time from CVE publication to CISA’s known exploited vulnerabilities (KEV) listing is five days. Google’s M-Trends 2026 report found that exploitation is happening before a patch is even released. When the Langflow advisory was published, the first exploit arrived in 20 hours. When the Marimo advisory was published, it took under 10 hours.

The assumption that your patch window is safe because exploitation takes time is no longer true. Here are your building blocks.

Replace CVSS-only prioritization with a three-layer filter

Most vulnerability management programs still prioritize by CVSS score alone. CVSS quantifies a vulnerability’s “theoretical” severity without considering whether a vulnerability is being exploited in the wild or how quickly someone could weaponize it. A CVSS 8.8 vulnerability with a history of active exploitation (like Docker’s CVE-2026-34040) gets lower priority than a CVSS 9.8 vulnerability that may never be exploited in the wild.

A recent study validated against 28,377 real-world vulnerabilities offers a concrete replacement: A three-layer decision tree incorporating CISA KEV status, Exploit Prediction Scoring System (EPSS) scores, and CVSS, thus forming a singular prioritization filter.

Three-Layer Vulnerability Prioritization Filter

Validated result: 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, ~95% reduction in urgent remediation workload. All three data sources are open and free.

The described integration is entirely automatable. It’s possible to build a script to query the CISA KEV API, the EPSS API from FIRST.org, and the NVD, and have that script run against your asset inventory for every published CVE. The human in this process should remain in the loop as an approver, but not as the trigger.

Close the agent authorization gap

Creating exploits quickly not only changes how patches are prioritized, but how controls are configured for all the agent-driven systems that now possess privileged credentials. Your authorization policies have not been assessed against the behavior of AI agents, and that is now a measurable risk. CVE-2026-34040 showed that Docker’s authorization plugin architecture silently bypasses every plugin when the request body exceeds 1MB. Common AuthZ plugins (OPA, Casbin, Prisma Cloud) are unaware of this type of bypass, which occurs in Docker’s middleware before the request reaches the plugin.

When Cyera demonstrated this vulnerability, they showed that an AI agent debugging infrastructure could infer the bypass path while completing a legitimate task, without any instruction to exploit anything.

The Internet Engineering Task Force (IETF) is working on authorization models for agents. The document draft-klrc-aiagent-auth-01, published in March by participants from AWS, Zscaler, Ping Identity, and OpenAI, proposes the use of the current Secure Production Identity Framework for Everyone (SPIFFE) and OAuth 2.0 for AI agents to obtain dynamically provisioned and short-lived credentials.

Separately, the IETF Agent Identity Protocol draft (draft-prakash-aip-00) reports that out of about 2,000 surveyed model context protocol (MCP) servers, none had authentication.

But these standards are months to years away from implementation. For now, security teams must proactively incorporate agent-level test scenarios for all authorization boundaries, such as oversized requests, burst frequency, and multi-step escalation of privileged requests.

Map your credential blast radius

In a survey conducted by CSA/Zenity and published on April 16, 53% of organizations said they had already seen cases where AI agents exceeded their intended permissions, and 47% experienced a security incident involving an agent.

When AI builder tools such as Flowise (CVE-2025-59528, CVSS 10.0), Langflow, or n8n become compromised, the blast radius extends far beyond the host. These tools contain API keys to frontier models, database credentials, vector store tokens, and OAuth tokens to business systems. A compromised AI builder host is not just a single-system breach. It is a credential harvest that unlocks authenticated access to every connected service.

Without credential dependency maps for each AI tool host, incident response for agent compromise is guesswork. For every instance, document each credential, the extent of its access, and the relevant credential rotation process. Also begin migrating static API keys to short-lived tokens where downstream services allow.

Five actions for this quarter

1. Deploy the three-layer KEV-EPSS-CVSS filter

Substitute CVSS-only prioritization according to the table above. Automate the collection of data from all three APIs as part of a scheduled script against your asset inventory. Desired outcome: 18 times more efficient, 85.6% coverage of exploited vulnerabilities, 95% reduction in urgent remediation workload.

2. Implement event-driven patching for Tier 0 services.

Determine which services fall under the critical exposure tier: Services exposed directly to internet users, AI builder hosts, and container orchestration control plane. Trigger event-driven patching on a CVE publication instead of waiting for the next maintenance window for this tier.

Goal: deploy patch to canary within four hours of a CVE being declared critical. Use the CISA KEV and EPSS feeds to trigger event-driven patching. In situations where it is impossible to meet the goal of four-hour patching because of legacy dependencies, change-freeze windows, or rollback risk, immediately apply compensating controls such as removing internet exposure to the vulnerable service, rotating credentials for the vulnerable service, disabling affected functionality of the service (if applicable), and identifying an exception owner for the exposure until a patch can be deployed.

It is not acceptable to allow unbounded exposures for extended periods while awaiting a maintenance window.

3. Test authorization boundaries at agent scale.

Create test cases for every API that AI agents may communicate with via AuthZ policies. Specifically, include test cases for requests exceeding 1MB, 5MB, and 10MB body sizes. This includes test cases for burst rate > 100 requests per second and test cases for unusual parameter combinations (privileged flags, host mounts, capability additions). Additionally, patch to Docker Engine 29.3.1 to fix CVE-2026-34040.

4. Credential blast radius mapping for all AI builder hosts.

Document each credential for each Langflow, Flowise, n8n, and custom AI pipeline instance. Classify each credential by its lifespan (static key vs. short-lived token). Identify what each credential can access. Set up alerts for anomalous IP or identity for any credential access.

5. Shadow AI discovery scan for this week.

According to CSA data, there is a greater than 50% chance that your agents have exceeded their expected boundaries. Check your Security Information and Event Management (SIEM) and network monitoring tools for communications to the default ports of the AI builder: Langflow 7860, Flowise 3000, and n8n 5678. Any unauthorized instances are an unmonitored attack surface.

The takeaway

AI agents are emerging, and the standards bodies are responding. The IETF has multiple drafts related to agent authentication and authorization. The Coalition for Secure AI has published its MCP Security taxonomy and Secure-by-Design principles.

But these standards move at standards-body speed, and the exploit window is now measured in hours. Organizations that implement the three-layer filter and event-driven patching this quarter will have a measurable reduction in exposure. Those who wait will be running calendar-based patch cycles against an adversary that operates in less than 20 hours. 

Nik Kale is a principal engineer specializing in enterprise AI platforms and security

Welcome to the VentureBeat community!

Our guest posting program is where technical experts share insights and provide neutral, non-vested deep dives on AI, data infrastructure, cybersecurity and other cutting-edge technologies shaping the future of enterprise.

Read more from our guest post program — and check out our guidelines if you’re interested in contributing an article of your own!

The Apple smart glasses with cameras and no heads-up display have been rumored for the end of 2026, but could now come at the end of 2027 instead. Though that’s not the whole story.

Rumors about Apple’s smart glasses effort have been increasing in frequency since 2024, but primarily from a single source. One other highly accurate source that has been in play since 2023 has offered a differing timeline, until now.

According to the Bloomberg newsletter “Power On,” Apple is pushing back its smart glasses release to late 2027 after hitting some development snags. While Mark Gurman didn’t offer his usual derogatory pile-on of Apple’s internal struggles, the timeline shift comes as a bit of a surprise.

His initial reports in 2024 around the latest codenamed N50 glasses suggested a 2027 launch window. He later suggested in January 2025 that Apple smart glasses development had hit “massive hurdles” that could take years to get past.

In May 2025, Gurman shared that Apple was aiming for a late 2026 launch window that has been repeated frequently by him since.

He’s also been clear that Apple smart glasses don’t have an AR display, and those would arrive much later. Now, Gurman has been repeating “by the end of the decade,” which, given it is 2026, isn’t exactly that far away.

As recently as February and April 2026, Gurman has repeated that late 2026 release timeline. What is unusual is that there was never any hint of a potential delay or struggle to get the glasses to mass production.

iPhone Fold rumors continue to push for a fall release in spite of repeated production issues

Advertisement

Then comes today’s report shifting the release back an entire year. Also in this report is information about the potential design aspects of the smart glasses.

It seems Apple will try to stand out with unique design elements like “oval-shaped cameras, unique colors, and multiple frame styles.” Apple allegedly also believes future iterations could be seen as a health device that could include AR features that help people see.

Meanwhile, Apple has seemingly run into repeated problems getting iPhone Fold to mass production, which hasn’t started, yet it still reportedly isn’t being pushed back.

So, it seems odd that Apple’s timeline would suddenly shift around 8 months out from announcing the product. But then there’s the other leaker’s timeline.

Enter Ming-Chi Kuo

The other leaker I mentioned earlier is Ming-Chi Kuo, and he has been much more reserved in his leaking frequency on Apple smart glasses. While his history is hit and miss, the details he gets right are enough to have earned him quite the respect in the field.

Apple’s rumored AR glasses have been discussed for years

However, I will note that his accuracy and resources seemed to have dropped since he shifted to his social-media-based leaking patterns of today.

Apple’s AR and VR efforts have been seeing consistent leaks since as early as 2015, but the most recent iteration was discussed by Kuo in 2021. Then, his report was much more forward-looking and thus, wholly inaccurate.

I mean, the man called for Apple Vision Pro in 2022, full-AR Apple Glass in 2025, and AR contact lenses by 2030. It is a wild report in retrospect.

Jump forward to something a little less speculative, and his reporting has been consistent with the Apple smart glasses release window. In June 2025, Kuo reported that Apple was aiming to ship three to five million Meta Ray-Ban-like smart glasses in the second quarter of 2027.

Given Kuo’s strong suit is the supply chain and the fact that he had shipping estimates, it is easy to argue that he’s had the correct timeline all along. So, it is curious that Gurman has been saying late 2026 or early 2027 until today.

Game of leaks

Of course, all of these rumors are nebulous and will always shift and move as new information is obtained. Accuracy isn’t always easy to determine too since the age of a leak once it is released is rarely known.

Apple Vision Pro is the start of Apple’s work in the wearable AR/VR field

For example, Kuo might have heard from the supply chain that Apple’s supply-side management aimed for an initial order in 2027. Gurman might have heard from his internal source, likely on or near the Vision Product Group, that the internal team’s goals were the end of 2026.

Then, as deadlines were missed and supply chains shifted, the internal team finally realized that their stretch goal wasn’t possible. Which means shifting back to the supply-chain suggested goal of 2027, thus making them meet Kuo’s previously reported timeline.

In essence, both leakers could have accurately reported what they had heard, and both be correct in this instance. Then there’s also the chance they’re both wrong and Apple announces smart glasses at a completely different time.

However, Gurman has proven somewhat unreliable when it comes to reporting around the Vision Product Group. As Daring Fireball pointed out, Gurman completely missed the Apple Vision Pro update to M5 when he reported in January 2025 that “I don’t believe there will be a new headset from Apple this year.”

Then, later in April 2025, Gurman said a lighter Apple Vision product could ship by the end of 2025 or early 2026 and even suggested that the M5 refresh had been abandoned. The unchanged M5 model shipped in October 2025 instead.

There is no doubt that Gurman has some insider connections that give him unprecedented access into Apple’s inner workings. However, it is important to note that he is no foolproof and does make mistakes — often when trying to create a narrative around an otherwise innocuous leak.

visionOS 27 could hint at Apple’s future AR plans

Advertisement

WWDC is on June 8 and could provide a hint of what the rest of Apple’s year might look like. However, since the initial set of Apple Smart Glasses won’t have a display, there is unlikely to be any sign of them in visionOS 27.

Then there’s the fact that Apple has several glasses-related products in development beyond the N50. Several of which, we have no idea what they are or when they could release.

There’s always the chance that one set is coming at the end of 2026 and another in 2027. Apple’s supply chain is immense and these leakers may be describing different parts of different elephants.

Time will tell if the smart glasses will arrive in the next twelve months. In this case, I’d bet on Kuo’s initial report of a late 2027 launch until he says otherwise.

Watch USA vs Senegal live streams to see if the 2026 World Cup co-hosts can get back to winning ways after two straight defeats. However, it won’t be easy against The Lions of Teranga, who have a point to prove after being controversially stripped of the African Cup of Nations title.

USA manager Mauricio Pochettino made it clear he wanted to test his side against the top teams in the world. So far, it hasn’t gone to plan as they were thrashed 5-2 by Belgium and then lost 2-0 to Portugal. Having been defeated by two European powerhouses, he’ll hope his side can build some confidence by overcoming one of the strongest nations in Africa.

When Apple launched the Apple Watch in 2015, the mid-tier wristwatch market had a handful of dominant companies. Swatch Group sold watches under Tissot, Hamilton, and Longines. Fossil Group sold under Michael Kors, Armani, and Kate Spade. Movado sold under Coach, Hugo Boss, and Tommy Hilfiger.

Ten years later, the damage is quantifiable. Swatch’s revenue is 28% lower in 2025 than it was in 2014. Fossil’s sales dropped roughly 70%. Apple became the world’s largest watchmaker by unit volume within a few years and last year overtook Rolex as the number one watch brand by revenue. The Apple Watch now generates an estimated $17 billion annually.

Bloomberg’s Mark Gurman reports that Apple is planning the same playbook for glasses. The company sees the $200 billion global eyewear market as a bigger opportunity than watches and intends to compete directly with products sold between $200 and $500, a segment dominated by EssilorLuxottica (Ray-Ban, Oakley, Persol, Oliver Peoples), Safilo Group (Tommy Hilfiger, Hugo Boss), and Warby Parker.

The addressable market is staggering. The WHO estimates 2.2 billion people globally have some form of vision impairment. Hundreds of millions of pairs of glasses are sold each year. Apple believes its brand, industrial design, iPhone integration, and AI features will lead people seeking new regular glasses to buy an Apple pair instead.

The first Apple glasses, codenamed N50, were initially planned for late 2026 with shipping by early 2027. Delays have pushed the timeline to a launch at the end of 2027, Gurman reports. The product will use oval-shaped cameras, unique colours, and multiple frame styles. Over time, Apple believes the glasses could become a health device and eventually incorporate augmented reality.

Meta has a substantial head start. It sold more than seven million Ray-Ban smart glasses in 2025 and commands roughly 82% of the smart glasses market. It has retail partnerships with LensCrafters and is steadily rolling out new models, with more coming in June. Meta also leads on AI features and has the advantage of working with Android, which remains larger than iOS globally.

Apple’s historical refusal to support Android gives Meta an opportunity to own that side of the market permanently. Ironically, Apple’s entry could benefit Meta by generating broader consumer excitement about smart glasses, with Android users then steered toward Meta’s models.

Meta is also expanding its wearables strategy beyond glasses. A leaked internal memo this week confirmed the company is developing an AI pendant and a “Wearables for Work” enterprise subscription. The competitive landscape is widening before Apple’s product even ships.

The risk for Apple is timing. Every month of delay gives Meta more users, more retail presence, and more data on what consumers want from smart glasses. The product depends on a revamped Siri that has already been delayed for two years. The new Siri app in iOS 27 may still launch as a beta.

Tim Cook has described the glasses as his top priority. Incoming CEO John Ternus is the driving force behind the project. The Vision Products Group developing the glasses has operated under his leadership for the past two years. The support from Apple’s highest levels is not in question. The execution timeline is.

Not all eyewear companies need to worry. High-fashion brands selling glasses for thousands of dollars, names like Cartier, Lindberg, Jacques Marie Mage, and Maison Bonnet, will likely continue to thrive. Apple never had a meaningful impact on the luxury watch market despite its attempt at $10,000 gold Apple Watches. Rolex generated an estimated $14 billion in revenue last year, more than double its sales from a decade earlier.

The target is the mass market, not the luxury segment. Apple is going after EssilorLuxottica, Safilo, and Warby Parker the way it went after Swatch, Fossil, and Movado. The pattern is clear: enter an established consumer product market, offer something that integrates with the iPhone, and wait for the incumbents’ revenue to decline.

Apple’s Watch business is itself facing new competitive pressure from screenless wearables like Whoop, Oura, and Google’s Fitbit Air. The company needs a new hardware growth category. Glasses, if executed well, could be it. The addressable market is not millions of users. It is billions.

Gurman also reported that iOS 27’s Siri app will sync conversations across devices via iCloud. Early work on iOS 28 (codenamed Bell) and macOS 28 (codenamed Poppy) has begun, with next year’s releases expected to be “far more significant” than the iOS 27 updates. A new Apple TV set-top box and HomePod mini are nearly ready, having been delayed for months to launch alongside the new Siri.

Welcome back to TechCrunch Mobility, your hub for the future of transportation and now, more than ever, how AI is playing a part. To get this in your inbox, sign up here for free — just click TechCrunch Mobility!

If you’re into EVs or sports cars, then you surely saw the kerfuffle over Ferrari’s first all-electric car, the Luce. The reaction was swift and biting for the five-seater EV designed by Apple veteran Jony Ive and priced at close to $650,000.

Ferrari fans expressed horror, critics compared it to the far cheaper Nissan Leaf, memes were made, and even one car designer (Lucid’s Derek Jenkins) threw some shade.

Senior reporter Sean O’Kane asked a different question as the great Ferrari Luce debate blew up the internet: Who is the Luce for?

You’ll have to read the full story to get his complete breakdown. But in my view, the most important question is whether the Luce is for existing Ferrari owners. After all, Ferrari owners often possess more than one. More than 80% of the 14,000 people who bought a Ferrari last year already own one of its vehicles, O’Kane notes.

According to Ferrari, there is demand for the EV. Ferrari CEO Benedetto Vigna claims the Luce is already getting orders from old and new customers. Assuming that demand outstrips the number of Luce EVs that the automaker plans to make, the next question is, who will Ferrari pick? (IYKYK)

Ferrari could be vindicated. Remember the Ferrari Purosangue, which was widely panned when it launched several years ago? That SUV is now considered a success. Sometimes it doesn’t matter if a product is hated. Ferrari doesn’t need universal approval; it just needs enough buyers.

Let’s jump from EVs to AVs.

A new Texas law allows its Department of Motor Vehicles agency to exert more control over autonomous vehicle testing and deployment in the state. Companies must now license AVs in the state, and the data is public. Here’s what I found after spending a little time with the AV tracker tool. 

Waymo is far and away the leader with 577 registered AVs, followed by Avride with 317, Nuro with 47, and Tesla with 42. Self-driving truck companies Aurora, Gatik AI, Kodiak AI, and Waabi can also be found. (For all the details, you can read my story.)

Fleet size is just one measure — and it certainly doesn’t always translate into whoever has the most wins. After all, many of these companies have not launched commercial services in the state.

I’m far more interested in the complaints feature on this new tool, which is also public record. As of today, complaints have not been filed against the companies listed above.

Deals!

A new single asset fund managed by Equip Capital has taken a majority stake in European e-scooter operator Ryde Technology. Goldman Sachs Alternatives is the lead investor. 

Harley-Davidson’s electric motorbike spinoff LiveWire acquired electric off-road startup Dust Moto. Terms of the deal were not disclosed. 

Matternet, an autonomous drone delivery company, raised $33 million in a private placement offering and completed a reverse merger with Los Altos Ventures Corp.

Revel, the EV charging company that shuttered its ride-hailing business last August, is merging with Voltera. Terms of the deal were not disclosed, but the combined business will operate under the Voltera brand and will be led by Revel CEO Frank Reig, Bloomberg reported. 

Stark, a German drone maker, is in talks to raise at least €300 million ($350 million), a round that could double its valuation to €2.5 billion, the Financial Times reported.

Volara Motorsports Group, a motorsports and performance-focused holding company, acquired Lynx Motor Works, an Austin, Texas-based company that makes limited-production, reimagined classic vehicles.

WeRoad, the Milan-based group adventure travel startup, raised $58 million in a Series C round led by Airbnb. The funding brings the company’s total capital raised to roughly $100 million and will finance WeRoad’s push into the U.S., beginning with Austin.

Notable reads and other tidbits

American Airlines will install Starlink on more than 500 narrow-body Airbus aircraft beginning early next year, the latest carrier to pick the SpaceX unit for in-flight Wi-Fi service. The deal provides a financial lift for Starlink, the satellite communications network and the only SpaceX business unit that generates meaningful revenue.

Rivian said it will begin deliveries of its new R2 SUV on June 9. Meanwhile, Rivian is being investigated by the National Highway Traffic Safety Administration over how the EV maker services its vehicles’ rear suspension components. 

Slate Auto is expected to announce pricing and start taking nonrefundable preorders for its low-cost electric vehicle on June 24. Deliveries are supposed to happen later this year. 

Volvo Cars received a specification authorization by the Commerce Department that allows the Swedish automaker, which is majority owned by China’s Geely Holding, to continue to import and sell its vehicles in the United States. A law, finalized in January 2025, effectively bans virtually all Chinese vehicles from the U.S. market as part of a crackdown on connected car technology with ties to China. 

Waymo has started giving select riders in Los Angeles, Phoenix, and San Francisco access to its newest robotaxi: an all-electric, minivan-like vehicle that is designed to lower costs and handle the use and abuse of hundreds of thousands of riders. I had a chance to ride in the vehicle, a modified Zeekr-made minivan called the Ojai (pronounced oh-hi). Stay tuned for my full review, which will run this weekend. Here’s a teaser: Robotaxis have long suffered from a magic problem. This Ojai robotaxi starts to solve it.

One more thing …

It’s poll time! Maybe you secretly like the Ferrari Luce and just don’t want to get trolled. Maybe you hate it. We asked our newsletter readers to share their opinion.

Sign up for the Mobility newsletter to participate in our polls!

And now one more thing, for real this time. Last week, I asked our newsletter readers, “Will SpaceX and Tesla merge?” Here’s how they answered. More than 51% selected “Yes, within two years”; 34% picked “never”; and 14.5% chose “Yes, this year.” That means more than 65% believe a merger is inevitable.