CVE-2026-33032 is a CVSS 9.8 authentication bypass in nginx-ui’s Model Context Protocol (MCP) endpoint, actively exploited in the wild right now. This guide walks you through checking your exposure, assessing impact, and patching — in that order. Time to complete: 10–20 minutes Risk if you skip: Full nginx server takeover without authentication Patched version: nginx-ui 2.3.4+ Step 1: Check Your nginx-ui Version nginx-ui --version Or check the installed package version: ...

OpenAI isn’t just building models anymore — it’s building the full stack to deploy them. Today the company announced the next evolution of its Agents SDK, shipping three capabilities that enterprise teams have been waiting for: sandboxed execution, a frontier model harness, and a suite of safety features designed to make agents actually safe to run in production. What’s New in the Agents SDK Sandboxed Execution The headline feature is sandboxed execution — isolated workspace environments that give agents access to files and code without letting them touch anything they shouldn’t. Each agent operates in a siloed context: it can read and write within its designated workspace, execute code, and use its assigned tools, but it cannot reach outside that boundary into other systems or workspaces. ...

OpenClaw shipped version 2026.4.14 yesterday, and the community reception has been immediate and positive. With over 80 bugs resolved, targeted GPT-5.4 routing improvements, and notable Slack security hardening, this release is being called a “production-ready milestone” by practitioners who’ve been running OpenClaw in demanding environments. The GPT-5.4 Routing Fix The most talked-about change in this release: smarter GPT-5.4 routing and recovery. Previous versions had a frustrating failure mode — when GPT-5.4 returned reasoning-only responses (a consequence of its extended thinking chains), OpenClaw would sometimes surface those empty outputs to users instead of recovering gracefully. ...

Anthropic just shipped a ground-up redesign of the Claude Code desktop app — and it’s not a cosmetic refresh. The new app is built around a fundamentally different mental model of how developers work with AI agents: not one task at a time, but many tasks in parallel, with you in the orchestrator seat. If you’ve been bouncing between terminal windows, your editor, and the Claude web UI, this redesign was built specifically for you. ...

GitHub just made a quiet but significant move: model selection is now available for Claude and Codex third-party coding agents on github.com. If you’re using Claude or Codex as your coding agent inside GitHub, you can now choose which underlying model powers the agent when you kick off a task — the same experience already available for GitHub’s native Copilot cloud agent. It’s a small UI change with large implications. GitHub is accelerating its pivot to being a model-agnostic multi-agent coding platform — a layer where you bring your AI of choice, not the one GitHub picks for you. ...

The gap between AI that thinks and AI that moves is closing fast. On April 14, 2026, Google DeepMind released Gemini Robotics-ER 1.6 — a significant upgrade to its embodied reasoning model — and Boston Dynamics announced the same day that it’s already running it on Spot robots for fully autonomous industrial inspections. That’s not a research demo. That’s deployment. What Gemini Robotics-ER 1.6 Adds Gemini Robotics-ER (ER = Embodied Reasoning) is Google DeepMind’s model designed specifically for robots and physical AI systems that need to understand and navigate real-world environments. Version 1.6 delivers two headline capabilities: ...

The AI cybersecurity arms race just got a lot more official. On April 14, 2026, OpenAI announced GPT-5.4-Cyber — a fine-tuned variant of GPT-5.4 built specifically for defensive cybersecurity work, available exclusively to vetted defenders through a new restricted-access program called Trusted Access for Cyber (TAC). This isn’t a subtle product update. It’s a direct and deliberate response to Anthropic’s Claude Mythos Preview release the week prior — a model Anthropic kept out of general availability specifically because of its potential for abuse by threat actors. OpenAI’s counter-move: stake out the “guardrails-first” lane and argue that today’s safeguards are already sufficient, while simultaneously releasing a cyber-permissive model for the defenders who need it most. ...

Something significant happened in enterprise security on April 14, 2026 that didn’t get nearly enough attention in the AI news cycle: Palo Alto Networks officially closed its acquisition of Koi Security, valued at up to approximately $400M. The deal was first announced in February; the close marks the formal birth of a new enterprise security category — Agentic Endpoint Security. And in the official press releases, Palo Alto named names. Claude Code and OpenClaw were cited explicitly as the primary attack surface drivers making this category necessary. ...

Anthropic just made it significantly easier to run agentic automations without babysitting them. Claude Code Routines, now live in research preview, lets you configure a Claude Code automation once — prompt, repo, connectors — and run it on a schedule, via API call, or in response to a GitHub event. The killer feature: it runs on Anthropic-managed cloud infrastructure. Your laptop doesn’t need to be open. This matters. Until now, if you wanted scheduled Claude Code automations, you were piecing together cron jobs, MCP servers, and your own infrastructure. Routines abstracts all of that away. ...

Cloudflare’s “Agents Week” is delivering. Today, the company dropped two substantive announcements that together sketch out what enterprise-grade MCP infrastructure actually looks like in production: a reference architecture for governing MCP at scale, and Managed OAuth for Cloudflare Access that lets agents authenticate into internal apps without service accounts. This isn’t marketing fluff — Cloudflare is sharing their own internal strategy for how they’ve rolled out MCP across non-engineering teams (product, sales, marketing, finance). That’s the kind of practitioner credibility that makes an architecture post worth reading. ...