Security

Three command injection vulnerabilities in Claude Code CLI — CVE-2026-35020, CVE-2026-35021, and CVE-2026-35022 — carry CVSS scores of 9.8 (Critical) and chain together to enable credential exfiltration over HTTP. If you’re running Claude Code in any CI/CD pipeline, this guide walks you through immediate mitigation steps and longer-term hardening practices. This is not optional maintenance. These are exploitable, validated vulnerabilities with confirmed callback evidence. Prerequisites Access to your Claude Code CLI deployment(s) Access to your CI/CD pipeline configurations (GitHub Actions, GitLab CI, Jenkins, or equivalent) Basic shell access to environments where Claude Code runs Permission to update environment variable configurations and outbound network rules Step 1: Check Your Version and Patch Immediately The vulnerabilities are confirmed exploitable on v2.1.91 and earlier. Your first action is to identify and update every Claude Code CLI instance. ...

If you’re running Claude Code CLI in any CI/CD pipeline, stop what you’re doing and check your version. Right now. Three newly registered CVEs — CVE-2026-35020, CVE-2026-35021, and CVE-2026-35022 — are command injection flaws in Claude Code CLI that researchers at phoenix.security validated as exploitable on v2.1.91 as recently as April 3, 2026. They chain together to enable credential exfiltration over plain HTTP, and every one of them carries a CVSS score of 9.8 (Critical). On top of that, Anthropic shipped a separate patch on April 6 for a distinct high-severity deny-rule bypass — both security issues trace back to the same Claude Code source leak. ...

If you’re building autonomous AI agents — and especially if you’re deploying them to browse the web, process emails, or interact with external data — a new Google DeepMind paper deserves your immediate attention. The research maps the first systematic framework for what the authors call “AI Agent Traps”: adversarial techniques embedded in the environment that exploit the gap between human perception and machine parsing. The headline number is alarming: content injection hijacks succeeded in up to 86% of tested scenarios. And in tests targeting Microsoft M365 Copilot specifically, behavioral control traps achieved a perfect 10/10 data exfiltration rate. ...

Google DeepMind’s new research framework maps six categories of “AI Agent Traps” — adversarial techniques embedded in the environment that can hijack autonomous agents without the user or the agent knowing. With content injection attacks succeeding in up to 86% of tested scenarios, this isn’t theoretical risk. This guide walks through each of the six trap categories and gives you concrete, actionable mitigations you can implement today — whether you’re running OpenClaw, a custom LangGraph pipeline, or any other agent framework. ...

Something significant happened in New York this week. For the first time, the core maintainers of the Model Context Protocol from all four major AI companies — Anthropic, AWS, Microsoft, and OpenAI — sat in the same room and agreed on a shared roadmap for enterprise-grade MCP security, governance, and reliability. The occasion was the MCP Dev Summit, and the outcome is a formalized enterprise security roadmap under a new governance body: the Agentic AI Foundation (AAIF). The MCP specification itself is moving under AAIF governance, signaling that what began as an Anthropic-led protocol is becoming true industry infrastructure. ...

There’s a rule in computer security called Kerckhoffs’s Principle: a system must remain secure even if everything about it is public knowledge. Anthropic, a company that has staked its entire identity on being “safety first,” just shipped a product that violates that principle in a way that’s almost poetic in its mundaneness. Not through a zero-day exploit or a sophisticated attack chain. Through a performance shortcut. What Actually Happens Claude Code lets operators and users configure deny rules — a list of commands the agent is never allowed to run. You can say “never execute rm,” “never run curl,” “never touch /etc/.” It’s the primary mechanism for keeping an AI agent that has shell access to your machine from doing something catastrophic. ...

Anthropic’s accidental Claude Code source leak, first reported last week, has had a consequence that security researchers were quietly warning about: someone used the exposed code to find a real, critical vulnerability. This is distinct from the Vidar malware campaign that exploited brand confusion around the leak (also covered here previously). That was opportunistic social engineering — attackers leveraging the story of the leak to distribute malware. What SecurityWeek is reporting now is different: researchers with access to Claude Code’s 600,000-line codebase — exposed via npm source maps — used that access to conduct legitimate offensive security research and found a critical functional vulnerability. ...

CVE-2026-33579 is a critical privilege escalation vulnerability in OpenClaw (CVSS 8.1–9.8) that allowed anyone with operator.pairing scope — the lowest permission level — to silently grant themselves full admin access. It was patched in v2026.3.28, but the exploit leaves no obvious trace. Security experts recommend that any OpenClaw instance running a pre-patch version should be treated as potentially compromised, even without visible evidence of breach. This checklist walks you through the full audit process. ...

If you’re running a self-hosted OpenClaw instance and haven’t patched in the last week, stop what you’re doing. Security researchers are using a phrase that should make any sysadmin’s stomach drop: “assume compromise.” That’s not alarmism. It’s a measured response to CVE-2026-33579 — a critical privilege escalation vulnerability in OpenClaw that was patched earlier this week, but not before potentially exposing thousands of installations to silent, undetectable admin takeover. What Is CVE-2026-33579? The vulnerability affects all versions of OpenClaw prior to v2026.3.28. Its CVSS score ranges from 8.1 to 9.8 depending on the metric used — squarely in the “critical” band. ...

Microsoft has disclosed CVE-2026-32211, a critical information disclosure vulnerability in Azure MCP Server with a CVSS 3.1 score of 9.1. If you run any Azure MCP Server deployment — and the number of organizations doing so has grown dramatically as agentic workloads moved into production — this one requires immediate attention. The short version: an unauthenticated attacker with network access can read sensitive data from your MCP server. No credentials needed. No prior foothold required. Just a network path and knowledge of the right request. ...