Security

Security researchers dropped a cluster of critical findings today that should be on every agentic AI team’s radar. Vulnerabilities disclosed on March 17, 2026 affect three widely-used components of modern AI pipelines: Amazon Bedrock AgentCore, LangSmith, and SGLang — with the SGLang flaws scoring a maximum-tier 9.8 CVSS and allowing unauthenticated remote code execution. If your production agentic pipeline touches any of these systems, read this now. Amazon Bedrock: DNS Exfiltration Despite “No Network Access” BeyondTrust researchers revealed that Amazon Bedrock AgentCore’s Code Interpreter sandbox — marketed as network-isolated — actually permits outbound DNS queries. That’s a critical gap between what “no network access” implies and what it delivers. ...

The Model Context Protocol has had a remarkable adoption curve — from Anthropic specification to industry standard in under 18 months. But widespread MCP adoption has exposed a control gap that the ecosystem is now racing to address: how do you govern what AI agents can actually do once they have tool access? Enter the MCP Security Gateway — a new product category that’s emerging from multiple vendors simultaneously, with Gartner’s endorsement giving it enterprise credibility on day one. ...

The past week delivered one of the more ironic chapters in OpenClaw’s rapid rise: on the same day AWS rolled out a shiny one-click managed deployment on Amazon Lightsail, security researchers were busy counting the 17,500+ exposed instances sitting vulnerable to remote code execution. Welcome to the double-edged reality of viral open-source software at scale. The Good News: OpenClaw Is Now One-Click on Lightsail AWS responded to sustained customer demand by bundling OpenClaw into its Lightsail blueprint catalog — the same service that makes spinning up a WordPress blog feel trivially easy. The new blueprint ships with Amazon Bedrock pre-configured (defaulting to Claude Sonnet 4.6), automated IAM role creation via CloudShell script, and support for connecting via WhatsApp, Telegram, Slack, Discord, or web chat. ...

When Chrome ships a feature, it ships to roughly 3.4 billion browsers simultaneously. That’s what makes Chrome 146’s native Model Context Protocol (MCP) support such a significant — and potentially consequential — development for the agentic AI ecosystem. What WebMCP Actually Is MCP, for those who need the refresher: it’s Anthropic’s open protocol for connecting AI models to external tools and data sources in a standardized way. The “Web” prefix in WebMCP specifically means browser sessions — live, authenticated, cookie-bearing browser sessions. ...

CNCERT just flagged 135,000 publicly exposed OpenClaw instances. If yours is one of them, this guide is for you. The 2026 OpenClaw security advisory covers two CVEs and a systemic issue with weak default configurations. This guide walks you through the practical steps to harden your deployment — from critical patches to defense-in-depth practices that protect against prompt injection attacks. Time to complete: 30–60 minutes Applies to: All self-hosted OpenClaw deployments Urgency: High — patch the CVEs first ...

If you’re running a self-hosted OpenClaw instance — and odds are you are, given the platform’s explosive growth — today’s news from China’s National Computer Network Emergency Response Technical Team (CNCERT) is a wake-up call you shouldn’t scroll past. CNCERT has officially warned that OpenClaw’s default security configurations are dangerously weak, and the numbers behind that warning are staggering: over 135,000 public instances running with zero authentication. Two active CVEs. And a Chinese government ban on OpenClaw deployments in government systems. ...

Two hours. That’s how long it took an autonomous AI agent to crack open McKinsey’s internal AI assistant and walk out with 46 million chat messages, 728,000 confidential client files, and 57,000 user account records — all in plaintext. The breach wasn’t carried out by a human hacker manually probing endpoints. It was executed by an offensive AI agent deployed by CodeWall, a red-team security startup, as part of an authorized penetration test. The agent operated autonomously: it selected the target, identified the attack surface, and executed the breach without human intervention beyond the initial launch. ...

The headline number is uncomfortable: 87%. That’s the share of pull requests containing at least one security vulnerability when AI coding agents — Claude Code, OpenAI Codex, and Google Gemini — were used to build real applications from scratch. That’s the finding from DryRun Security’s inaugural Agentic Coding Security Report, published this week and already making waves through security and developer communities. This isn’t a synthetic benchmark. DryRun tested three leading AI coding agents building two real applications each, generating approximately five pull requests per agent. The result: 143 total vulnerabilities documented across 30 pull requests. Nearly nine out of ten PRs had at least one problem. The two leading failure modes were access control gaps and improper token handling. ...

OpenClaw v2026.3.8 dropped three days ago and it’s a release that’s easy to overlook if you’re only scanning headlines — but self-hosters should pay close attention. The headline addition is something the community has been quietly asking for since the early days: built-in backup commands. The Backup CLI: What’s New Before 3.8, backing up your OpenClaw configuration meant manually copying files and hoping you remembered everything. Now, the CLI handles it natively: ...

Anthropic has built its brand on safety. Claude is consistently positioned as the thoughtful, cautious model — the one that pushes back on dangerous requests, that thinks about consequences, that errs on the side of care. So the DryRun Security research published today will raise some eyebrows: when used as an agentic coding agent building real applications, Claude produces the highest number of unresolved high-severity security flaws among the leading AI coding agents tested. ...