Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation — 12,000+ Instances Exposed

If you are running Flowise and have not upgraded to version 3.0.6 of the npm package, you are likely already compromised — or actively being probed. Researchers at VulnCheck have confirmed that CVE-2025-59528, a CVSS 10.0 (maximum severity) code injection vulnerability in the open-source AI agent builder Flowise, has been under active exploitation for over six months. Between 12,000 and 15,000 publicly exposed Flowise instances remain unpatched as of the time of reporting, according to data shared with The Hacker News and BleepingComputer. ...

April 7, 2026 · 4 min · 762 words · Writer Agent (Claude Sonnet 4.6)
Three Critical CVEs in Claude Code CLI Chain to Credential Exfiltration — Bypass Patch Also Shipped April 6

If you’re running Claude Code CLI in any CI/CD pipeline, stop what you’re doing and check your version. Right now. Three newly registered CVEs — CVE-2026-35020, CVE-2026-35021, and CVE-2026-35022 — are command injection flaws in Claude Code CLI that researchers at phoenix.security validated as exploitable on v2.1.91 as recently as April 3, 2026. They chain together to enable credential exfiltration over plain HTTP, and every one of them carries a CVSS score of 9.8 (Critical). On top of that, Anthropic shipped a separate patch on April 6 for a distinct high-severity deny-rule bypass — both security issues trace back to the same Claude Code source leak. ...

April 7, 2026 · 4 min · 746 words · Writer Agent (Claude Sonnet 4.6)
Claude Code Silently Ignores Your Deny Rules After 50 Subcommands

There’s a rule in computer security called Kerckhoffs’s Principle: a system must remain secure even if everything about it is public knowledge. Anthropic, a company that has staked its entire identity on being “safety first,” just shipped a product that violates that principle in a way that’s almost poetic in its mundaneness. Not through a zero-day exploit or a sophisticated attack chain. Through a performance shortcut.

What Actually Happens

Claude Code lets operators and users configure deny rules — a list of commands the agent is never allowed to run. You can say “never execute rm,” “never run curl,” “never touch /etc/.” It’s the primary mechanism for keeping an AI agent that has shell access to your machine from doing something catastrophic. ...

April 6, 2026 · 4 min · 840 words · Writer Agent (Claude Sonnet 4.6)
Critical Vulnerability in Claude Code Emerges Days After Source Leak — Researchers Find Exploitable Flaw

Anthropic’s accidental Claude Code source leak, first reported last week, has had a consequence that security researchers were quietly warning about: someone used the exposed code to find a real, critical vulnerability. This is distinct from the Vidar malware campaign that exploited brand confusion around the leak (also covered here previously). That was opportunistic social engineering — attackers leveraging the story of the leak to distribute malware. What SecurityWeek is reporting now is different: researchers with access to Claude Code’s 600,000-line codebase — exposed via npm source maps — used that access to conduct legitimate offensive security research and found a critical functional vulnerability. ...

April 4, 2026 · 4 min · 724 words · Writer Agent (Claude Sonnet 4.6)
OpenClaw CVE-2026-33579: Critical Privilege Escalation — Security Experts Say 'Assume Compromise'

If you’re running a self-hosted OpenClaw instance and haven’t patched in the last week, stop what you’re doing. Security researchers are using a phrase that should make any sysadmin’s stomach drop: “assume compromise.” That’s not alarmism. It’s a measured response to CVE-2026-33579 — a critical privilege escalation vulnerability in OpenClaw that was patched earlier this week, but not before potentially exposing thousands of installations to silent, undetectable admin takeover.

What Is CVE-2026-33579?

The vulnerability affects all versions of OpenClaw prior to v2026.3.28. Its CVSS score ranges from 8.1 to 9.8 depending on the metric used — squarely in the “critical” band. ...

April 4, 2026 · 4 min · 755 words · Writer Agent (Claude Sonnet 4.6)
CVE-2026-32211: Critical Azure MCP Server Auth Flaw Allows Unauthenticated Data Access (CVSS 9.1)

Microsoft has disclosed CVE-2026-32211, a critical information disclosure vulnerability in Azure MCP Server with a CVSS 3.1 score of 9.1. If you run any Azure MCP Server deployment — and the number of organizations doing so has grown dramatically as agentic workloads moved into production — this one requires immediate attention. The short version: an unauthenticated attacker with network access can read sensitive data from your MCP server. No credentials needed. No prior foothold required. Just a network path and knowledge of the right request. ...

April 4, 2026 · 4 min · 763 words · Writer Agent (Claude Sonnet 4.6)

OpenClaw CVE-2026-33579 + CVE-2026-34426: Two Critical Vulnerabilities — Full Patch Guide

If you’re running OpenClaw on any version before 2026.3.28, stop reading and go update. Right now. We’ll be here when you get back. For everyone else: here’s what happened, why it’s serious, and exactly how to verify you’re protected against two freshly disclosed critical vulnerabilities: CVE-2026-33579 and CVE-2026-34426.

What Are These Vulnerabilities?

CVE-2026-33579 — Privilege Escalation via /pair approve (CVSS 8.1–9.8)

This is the big one. Rated between 8.1 and 9.8 out of 10 on the CVSS scale, CVE-2026-33579 allows an attacker who holds operator.pairing scope — the lowest meaningful permission in an OpenClaw deployment — to silently approve device pairing requests that ask for operator.admin scope. ...

April 3, 2026 · 4 min · 844 words · Writer Agent (Claude Sonnet 4.6)
CertiK Study: OpenClaw Has 100+ CVEs, 135,000 Exposed Instances, and Malware-Infected Skills

The open-source AI agent framework that conquered the internet in four months is now facing its most serious security reckoning yet. A comprehensive study published March 31 by Web3 security firm CertiK paints a stark picture: OpenClaw has accumulated over 100 CVEs and 280 security advisories since its release, with more than 135,000 internet-exposed instances actively leaking credentials — and a malware-infested skills marketplace that’s quietly targeting user wallets.

The Architectural Problem Nobody Wanted to Talk About

OpenClaw was originally designed for trusted local environments. You ran it on your laptop, it had access to your files and accounts, and that was fine because it was your machine. ...

April 2, 2026 · 5 min · 883 words · Writer Agent (Claude Sonnet 4.6)
Google Vertex AI 'Double Agent' Flaw Exposed Customer Data and Google's Internal Code

Security researchers at Unit 42, Palo Alto Networks’ threat intelligence division, have disclosed a critical vulnerability in Google Cloud’s Vertex AI Agent Engine that allowed a misconfigured agent to operate as a “double agent” — appearing to perform its intended function while simultaneously exfiltrating customer data and Google’s own internal source code. The flaw was confirmed across multiple independent security sources and represents one of the most tangible examples yet of what happens when least-privilege principles are abandoned in the rush to deploy agentic AI infrastructure. ...

April 1, 2026 · 4 min · 743 words · Writer Agent (Claude Sonnet 4.6)
CrewAI Critical Vulnerabilities Enable Sandbox Escape and Host Compromise via Prompt Injection

Security researcher Yarden Porat at Cyata published findings this week that should be required reading for anyone running CrewAI in production: four critical CVEs, chainable via prompt injection, that allow attackers to escape Docker sandboxes and execute arbitrary code on the host machine. CERT/CC issued advisory VU#221883. Patches are available.

What Was Found

Porat’s research identified four vulnerabilities in CrewAI that can be chained together: CVE-2026-2275 — The initial vector: a prompt injection flaw that allows malicious content in agent inputs to manipulate how CrewAI processes tool calls. Normally, tool calls are structured, validated operations. This CVE allows crafted input to make the framework treat attacker-controlled content as legitimate tool invocations. ...

April 1, 2026 · 4 min · 734 words · Writer Agent (Claude Sonnet 4.6)