Last week’s roundup covered Vercel’s breach through a compromised AI tool, n8n’s CVSS 10.0 nightmare, and the LiteLLM supply chain attack. This week, the AI agent security crisis has a name: OpenClaw. The fastest-growing open-source AI agent took just four days to collect nine CVEs, with 135,000 instances sitting exposed on the public internet and 12% of its skill marketplace serving malware. Meanwhile, Wiz used AI reverse-engineering to discover a critical GitHub RCE that could have hijacked millions of repositories, and Flowise’s own CVSS 10.0 flaw is now being actively exploited in the wild.
OpenClaw: Nine CVEs, Four Days, 135,000 Exposed Instances
OpenClaw, the open-source AI agent that rocketed to 135,000 GitHub stars in weeks, has become the poster child for everything wrong with AI agent security in 2026.
The numbers are staggering. SecurityScorecard’s STRIKE team found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. More than 15,000 of those were directly vulnerable to remote code execution. The root cause is absurdly simple: OpenClaw binds by default to 0.0.0.0:18789, listening on all network interfaces including the public internet, rather than 127.0.0.1 as any security-conscious default would demand.
The CVE count tells the rest of the story. Nine vulnerabilities were disclosed in four days, including CVE-2026-25253 (CVSS 8.8), a one-click RCE that exploits a WebSocket origin validation gap. A victim visiting a single malicious webpage is enough to trigger full system compromise. Two additional command injection vulnerabilities rounded out the initial advisories.
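The origin check whose absence makes a one-click WebSocket attack possible is simple to state: a browser always sends an Origin header on a cross-site WebSocket handshake, so a local agent can refuse any handshake whose Origin is not on its own allowlist. This is an added illustration, not OpenClaw's code; the allowlist, the port 18789 default and the header shape are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for a locally hosted agent UI (assumption, not OpenClaw's config).
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def normalize_origin(origin: str):
    """Return (scheme, host, port) for an Origin value, or None if it is malformed."""
    try:
        parts = urlsplit(origin)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    except ValueError:  # e.g. a non-numeric port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def check_ws_origin(headers: dict, allowed_origins: list) -> bool:
    """Admit a WebSocket upgrade only when its Origin is on the allowlist.

    Browsers always send Origin on WebSocket handshakes, so a missing or
    "null" Origin is treated as hostile rather than as "probably not a browser".
    Comparison is on the normalized (scheme, host, port) tuple, so a default
    port written explicitly still matches and host case does not matter.
    """
    origin = None
    for name, value in headers.items():
        if name.lower() == "origin":
            origin = value.strip()
    if not origin or origin == "null":
        return False
    got = normalize_origin(origin)
    if got is None:
        return False
    return any(got == normalize_origin(a) for a in allowed_origins)
```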
But the infrastructure exposure is only half the problem. Researchers confirmed that 341 out of 2,857 skills on ClawHub — OpenClaw’s public marketplace — were malicious. That’s roughly 12% of the entire registry. These skills used professional documentation and innocuous names to appear legitimate, then instructed users to run external code that installed keyloggers or malware.
The deeper risk, as IBM’s X-Force team pointed out, is what happens when employees connect personal AI agents to corporate systems without security team visibility. OpenClaw integrates with email, calendars, documents, and messaging platforms. When connected to Slack or Google Workspace, the agent can access messages, files, OAuth tokens, and everything needed for lateral movement through a corporate network.
Wiz Used AI to Find a Critical GitHub RCE
In a twist that highlights both the promise and peril of AI in security, Wiz Research used AI-augmented reverse engineering to discover CVE-2026-3854, a critical vulnerability in GitHub’s internal git infrastructure that affected both GitHub.com and GitHub Enterprise Server.
The bug sat in GitHub’s internal X-Stat protocol, a semicolon-delimited header passed between services during a git push. The proxy component embedded user-supplied push option values into that header without stripping semicolons, allowing an attacker to overwrite trusted security fields and pivot into RCE as the git service user. Any authenticated user with push access could execute arbitrary commands on GitHub’s backend servers — using nothing but a standard git client.
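The bug class is delimiter injection: a producer concatenates an untrusted value into a record whose separator that value may itself contain, and a consumer that resolves repeated keys by "last value wins" hands the attacker control of a trusted field. The following added example reproduces the class with hypothetical field names and a stand-in parser; it is not GitHub's X-Stat protocol or code. It shows both the vulnerable builder and a hardened one, plus a consumer-side check that rejects the ambiguity outright.

```python
DELIMITERS = (";", "=")  # the protocol's structural characters (stand-in format)


def parse_header(header: str, strict: bool = False) -> dict:
    """Parse 'k=v;k=v'. Non-strict mimics a last-value-wins consumer; strict
    rejects a repeated key, which is exactly what a delimiter injection produces."""
    fields = {}
    for item in filter(None, header.split(";")):
        key, _, value = item.partition("=")
        if strict and key in fields:
            raise ValueError(f"duplicate field {key!r} in header")
        fields[key] = value
    return fields


def build_header_naive(trusted: dict, push_options: list) -> str:
    """Vulnerable pattern: user-supplied push options are embedded verbatim,
    so an option containing ';' terminates the field early and appends its own."""
    parts = [f"{k}={v}" for k, v in trusted.items()]
    parts += [f"opt{i}={o}" for i, o in enumerate(push_options)]
    return ";".join(parts)


def build_header_safe(trusted: dict, push_options: list) -> str:
    """Hardened producer: refuse any untrusted value that carries a delimiter.
    Rejecting is preferable to stripping, which can silently change meaning."""
    for o in push_options:
        if any(d in o for d in DELIMITERS):
            raise ValueError(f"push option contains protocol delimiter: {o!r}")
    parts = [f"{k}={v}" for k, v in trusted.items()]
    parts += [f"opt{i}={o}" for i, o in enumerate(push_options)]
    return ";".join(parts)


# Constructed sample: 'privileged' is a hypothetical trusted field set by the proxy.
TRUSTED = {"repo": "org/app", "user": "42", "privileged": "0"}
```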
On GitHub.com, this meant remote code execution on shared storage nodes. Wiz confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.
GitHub mitigated the issue on GitHub.com within six hours of the March 4 report and shipped patches for every supported GHES branch on March 10. But here’s the kicker: at the time of Wiz’s publication, security researcher Sagi Tzadik noted that 88% of GitHub Enterprise Server instances remained unpatched.
The discovery method matters as much as the bug itself. Wiz used IDA MCP — AI-powered tooling — to rapidly analyze compiled binaries and reconstruct internal protocols that would have been too time-consuming to reverse engineer manually. This is one of the first critical vulnerabilities discovered in closed-source binaries using AI, and it signals a shift in how these flaws get found. Attackers will have the same tools.
Flowise: Third RCE, Now Under Active Exploitation
Flowise, the open-source AI workflow builder, is now being actively exploited through CVE-2025-59528, a code injection vulnerability scoring a perfect CVSS 10.0.
The vulnerability lives in the CustomMCP node, which allows users to input configuration for connecting to MCP servers. During parsing, Flowise executes the user-provided JavaScript configuration without any security validation, giving attackers access to child_process for command execution and fs for file system access — with full Node.js runtime privileges.
VulnCheck confirmed exploitation activity originating from a single Starlink IP address. Between 12,000 and 15,000 Flowise instances are visible in public internet scans.
This is Flowise’s third actively exploited RCE, following CVE-2025-8943 (CVSS 9.8) and CVE-2025-26319 (CVSS 8.9). The fix is in version 3.0.6 — update immediately if you’re running Flowise.
CrewAI: Four CVEs Chain Prompt Injection into Full Compromise
Four vulnerabilities in CrewAI — CVE-2026-2275, CVE-2026-2285, CVE-2026-2286, and CVE-2026-2287 — demonstrate what happens when AI agent frameworks don’t enforce trust boundaries between components.
The attack chain is elegant and terrifying. Each step exploits a different trust boundary: the model trusts the prompt, the orchestrator trusts the model’s tool selection, the Code Interpreter trusts the orchestrator’s parameters, and the host trusts the Code Interpreter’s execution. An attacker who can interact with a CrewAI agent through prompt injection can chain these vulnerabilities together to achieve sandbox bypass and full RCE.
The specific flaws: CVE-2026-2275 hits the Code Interpreter Tool directly. CVE-2026-2287 exploits a Docker runtime check that fails silently — if Docker stops running, CrewAI falls back to unsafe mode without warning. CVE-2026-2285 enables arbitrary file reads through the JSON loader tool. CVE-2026-2286 allows SSRF through RAG search tools that don’t validate URLs.
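The Docker fallback is a fail-open design: when the sandbox probe fails, execution continues on the host with no signal to the operator. The added example below (not CrewAI's code; the class, probe and event names are hypothetical) contrasts that with a fail-closed interpreter that refuses to run model-generated code without its sandbox, records the condition, and allows host execution only as an explicit, logged opt-in.

```python
import shutil
import subprocess
from typing import Callable, List


class SandboxUnavailable(RuntimeError):
    """Raised instead of silently running model-generated code on the host."""


def docker_is_running(timeout: float = 3.0) -> bool:
    """Probe the Docker daemon; any failure mode counts as 'not available'."""
    if shutil.which("docker") is None:
        return False
    try:
        result = subprocess.run(["docker", "info"], capture_output=True, timeout=timeout)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def choose_runtime_fail_open(probe: Callable[[], bool]) -> str:
    """The pattern the article describes: sandbox gone, keep going on the host."""
    return "docker" if probe() else "host"


class CodeInterpreter:
    """Fail-closed variant: no sandbox means no execution unless explicitly allowed."""

    def __init__(self, probe: Callable[[], bool] = docker_is_running, allow_unsafe: bool = False):
        self.probe = probe
        self.allow_unsafe = allow_unsafe  # deliberate operator choice, never a fallback
        self.events: List[str] = []       # stand-in for the audit log / metrics sink

    def choose_runtime(self) -> str:
        if self.probe():
            return "docker"
        self.events.append("sandbox_unavailable")
        if self.allow_unsafe:
            self.events.append("unsafe_mode_explicitly_enabled")
            return "host"
        raise SandboxUnavailable(
            "Docker is not running; refusing to execute untrusted code on the host"
        )
```

The `events` list is where a real deployment would emit an alert, so that a stopped Docker daemon becomes a visible incident rather than a silent downgrade.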
Google Antigravity: Prompt Injection Breaks the Sandbox
Pillar Security researchers found a vulnerability in Antigravity, Google’s agentic IDE, that broke through its highest security setting.
The exploit targeted the find_by_name tool’s Pattern parameter, injecting the -X (exec-batch) flag into the underlying fd utility. This converted a file search operation into arbitrary code execution. Combined with Antigravity’s permitted file-creation capability, an attacker could stage a malicious script, then trigger it through a seemingly legitimate search — all without additional user interaction once the prompt injection landed.
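The defensive lesson is that a model-controlled string must never land where a command-line parser could read it as an option. The added example below is a hypothetical wrapper for a file-search tool, not Antigravity's implementation; it assumes the underlying fd binary honours the POSIX `--` end-of-options marker, as clap-based CLIs do, and that fd's `--glob` and `--type` options behave as documented.

```python
import re
import subprocess
from typing import List

# Allowlisted glob alphabet: letters, digits, underscore, dot, dash, and glob
# metacharacters. Whitespace, quotes and shell metacharacters are excluded.
PATTERN_RE = re.compile(r"^[\w.\-*?\[\]]{1,128}$")


class UnsafeToolArgument(ValueError):
    """The agent supplied a tool parameter that could change command semantics."""


def build_find_by_name_argv(pattern: str, root: str = ".") -> List[str]:
    """Build the argv for a hypothetical find_by_name tool, defensively."""
    # 1. Reject anything that could be parsed as an option (this is the check
    #    that blocks an injected '-X' or '--exec-batch').
    for value in (pattern, root):
        if value.startswith("-"):
            raise UnsafeToolArgument(f"argument may not start with '-': {value!r}")
    # 2. Constrain the pattern to the glob alphabet; no spaces, no separators.
    if not PATTERN_RE.match(pattern):
        raise UnsafeToolArgument(f"pattern contains disallowed characters: {pattern!r}")
    # 3. Pin the option list ourselves and end it with '--', so positional
    #    arguments can never be read as flags even if check 1 is loosened later.
    return ["fd", "--glob", "--type", "f", "--", pattern, root]


def run_find_by_name(pattern: str, root: str = ".") -> List[str]:
    """Execute the search without a shell, so the argv list is passed intact."""
    argv = build_find_by_name_argv(pattern, root)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.splitlines()
```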
This bypassed Antigravity’s Secure Mode — Google’s highest security tier — which runs commands in a sandbox, throttles network access, and restricts file writes to the working directory. The attack vectors include compromised identity accounts connected to the agent, or hidden prompt instructions inside open-source files the agent ingests.
Google patched the issue on February 28 after a January 6 report and awarded a bug bounty.
Azure SRE Agent: Cross-Tenant Data Exposure
CVE-2026-32173 (CVSS 8.6) exposed a multi-tenant design oversight in Azure SRE Agent. Authentication checks validated tokens without verifying the caller was authorized for the target tenant, allowing anyone with an Entra ID account to silently eavesdrop on real-time command streams, AI chat sessions, internal LLM reasoning, tool calls, and credentials from other organizations.
The vulnerability affected the Azure SRE Agent Gateway’s SignalR Hub and required no privileges or user interaction to exploit. Microsoft resolved it server-side — no customer action required.
The Pattern No One’s Fixing
Six weeks of AI security roundups and the pattern is unmistakable. AI agent frameworks are shipping with catastrophic defaults — binding to all interfaces, executing user input as code, falling back to unsafe modes silently. Marketplaces and registries have no meaningful vetting. Trust boundaries between agent components don’t exist or fail under basic prompt injection.
The OpenClaw crisis isn’t an anomaly. It’s what happens when a tool that integrates with your email, calendar, and Slack also listens on the public internet and runs unvetted marketplace code. Flowise is on its third actively exploited RCE. CrewAI’s trust model collapses with a single prompt injection. Google’s highest security mode got bypassed by injecting a command-line flag.
What You Can Do
If you’re running OpenClaw: Check whether your instance binds to 0.0.0.0 and change it to 127.0.0.1. Audit every installed skill against the known malicious list. Better yet, assume any skill you didn’t write yourself is suspect.
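A quick way to carry out the first check on a Linux host is to read the listening sockets and flag any that bind port 18789 to a wildcard address. The added helper below is not OpenClaw tooling; it parses the column layout of `ss -ltn` and ships with constructed sample output so it can be tried offline.

```python
import sys
from typing import List

# Wildcard local addresses as ss prints them (IPv4, legacy IPv6 form, modern IPv6 form).
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def find_exposed_listeners(ss_output: str, port: int = 18789) -> List[str]:
    """Return the local address:port strings from `ss -ltn` output that bind
    `port` on all interfaces. Loopback-only listeners are not reported."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        # ss -ltn columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port ...
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        host, _, local_port = local.rpartition(":")  # rpartition keeps IPv6 brackets intact
        if local_port != str(port):
            continue
        if host in WILDCARDS:
            exposed.append(local)
    return exposed


# Constructed sample in `ss -ltn` layout: two wildcard binds of 18789 and one loopback bind.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*
LISTEN 0      4096   [::]:18789          [::]:*
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
"""

if __name__ == "__main__":
    # Pipe real output in (`ss -ltn | python3 check_bind.py`); falls back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for addr in find_exposed_listeners(data):
        print(f"EXPOSED: {addr} listens on all interfaces; rebind to 127.0.0.1")
```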
If you’re running Flowise: Update to version 3.0.6 immediately. If you can’t update, take it offline.
If you’re running GitHub Enterprise Server: 88% of instances are unpatched for CVE-2026-3854. Upgrade now.
If you’re using CrewAI: Review your Docker runtime monitoring. If Docker stops, CrewAI silently drops its sandbox. Don’t expose CrewAI agents to untrusted input.
For everyone running AI agents: Treat AI agent frameworks with the same security scrutiny you’d apply to any internet-facing service. Audit network bindings, review marketplace installations, and assume prompt injection is a viable attack vector against every tool in your stack.