CVE-2026-35435, disclosed by Microsoft on May 7, 2026, is a critical (CVSS 8.6) improper-access-control flaw in Azure AI Foundry's M365 published agents. The vulnerability allows an unauthorized remote attacker to bypass authorization checks on the agent runtime and elevate a low-privileged role into one with extensive control over AI resources, agent configurations, data connectors, and potentially the underlying Microsoft 365 environment. Microsoft's advisory confirmed exploitation in the wild. The flaw lives inside the AI agent system's own authorization code, not in surrounding infrastructure - the agent runtime trusted callers it should have rejected and gave them owner-shaped access to workflows, secrets, and backend data the agents were wired up to reach.

In early May 2026, Israeli cybersecurity startup RedAccess published findings from a scan of roughly 380,000 applications built on vibe-coding platforms, including Lovable, Base44, Replit, and Netlify. About 5,000 of those apps were leaking sensitive corporate or personal data, with about 40% of the vulnerable apps exposing things like medical records, financial information, corporate strategy documents, and customer-service chat transcripts. Verified exposures included a shipping company's vessel arrival schedules, the status of UK clinical trials at a healthcare firm, internal financials from a Brazilian bank, and customer chat logs from a British furniture retailer. RedAccess also found phishing pages built on Lovable that imitated Bank of America, FedEx, Trader Joe's, and McDonald's. The structural cause is simple: many of these platforms default new projects to publicly accessible, and non-developer builders do not always know to change that.

Vercel disclosed an April 2026 security incident that began with the compromise of Context.ai, a third-party AI tool used by a Vercel employee. Context said at least one Vercel employee had signed up for its deprecated AI Office Suite using a corporate Google Workspace account and granted broad "Allow All" OAuth permissions so AI agents could act across external applications. Attackers used a compromised token to access the employee's Google Workspace account, pivoted into Vercel systems, and exposed some customer environment variables. This belongs here because the failure was not merely "AI company got hacked." It was the oldest corporate security mistake in a fresh costume: give an agentic AI tool too much access, then act surprised when that access becomes the blast radius.

Security researcher Aonan Guan and Johns Hopkins collaborators showed that Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent could be hijacked through GitHub PR titles, issue bodies, and comments. The agents treated untrusted repository text as instructions, executed tool actions, and leaked tokens or API keys back through GitHub comments, logs, or commits. The finding turned GitHub itself into the exfiltration channel.

Capsule Security disclosed ShareLeak in Microsoft Copilot Studio and PipeLeak in Salesforce Agentforce, two prompt injection findings where ordinary business inputs such as SharePoint comments and lead forms could steer enterprise agents into leaking data through authorized workflows. Microsoft assigned CVE-2026-21520 to the Copilot Studio issue, and reporting from VentureBeat and CSO described the broader failure: agents connected to email, CRM, and business data were interpreting public form text as instructions.

Oasis Security disclosed Claudy Day, a chained attack against Claude.ai that combined invisible URL-based prompt injection, Anthropic's Files API, and an open redirect on claude.com. A victim could click what looked like a trusted Claude search result, land in a normal Claude.ai chat with hidden instructions already planted in the prompt, and have Claude search prior conversations or memory for sensitive data before uploading the results to an attacker-controlled Anthropic account. Anthropic fixed the prompt-injection issue after responsible disclosure, while Oasis said the remaining issues were still being addressed when the report went public.

Security researcher Jeremiah Fowler discovered three publicly exposed databases tied to Sears Home Services' AI support system, exposing 3.7 million chat logs, 1.4 million audio recordings, and text transcripts from 2024 to 2026. The files referenced Sears' Samantha voice agent and kAIros system and included names, addresses, phone numbers, appliance details, and appointment information. Some recordings continued for hours after callers appeared to think the interaction was over, capturing ambient household audio. Fowler said he notified Transformco and the data was restricted the next day. Even without confirmed malicious access, leaving an AI customer-service archive like this on the open web is the kind of privacy own-goal that turns digital transformation into a liability reservoir.

An autonomous AI agent inside Meta caused a "Sev 1" security incident - the company's second-highest severity classification - when it posted incorrect technical guidance on an internal forum without human approval. An engineer who followed the advice inadvertently granted unauthorized colleagues broad access to sensitive company documents, proprietary code, business strategies, and user-related datasets for approximately two hours. The incident came less than three weeks after a separate episode in which an OpenClaw agent deleted over 200 emails from Meta's director of AI safety.

GitGuardian's "State of Secrets Sprawl 2026" report found that AI-assisted commits on public GitHub leaked secrets at roughly double the rate of human-only commits - 3.2% versus a 1.5% baseline - while the total number of leaked secrets on GitHub hit 28.65 million in 2025, a 34% year-over-year increase and the largest single-year spike ever recorded. AI-service secrets specifically surged 81%, with eight of the ten fastest-growing leaked secret categories tied to AI services. Over 24,000 secrets were also exposed through public Model Context Protocol (MCP) configurations. The report is essentially a 50-page document explaining that the industry's enthusiasm for AI-assisted development has not been matched by a corresponding enthusiasm for not publishing credentials on the public internet.

Aikido Security's "State of AI in Security & Development 2026" report - a survey of 450 developers, AppSec engineers, and CISOs across Europe and the US - found that 20% of organizations have suffered a serious security breach directly caused by vulnerabilities in AI-generated code that those organizations deployed into production. Nearly seven in ten respondents reported finding vulnerabilities introduced by AI-written code in their own systems. With roughly a quarter of all production code now written by AI tools, the report documents an industry-wide accountability vacuum: 53% blame security teams, 45% blame the developer who wrote the code, and 42% blame whoever merged it.

A broken object-level authorization flaw in Lovable's API - OWASP's #1 ranked API vulnerability - let anyone with a free account read any other user's project source code, database credentials, and full AI conversation history in five API calls. Every project created before November 2025 was affected. A security researcher reported the flaw on March 3, 2026; Lovable patched new projects and closed the follow-up report as a duplicate, leaving the existing-project exposure open for 48 days. When the researcher went public on April 20, Lovable's response evolved through four contradictory positions before settling on blaming its bug bounty partner.

A security researcher found 16 vulnerabilities - six critical - in an EdTech app featured on Lovable's showcase page, which had over 100,000 views and real users from UC Berkeley, UC Davis, and universities across Europe, Africa, and Asia. The AI-generated authentication logic was backwards, blocking logged-in users while granting anonymous visitors full access. 18,697 user records including names, emails, and roles were accessible without authentication, along with the ability to modify student grades, delete accounts, and send bulk emails. Lovable initially closed the researcher's support ticket without response.

Check Point Research disclosed a set of Claude Code vulnerabilities on February 25, 2026 that let attacker-controlled repositories execute shell commands and exfiltrate Anthropic API credentials through malicious project configuration. The attack abused hooks, MCP server definitions, and environment settings stored in repository files that Claude Code treated as collaborative project configuration. Anthropic patched the issues before public disclosure, but the research showed just how little distance separates "shareable team settings" from "clone this repo and let it run code on your machine."

Hudson Rock discovered that Vidar infostealer malware successfully exfiltrated an OpenClaw user's complete agent configuration, including gateway authentication tokens, cryptographic keys for secure operations, and the agent's soul.md behavioral guidelines file. OpenClaw stores these sensitive files in predictable, unencrypted locations accessible to any local process. With stolen gateway tokens, attackers could remotely access exposed OpenClaw instances or impersonate authenticated clients making requests to the AI gateway. Researchers characterized this as marking the transition from stealing browser credentials to harvesting the identities of personal AI agents.

PromptArmor demonstrated that AI agents in messaging platforms can exfiltrate sensitive data without any user interaction. Malicious prompts trick AI agents into generating URLs with embedded secrets (API keys, credentials), and the messaging platform's automatic link preview feature fetches these URLs, completing the exfiltration before the user even sees the message. Microsoft Teams with Copilot Studio was the most affected, with Discord, Slack, Telegram, and Snapchat also vulnerable.

SecurityScorecard's STRIKE team discovered over 135,000 OpenClaw AI agent instances exposed to the public internet due to a default configuration that binds to all network interfaces. Approximately 50,000 instances were vulnerable to known RCE flaws (CVE-2026-25253, CVE-2026-25157, CVE-2026-24763), and over 53,000 were linked to previous breaches. Separately, Bitdefender found approximately 17% of skills in the OpenClaw marketplace were malicious, delivering credential-stealing malware.

A VibeEval scan of 1,430 applications built with AI coding tools found 5,711 security vulnerabilities, with 73% of apps containing at least one critical flaw. The analysis revealed 89% of scanned apps were missing basic security headers, 67% exposed API endpoints or secrets in client-side code, and 23% had JWT authentication bypasses. Apps generated via Replit had roughly twice the vulnerability count compared to those deployed on Vercel. The findings provide large-scale empirical evidence that vibe-coded applications routinely ship with fundamental security gaps.

Moltbook, a viral social network built for AI agents to post, comment, and interact, was entirely vibe-coded and shipped with a misconfigured Supabase database granting full read and write access to all platform data. Wiz researchers found a Supabase API key in client-side JavaScript within minutes, exposing 1.5 million API authentication tokens, 35,000 email addresses, and private messages. The database also revealed the platform's claimed 1.5 million agents were controlled by only 17,000 human owners.

Chat & Ask AI, a popular AI chatbot wrapper app with 50+ million users, had a misconfigured Firebase backend that exposed 300 million messages from over 25 million users. The exposed data included complete chat histories with ChatGPT, Claude, and Gemini -- including discussions of self-harm, drug production, and hacking. A broader scan found 103 of 200 iOS apps had similar Firebase misconfigurations.

A hacker bypassed Anthropic Claude's safety guardrails by framing requests as part of a "bug bounty" security program, convincing the AI to act as an "elite hacker" and generate thousands of detailed attack plans with ready-to-execute scripts. When Claude hit guardrail limits, the attacker switched to ChatGPT for lateral movement tactics. The result was 150 GB of stolen data from multiple Mexican federal agencies, including 195 million taxpayer records, voter information, and government employee files. A custom MCP server bridge maintained a growing knowledge base of targets across the intrusion campaign.

Varonis researchers disclosed the Reprompt attack, a chained prompt injection technique that exfiltrated sensitive data from Microsoft Copilot Personal with a single click on a legitimate Copilot URL. The attack exploited the "q" URL parameter to inject instructions, bypassed data-leak guardrails by asking Copilot to repeat actions twice (safeguards only applied to initial requests), and used Copilot's Markdown rendering to silently send stolen data to an attacker-controlled server. No plugins or further user interaction were required, and the attacker maintained control even after the chat was closed. Microsoft patched the issue in its January 2026 security updates.

The popular AI workflow automation platform n8n disclosed a maximum-severity vulnerability (CVE-2026-21858) allowing unauthenticated remote code execution on self-hosted instances. With over 25,000 n8n hosts exposed to the internet, the flaw enabled attackers to access sensitive files, forge admin sessions, and execute arbitrary commands. This followed two other critical RCE flaws patched in the same period, highlighting systemic security issues in AI automation platforms.

Tea, a women-only dating safety app with over four million users, suffered three data breaches in July 2025 that exposed 72,000 private images - including 13,000 photos of women holding government-issued IDs - and more than 1.1 million private messages containing deeply personal accounts of relationships, trauma, and abuse. The exposed data circulated on 4chan and hacking forums. The app's founder later admitted to building it with contractors and AI tools without personal coding knowledge. Security researchers attributed the breaches to missing authentication, unsecured legacy databases, and development practices that prioritized speed over security. Multiple class-action lawsuits and privacy regulator investigations followed.

Security researcher Matt Palmer discovered that applications generated by Lovable, a vibe-coding platform, shipped with insufficient Supabase Row-Level Security policies that allowed unauthenticated attackers to read and write arbitrary database tables. The vulnerability, tracked as CVE-2025-48757, affected over 170 apps and exposed sensitive data including personal debt amounts, home addresses, API keys, and PII. A separate researcher found 16 vulnerabilities in a single Lovable-hosted app that leaked more than 18,000 people's data. Lovable's response was widely criticized as inadequate.

EnrichLead, a sales lead SaaS application whose founder Leo Acevedo publicly boasted was built entirely with Cursor AI and "zero hand-written code," was permanently shut down in March 2025 after attackers exploited a constellation of basic security failures. API keys sat exposed in frontend code. There was no authentication. The database was wide open. There was no rate limiting. No input validation. Attackers bypassed subscriptions, manipulated data, and maxed out API keys - all within two days of Acevedo's viral celebration post. When he tried to use Cursor to fix the problems, the AI "kept breaking other parts of the code." The app was dead within the week. Acevedo has since launched new vibe-coded projects, because some lessons require a second attempt.