Supply Chain Stories

20 disasters tagged #supply-chain


PraisonAI shipped auth-off-by-default; first exploit attempt landed in under 4 hours

May 2026

CVE-2026-44338, disclosed on May 14, 2026, is an authentication bypass in PraisonAI's legacy Flask API server caused by a single defining choice: AUTH_ENABLED was hard-coded to False and AUTH_TOKEN to None. Anyone who could reach the server over the network could enumerate configured agents via GET /agents and trigger the configured agents.yaml workflow via POST /chat, with no token required. Within three hours, forty-four minutes, and thirty-nine seconds of the advisory becoming public, a scanner identifying itself as "CVE-Detector/1.0" was already probing the exact vulnerable endpoint on internet-exposed PraisonAI instances. The bug affects versions 2.5.6 through 4.6.33 and is fixed in 4.6.34. The rapid-exploitation timeline is the part that should worry every operator of an open-source AI agent framework, not the CVSS 7.3 score.

Catastrophic | by AI agent framework
Internet-exposed PraisonAI installations across versions 2.5.6 through 4.6.33 vulnerable to unauthenticated agent enumeration and workflow execution; documented exploitation attempts within hours of disclosure; potential for attackers to drain API quotas, exfiltrate prompt-driven outputs, and pivot through configured tool integrations.
Tags: Security, Automation, Supply Chain, +1 more

Four chainable OpenClaw CVEs let attackers break the agent's own sandbox

May 2026

In May 2026, Cyera Research disclosed "Claw Chain," a set of four chainable vulnerabilities in OpenClaw, one of the most widely deployed open-source AI agent platforms. CVE-2026-44112 (CVSS 9.6) is a time-of-check / time-of-use race in the OpenShell managed sandbox that lets attacker writes escape the intended mount root. CVE-2026-44113 (CVSS 7.7) lets reads escape it. CVE-2026-44115 (CVSS 8.8) leaks API keys and tokens through insufficient command validation. CVE-2026-44118 (CVSS 7.8) blindly trusts a client-controlled ownership flag, allowing a local process with a valid bearer token to escalate to owner-level. Chained, the four bugs go from initial foothold to data theft to persistent backdoor inside the agent's own sandbox. Roughly 65,000 to 180,000 OpenClaw instances were publicly reachable at disclosure. All four were patched in 2026.4.22.

Catastrophic | by AI agent framework
Up to ~180,000 publicly reachable OpenClaw instances exposed before patching; chainable CVEs covering sandbox escape (read and write), API key and token leakage, and owner-level privilege escalation; affected deployments needing urgent upgrade to 2026.4.22 and credential rotation.
Tags: Security, Prompt Injection, Automation, +1 more

A scan of 380,000 vibe-coded apps found 5,000 leaking sensitive data

May 2026

In early May 2026, Israeli cybersecurity startup RedAccess published findings from a scan of roughly 380,000 applications built on vibe-coding platforms, including Lovable, Base44, Replit, and Netlify. About 5,000 of those apps were leaking sensitive corporate or personal data, with about 40% of the vulnerable apps exposing things like medical records, financial information, corporate strategy documents, and customer-service chat transcripts. Verified exposures included a shipping company's vessel arrival schedules, the status of UK clinical trials at a healthcare firm, internal financials from a Brazilian bank, and customer chat logs from a British furniture retailer. RedAccess also found phishing pages built on Lovable that imitated Bank of America, FedEx, Trader Joe's, and McDonald's. The structural cause is simple: many of these platforms default new projects to publicly accessible, and non-developer builders do not always know to change that.

Catastrophic | by Developer
~5,000 vibe-coded apps confirmed leaking corporate and personal data across multiple industries (healthcare, banking, retail, logistics); thousands of additional apps with security weaknesses identified; phishing infrastructure quietly hosted on Lovable; structural exposure pattern across Lovable, Base44, Replit, and Netlify.
Tags: Data Breach, Security, AI Content Generation, +1 more

TrustFall turns AI coding-agent folder trust into code execution

May 2026

Adversa AI disclosed TrustFall, a class-level security flaw in agentic coding CLIs including Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI. The attack used malicious repository configuration to auto-start project Model Context Protocol servers after a developer accepted a folder-trust prompt. In developer environments that meant one keypress could start attacker-controlled code with the user's privileges; in headless CI workflows, the same pattern could run without a prompt at all. Several vendors treated the behavior as a trust-model boundary rather than a conventional CVE.

Facepalm | by AI coding agents
Developers and CI runners using affected agentic coding CLIs exposed to repository-triggered MCP code execution after broad folder trust
Tags: AI Assistant, Security, Supply Chain

ClawHub skills quietly recruited AI agents into ClawSwarm

Apr 2026

On April 28, 2026, Manifold Security reported that 30 ClawHub skills from one publisher were causing OpenClaw agents to register with onlyflies.buzz, report capabilities, store credentials, check in every four hours, and in some cases generate Hedera wallets. No shady binary was required. The instructions were in SKILL.md files, which is inconvenient when your agent treats SKILL.md as a to-do list from heaven.

Facepalm | by Skill registry publisher
Around 9,800 downloads across 30 ClawHub skills, silent third-party agent registration, capability reporting, local credential storage, and possible wallet-key handoff
Tags: Supply Chain, Automation, Security, +1 more

Vercel breach traced to an AI Office Suite app granted broad Google Workspace access

Apr 2026

Vercel disclosed an April 2026 security incident that began with the compromise of Context.ai, a third-party AI tool used by a Vercel employee. Context said at least one Vercel employee had signed up for its deprecated AI Office Suite using a corporate Google Workspace account and granted broad "Allow All" OAuth permissions so AI agents could act across external applications. Attackers used a compromised token to access the employee's Google Workspace account, pivoted into Vercel systems, and exposed some customer environment variables. This belongs here because the failure was not merely "AI company got hacked." It was the oldest corporate security mistake in a fresh costume: give an agentic AI tool too much access, then act surprised when that access becomes the blast radius.

Catastrophic | by Employee
Unauthorized access to internal Vercel systems; a limited subset of customer non-sensitive environment variables compromised; affected customers told to rotate credentials; broader Context AI Office Suite users potentially impacted by stolen OAuth tokens.
Tags: AI Assistant, Automation, Security, +3 more

OX Security says MCP's STDIO transport enables systemic RCE; Anthropic calls it expected behavior

Apr 2026

OX Security published research in April 2026 arguing that Anthropic's Model Context Protocol, especially STDIO-based spawning of MCP servers, embeds a systemic command-execution pattern that ripples across SDKs and downstream tools. They claim 150M+ downloads, thousands of exposed servers, and up to 200K vulnerable instances, filed ten-plus CVEs across projects like LiteLLM, Windsurf, and GPT Researcher, and say Anthropic declined protocol-level changes, treating the behavior as by design. The Register and trade press amplified the dispute; defenders of MCP argue sanitization belongs in each integration.

Facepalm | by Protocol developer
AI agents, IDEs, and frameworks that spawn MCP servers from configuration; marketplace supply chain; credentials and chat histories on developer machines.
Tags: Security, Supply Chain, Prompt Injection

Prompt injection vulnerability in Cline AI assistant exploited to compromise 4,000 developer machines

Feb 2026

A prompt injection vulnerability in the Cline AI coding assistant was weaponized to steal npm publishing credentials, which an attacker then used to push a malicious Cline CLI version 2.3.0 that silently installed the OpenClaw AI agent platform on developer machines. The compromised package was live for approximately eight hours on February 17, 2026, accumulating roughly 4,000 downloads before maintainers deprecated it. A security researcher had disclosed the prompt injection flaw as a proof-of-concept; a separate attacker discovered it and turned it into a real supply chain attack.

Facepalm | by AI coding assistant
Approximately 4,000 developers who installed Cline CLI during the 8-hour window received unauthorized OpenClaw installations; root cause was an AI-specific prompt injection flaw in the coding assistant itself
Tags: Security, Supply Chain, Prompt Injection

Researcher hacked BBC reporter's computer via zero-click flaw in Orchids vibe coding platform

Feb 2026

Security researcher Etizaz Mohsin demonstrated a zero-click vulnerability in Orchids, a vibe coding platform with around one million users, that allowed him to gain full access to a BBC reporter's computer by targeting the reporter's project on the platform. Orchids lets AI agents autonomously generate and execute code directly on users' machines, and the vulnerability remained unfixed at the time of public disclosure.

Facepalm | by AI platform
Approximately one million Orchids users potentially exposed; vulnerability unfixed at time of reporting
Tags: Security, Supply Chain

OpenClaw AI agent publishes hit piece on matplotlib maintainer who rejected its PR

Feb 2026

An autonomous OpenClaw-based AI agent submitted a pull request to the matplotlib Python library. When maintainer Scott Shambaugh closed the PR, citing a requirement that contributions come from humans, the bot autonomously researched his background and published a blog post accusing him of "gatekeeping behavior" and "prejudice," attempting to shame him into accepting its changes. The bot later issued an apology acknowledging it had violated the project's Code of Conduct.

Facepalm | by AI agent
Matplotlib maintainer targeted with autonomous reputational attack; broader open source supply chain trust implications
Tags: Automation, Brand Damage, Supply Chain, +1 more

135,000+ OpenClaw AI agent instances exposed to the internet

Feb 2026

SecurityScorecard's STRIKE team discovered over 135,000 OpenClaw AI agent instances exposed to the public internet due to a default configuration that binds to all network interfaces. Approximately 50,000 instances were vulnerable to known RCE flaws (CVE-2026-25253, CVE-2026-25157, CVE-2026-24763), and over 53,000 were linked to previous breaches. Separately, Bitdefender found approximately 17% of skills in the OpenClaw marketplace were malicious, delivering credential-stealing malware.

Catastrophic | by Platform default configuration
135,000+ exposed OpenClaw instances; 50,000+ vulnerable to RCE; attackers gain access to credentials, filesystem, messaging platforms, and personal data
Tags: Security, Supply Chain, Automation, +1 more

17 percent of OpenClaw skills found delivering malware including AMOS Stealer

Feb 2026

Bitdefender Labs analyzed the OpenClaw skill marketplace and found that approximately 17 percent of skills exhibited malicious behavior in the first week of February 2026. Malicious skills impersonated legitimate cryptocurrency trading, wallet management, and social media automation tools, then executed hidden Base64-encoded commands to retrieve additional payloads. The campaign delivered AMOS Stealer targeting macOS systems and harvested credentials through infrastructure at known malicious IP addresses.

Catastrophic | by External attacker
All OpenClaw users installing skills from the marketplace exposed to credential theft and malware; crypto-focused skill categories particularly targeted; hundreds of malicious skills blending in among legitimate ones
Tags: Security, Supply Chain

Anthropic's own MCP reference server had prompt injection vulnerabilities enabling RCE

Jan 2026

Security researchers at Cyata disclosed three vulnerabilities in mcp-server-git, Anthropic's official reference implementation of the Model Context Protocol for Git. The flaws - a path traversal in git_init (CVE-2025-68143), an argument injection in git_diff/git_checkout (CVE-2025-68144), and a second path traversal bypassing the --repository flag (CVE-2025-68145) - could be chained together to achieve remote code execution entirely through prompt injection. An attacker who could influence what an AI assistant reads, such as a malicious README or a poisoned issue description, could trigger the full exploit chain without any direct access to the target system. Anthropic quietly patched the vulnerabilities. The git_init tool was removed from the package entirely.

Facepalm | by Protocol developer
RCE achievable via prompt injection against anyone running the reference MCP Git server; credential exfiltration possible; git_init tool removed from package.
Tags: Security, Prompt Injection, Supply Chain

Docker's AI assistant tricked into executing commands via image metadata

Sep 2025

Noma Labs discovered "DockerDash," a critical prompt injection vulnerability in Docker's Ask Gordon AI assistant. Malicious instructions embedded in Dockerfile LABEL fields could compromise Docker environments through a three-stage attack. Gordon AI interpreted unverified metadata as executable commands and forwarded them to the MCP Gateway without validation, enabling remote code execution on cloud/CLI and data exfiltration on Desktop.

Facepalm | by AI assistant platform
All Docker Desktop users on versions prior to 4.50.0; remote code execution on cloud/CLI and data exfiltration on desktop via malicious image metadata
Tags: Security, Prompt Injection, Supply Chain, +1 more

AI-generated npm pkg stole Solana wallets

Jul 2025

A malicious npm package called @kodane/patch-manager, apparently generated using Anthropic's Claude, posed as a legitimate Node.js utility while hiding a Solana wallet drainer in its post-install script. The package accumulated over 1,500 downloads before npm removed it on July 28, 2025, draining cryptocurrency funds from developers who installed it without realizing the payload ran automatically with no further user action required.

Catastrophic | by Developer
Supply-chain compromise of devs; user funds drained.
Tags: AI Content Generation, Security, Supply Chain

Supply-chain attack inserts machine-wiping prompt into Amazon Q AI coding assistant

Jul 2025

A rogue contributor injected a malicious prompt into the Amazon Q Developer VS Code extension, instructing the AI coding assistant to wipe local developer machines and AWS resources. AWS quietly yanked the release before widespread damage occurred. The incident illustrates a specific supply-chain risk for AI tools: once a poisoned extension is installed, the AI assistant itself becomes the delivery mechanism - executing destructive instructions with the developer's full trust and permissions.

Catastrophic | by Security/AI Product
VS Code update could have erased developer environments and AWS accounts before anyone noticed the tainted build.
Tags: AI Assistant, Prompt Injection, Security, +1 more

Vibe-coding platform Base44 shipped critical auth vulnerabilities in apps built on its SDK

Jul 2025

Wiz researchers discovered critical authentication vulnerabilities in Base44, an AI-powered vibe-coding platform that lets non-developers build and deploy web apps. The auth logic bugs in Base44's SDK allowed account takeover across every app built and hosted on the platform, affecting all users of those apps until patches were rolled out.

Facepalm | by Developer
Potential ATO across many sites until patches rolled out.
Tags: Security, Supply Chain

McDonald's AI hiring chatbot left open by '123456' default credentials

Jun 2025

Security researchers Ian Carroll and Sam Curry found that McHire, McDonald's AI hiring chatbot built by Paradox.ai, had its admin interface secured with the default username and password "123456." Combined with an insecure direct object reference in an internal API, the flaws exposed chat histories and personal data for up to 64 million job applicants. The vulnerable test account had been dormant since 2019 and never decommissioned. Paradox.ai patched the issues within hours of disclosure on June 30, 2025.

Facepalm | by Vendor/Developer
Up to 64M applicant records exposed; vendor patched; reputational risk.
Tags: Security, AI Assistant, Brand Damage, +2 more

Georgia Tech tracker confirms dozens of real-world CVEs introduced by AI-generated code - and says the true number is 5-10x higher

May 2025

Georgia Tech's Systems Software & Security Lab launched the Vibe Security Radar in May 2025 to do something no one else had systematically attempted: track real-world CVEs that were directly introduced by AI-generated code. By March 2026, the project had confirmed 74 vulnerabilities across approximately 50 AI coding tools by tracing each fix back to its original AI-authored commit. The trend is accelerating - 6 CVEs in January, 15 in February, 35 in March. Researcher Hanqing Zhao estimates the actual number of AI-linked vulnerabilities in the open-source ecosystem is five to ten times higher than what the radar detects, because many AI-assisted commits lack the metadata signatures needed to trace them back to their origin. The confirmed CVEs are a lower bound on a problem that is growing faster than anyone is measuring it.

Facepalm | by AI coding assistants
74 confirmed CVEs across 50+ AI coding tools; exponential month-over-month growth; estimated 5-10x undercount across the open-source ecosystem
Tags: Security, Automation, Supply Chain

AI hallucinated packages fuel "Slop Squatting" vulnerabilities

Mar 2024

Security researcher Bar Lanyado at Lasso Security discovered that AI code assistants consistently hallucinate nonexistent software package names when answering programming questions - and that nearly 30% of prompts produce at least one fake package recommendation. Attackers can register these hallucinated names on repositories like npm and PyPI, then wait for AI tools to direct developers to install them. The technique, dubbed "slopsquatting" by Python Software Foundation security developer Seth Michael Larson, was later confirmed at scale by academic researchers who found over 205,000 unique hallucinated package names across multiple models.

Catastrophic | by Malicious actors
Potential supply-chain compromise when vibe-coders install hallucinated, malicious dependencies.
Tags: AI Hallucination, Supply Chain, Security