April 1, 2026 | security

Security Alerts: 2026-04-02

March closed out with a brutal week for AI and agent security. Multiple critical CVEs hit AI frameworks, MCP protocol implementations got shredded by researchers, and supply chain attacks targeted both npm and PyPI with alarming precision.

---

OpenClaw shipped two critical CVEs in the same week. CVE-2026-25157 turns prompt-like inputs into arbitrary code execution inside the AI assistant runtime, essentially weaponizing the agent's own tool-use capabilities against it. CVE-2026-32920 is arguably worse: OpenClaw before 2026.3.12 auto-loads plugins from .OpenClaw/extensions/ without any trust verification, so dropping a malicious plugin into that directory gives full code execution. If you run OpenClaw, update immediately and audit your extensions folder.
Source: https://x.com/TheRabbitPy/status/2038710704069382183
Source: https://x.com/TheHackerWire/status/2038955738761216489

---

The Claude Code source leak turned into a live supply chain attack. When Anthropic accidentally shipped source maps in a release, internal npm module names leaked. Attackers immediately registered those exact package names on npm, not typosquats but precise name-squats of Anthropic-internal modules. Anyone who ran npm install in that window could have gotten RATs, backdoors, or data exfiltration code via node-gyp style native builds. This happened the same day as a separate sophisticated Axios npm compromise. As one researcher put it: npm had a very bad day.
Source: https://x.com/LilithDatura/status/2039118897685868954

---

Three MCP protocol vulnerabilities dropped in rapid succession. CVE-2026-33032 exposes Nginx UI's MCP endpoint to unauthenticated access when the IP whitelist is empty, letting anyone manipulate nginx configs. CVE-2026-33946 in the MCP Ruby SDK allows SSE stream hijacking through session ID replay, breaking session isolation. Security researchers also published a runtime validation report testing 6 high-profile MCP servers, confirming that static analysis findings translate into working exploits. The MCP ecosystem is under real pressure to harden its security model.
Source: https://x.com/0dayPublishing/status/2038679990011633937
Source: https://x.com/rubylandnews/status/2038652524127727711
Source: https://x.com/akaclandestine/status/2038659175941644530

---

Langflow's CVE-2026-33017 is now actively exploited in the wild. CISA issued a warning that this remote code execution vulnerability in the AI workflow framework allows unauthenticated code execution on any Langflow-based pipeline. Separately, LangChain and LangGraph disclosed three critical flaws exposing enterprise data including filesystem files, environment secrets, and conversation history across a combined 52 million downloads last week. If you use any Langflow/LangChain stack, treat this as urgent.
Source: https://x.com/TheRabbitPy/status/2038590173613617526
Source: https://x.com/chukwuemekaoa/status/2038704832790282370

---

Researchers found that 94.4% of AI agents are vulnerable to email-based compromise, and they argue it is an architectural problem not fixable by patches. A single malicious email is enough to compromise an AI agent and give the attacker full access to the user's data. The team published a playbook on semantic detection as a mitigation approach. Meanwhile, CVE-2026-25253 demonstrated that visiting a single malicious webpage is enough to hijack someone's agent through remote code execution. Agent security is not a theoretical concern anymore.
Source: https://x.com/straikerai/status/2038678144128094216
Source: https://x.com/thedatabunny/status/2038633039115231363

---

PyPI got hit with another supply chain attack using malicious packages (versions 4.87.1 and 4.87.2) that hid credential harvesters inside .WAV audio files. Microsoft also patched CVE-2026-26030 in Semantic Kernel's InMemoryVectorStore filter logic, a sign that AI tooling is now firmly part of the vulnerability landscape. And one sobering stat: March 2026 alone produced 35 new CVEs directly caused by AI-generated code, up from 6 in January. We are shipping vulnerabilities faster than we can find them.
Source: https://x.com/chukwuemekaoa/status/2038704832790282370
Source: https://x.com/TheRabbitPy/status/2038682228226416743
Source: https://x.com/ImNikhil117/status/2038665115365769475