Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ai-agent (6 articles)

AI agent runs an entire ransomware attack after breaking in through Langflow

Security firm Sysdig says it found what it believes is the first ransomware attack carried out from start to finish by an AI agent. The operator, which Sysdig calls JADEPUFFER, used a large language model to handle the whole job: breaking in, stealing credentials, moving through the network, then encrypting and wiping a company's production database. The way in was an old, already-patched flaw in Langflow, an open-source tool for building AI apps that is often left exposed online with cloud keys nearby. Once inside, the agent mapped the machine and swept it for secrets, including API keys for AI services and credentials for major cloud providers, before destroying data.

Check
Find any internet-exposed Langflow or similar AI application servers, confirm they are patched and off the internet, and check whether cloud or AI service credentials sit in environments those tools can read.
Affected
Organizations running exposed, unpatched Langflow servers, especially with cloud and AI service credentials nearby; attackers used the old flaw and an automated agent to steal secrets and ransom production databases.
Fix
Patch Langflow and never expose its code-running endpoints, keep secrets in a proper manager away from web-reachable tools, lock down outbound traffic and database admin access, and watch runtime behavior.

AutoJack turns AI browsing agents into a path to host code execution

Microsoft researchers detailed AutoJack, an attack that turns an AI browsing agent into a route for running code on the user's machine. If the agent is steered to open an attacker's web page, that page's JavaScript can reach a privileged local service on the same host and spawn a process, with no credentials and no further interaction once the page loads. A planted link, poisoned URL field, or prompt injection is enough to trigger it. The demonstrated flaw sits in AutoGen Studio, the prototyping interface for Microsoft's AutoGen agent framework. The lesson: once an agent browses the open web and can reach local services, localhost is no longer a trust boundary.

Check
Inventory AI agents and assistants that can both browse the web and reach local services, and check whether any expose privileged localhost endpoints, such as AutoGen Studio, without authentication.
Affected
Developers and teams running web-browsing AI agents that can reach unauthenticated local services on the same host; the public demonstration targets Microsoft's AutoGen Studio prototyping interface.
Fix
Authenticate local control-plane services rather than trusting localhost, keep agent process execution behind an allowlist, give agents their own least-privilege identity, and isolate agent runtimes from sensitive hosts and developer sessions.

Agentjacking hijacks AI coding agents via fake Sentry error reports

Researchers at Tenet Security have disclosed Agentjacking, a new attack that turns AI coding assistants like Claude Code, Cursor, and Codex into tools for running an attacker's code on a developer's machine. The trick abuses Sentry, a widely used error-tracking service: anyone can submit a fake error event using a project's DSN, a public write-only key embedded in website code, and the AI agent, fetching that event through Sentry's MCP integration, cannot tell the malicious instructions from real diagnostics and runs them with the developer's privileges. No phishing, malware, or server breach is needed, and it bypasses traditional controls because every step is technically authorized. Tenet found 2,388 exposed organizations.

Check
Inventory developers using AI coding agents connected to Sentry or other MCP integrations that surface external data, and check whether your Sentry DSNs are exposed in frontend code or repositories.
Affected
Development teams using MCP-connected AI coding agents (Claude Code, Cursor, Codex) alongside Sentry; any project whose public DSN lets attackers inject error events that the agent treats as trusted instructions.
Fix
Run AI coding agents with least privilege in sandboxes, require human approval before they execute commands, treat all MCP tool output as untrusted, and limit which integrations feed agents external data.
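The "Check" step above asks whether your Sentry DSNs sit in frontend code or repositories. The scanner below is an added example for that inventory, not Tenet Security's tooling or Sentry's own code. It relies only on the documented DSN layout (scheme://public_key[:secret_key]@host[:port][/path]/project_id, with 32-hex-character keys) and runs over a few constructed sample files; the hostnames, keys and project IDs in the samples are placeholders. It flags the legacy DSN form with an embedded secret key separately, since that is worse than a public write-only DSN, and it can redact key material before a finding is written to a report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sentry DSN layout (from Sentry's documentation):
#   {scheme}://{public_key}[:{secret_key}]@{host}[:{port}][/{path}]/{project_id}
# Keys are 32 lowercase hex characters; the "public:secret" form is the legacy DSN.
DSN_RE = re.compile(
    r"(?P<scheme>https?)://"
    r"(?P<public>[0-9a-f]{32})"
    r"(?::(?P<secret>[0-9a-f]{32}))?"
    r"@(?P<host>[A-Za-z0-9.-]+(?::\d+)?)"
    r"(?P<path>(?:/[A-Za-z0-9_.-]+)*)"
    r"/(?P<project>\d+)\b"
)


@dataclass
class DsnFinding:
    file: str
    line_no: int
    host: str
    project: str
    has_secret: bool  # legacy DSN carrying the secret key: worse than a public write-only DSN


def find_dsns(filename: str, text: str) -> list[DsnFinding]:
    """Return one finding per DSN-shaped string in `text`, with its line number."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in DSN_RE.finditer(line):
            findings.append(
                DsnFinding(filename, n, m["host"], m["project"], m["secret"] is not None)
            )
    return findings


def scan_files(files: dict[str, str]) -> list[DsnFinding]:
    """Scan a {filename: content} mapping, e.g. a built frontend bundle or a repo checkout."""
    out = []
    for name, content in files.items():
        out.extend(find_dsns(name, content))
    return out


def redact_dsns(text: str) -> str:
    """Strip the key material so a finding can be logged or ticketed without re-leaking it."""
    return DSN_RE.sub(
        lambda m: f"{m['scheme']}://<redacted>@{m['host']}{m['path']}/{m['project']}", text
    )


# Constructed sample files: placeholder keys, hosts and project IDs, not real projects.
SAMPLE_FILES = {
    "dist/app.js": (
        "Sentry.init({\n"
        '  dsn: "https://0123456789abcdef0123456789abcdef@o000000.ingest.sentry.io/1234567",\n'
        "});\n"
        'fetch("https://github.com/example/repo");  // not a DSN: no key@host\n'
    ),
    "legacy/config.py": (
        "# legacy DSN with the secret key embedded (self-hosted Sentry on a custom port)\n"
        'SENTRY_DSN = "http://0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210'
        '@sentry.example.internal:9000/api/42"\n'
    ),
    "README.md": "Contact ops@example.com for access.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        kind = "LEGACY DSN (secret key)" if f.has_secret else "public DSN"
        print(f"{f.file}:{f.line_no}: {kind} for project {f.project} on {f.host}")
```

A public DSN is meant to be embeddable, so a hit is not a leak in itself; the point of the inventory is to know which projects accept events from anyone, and therefore which MCP-fed agents must treat those events as untrusted.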

LangGraph flaw chain exposes self-hosted AI agents to code execution

Check Point has disclosed three now-patched flaws in LangGraph, the popular LangChain framework for building AI agents, that can be chained for remote code execution on self-hosted servers. The chain combines an SQL injection (CVE-2025-67644) with an unsafe msgpack deserialization bug (CVE-2026-28277): an attacker who can reach the agent's stored-state endpoint plants a malicious checkpoint that runs code when loaded. A compromised LangGraph server exposes everything the agent can touch, including model API keys, customer data, and internal network access. It is only exploitable in self-hosted deployments using the SQLite or Redis checkpointer; LangChain's managed LangSmith platform is not affected.

Check
Identify self-hosted LangGraph deployments using the SQLite or Redis checkpointer, check whether the get_state_history endpoint is exposed without authentication, and confirm the framework version against the patched releases.
Affected
Self-hosted LangGraph servers using the SQLite or Redis checkpointer with user-controlled filter input (CVE-2025-67644, CVE-2026-28277, CVE-2026-27022). Managed LangSmith deployments are not affected.
Fix
Upgrade LangGraph to the patched versions, require authentication on self-hosted servers, avoid long-lived static secrets, segment the network, and treat AI agents as privileged identities with least-privilege access.

OpenClaw 'Claw Chain': four sandbox-escape and priv-esc flaws on ~180K public AI agent instances (patched 2026.4.22)

Researchers at Cyera have disclosed a chain of four vulnerabilities in OpenClaw, an open-source autonomous AI agent platform that Nvidia and Tencent have built enterprise products on top of. The chain - CVE-2026-44112 (CVSS 9.6), CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118 - lets an attacker who can influence the agent's input (through a malicious plugin, prompt injection, or compromised tool output) break out of the OpenShell sandbox, read environment-stored API keys, elevate to owner-level privileges, and write persistent backdoors. Each step looks like normal agent behavior. Shodan and Zoomeye between them counted 65,000 to 180,000 public OpenClaw instances earlier in May. All flaws are fixed in OpenClaw 2026.4.22.

Check
Inventory OpenClaw, NemoClaw, and ClawPro deployments. Check installed version via --version or /api/version. Search agent logs for unexpected symlink creation or env-var reads inside heredocs.
Affected
All OpenClaw releases prior to version 2026.4.22 (April 23, 2026). Nvidia NemoClaw and Tencent ClawPro builds derived from older OpenClaw cores inherit the same flaws unless rebased.
Fix
Update to OpenClaw 2026.4.22 or later. Until then, scope the OpenShell sandbox to a read-only filesystem, strip secrets from the agent's environment, and route egress through a logging proxy.

Docker Engine authorization bypass lets attackers escape containers and access host credentials (CVE-2026-34040)

A high-severity Docker Engine flaw allows attackers to bypass authorization plugins with a single oversized HTTP request. CVE-2026-34040 (CVSS 8.8) stems from an incomplete fix for CVE-2024-41110 from July 2024 - the original patch missed requests over 1MB, which get forwarded to the Docker daemon without their body, so the AuthZ plugin sees nothing to block while the daemon processes the full malicious payload. The result: a privileged container with root access to the host filesystem, exposing AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. Critically, Cyera researchers demonstrated that AI coding agents running inside Docker sandboxes can be tricked via prompt injection into crafting the bypass request themselves - no human attacker needed.

Check
Check whether you use Docker with authorization plugins (OPA, Prisma Cloud, or custom AuthZ policies). If you don't use AuthZ plugins, you're not affected by this specific flaw.
Affected
Docker Engine versions prior to 29.3.1 when running with AuthZ plugins enabled. The underlying flaw has existed since Docker Engine 1.10. Environments running AI agents or developer tools inside Docker containers are at elevated risk.
Fix
Update Docker Engine to version 29.3.1. If you can't patch immediately: avoid AuthZ plugins that rely on request body inspection, restrict Docker API access to trusted parties only, or run Docker in rootless mode so that even a privileged container maps to an unprivileged host UID. For AI agent sandboxes, apply the --userns-remap setting to limit blast radius.
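The "Check" above reduces to two facts about a host: is an AuthZ plugin configured, and is the engine older than 29.3.1. The script below is an added example that turns that into a repeatable check; it is not Cyera's or Docker's code. It reads plugins from the "authorization-plugins" key of /etc/docker/daemon.json and the engine version from `docker version --format '{{.Server.Version}}'`, both of which are standard Docker configuration surfaces, and it also reports whether "userns-remap" (the fallback the advisory suggests for agent sandboxes) is set. Plugins passed to dockerd on its command line rather than in daemon.json are not visible to this check; `docker info` lists the active ones under "Plugins: Authorization". The sample plugin name and version used when no daemon is reachable are constructed.

```python
from __future__ import annotations

import json
import re
import subprocess

# Fixed release named in the advisory for CVE-2026-34040.
FIXED_VERSION = (29, 3, 1)


def parse_version(version: str) -> tuple[int, int, int]:
    """'29.3.1', '29.3.1-rc2' or '24.0.7+dfsg1' -> (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Docker Engine version: {version!r}")
    return tuple(int(x) for x in m.groups())


def load_daemon_config(daemon_json_text: str) -> dict:
    """Parse daemon.json content; an absent or empty file means engine defaults."""
    return json.loads(daemon_json_text) if daemon_json_text.strip() else {}


def assess(version: str, daemon_json_text: str) -> dict:
    """Combine engine version and daemon.json into a single exposure verdict."""
    cfg = load_daemon_config(daemon_json_text)
    ver = parse_version(version)
    plugins = list(cfg.get("authorization-plugins", []))
    return {
        "version": ver,
        "authz_plugins": plugins,
        "patched": ver >= FIXED_VERSION,
        # User-namespace remapping: the advisory's blast-radius fallback for agent sandboxes.
        "userns_remap": bool(cfg.get("userns-remap")),
        # Exposed only when an AuthZ plugin is in use AND the engine predates the fix.
        "exposed": bool(plugins) and ver < FIXED_VERSION,
    }


def live_inputs() -> tuple[str, str]:
    """Read the running engine's version and daemon.json from this host."""
    version = subprocess.run(
        ["docker", "version", "--format", "{{.Server.Version}}"],
        capture_output=True, text=True, check=True,
    ).stdout
    try:
        with open("/etc/docker/daemon.json") as fh:
            daemon_json = fh.read()
    except FileNotFoundError:
        daemon_json = ""
    return version, daemon_json


if __name__ == "__main__":
    try:
        version, daemon_json = live_inputs()
    except (OSError, subprocess.CalledProcessError):
        # No reachable daemon here: fall back to a constructed sample configuration.
        version = "29.2.0"
        daemon_json = '{"authorization-plugins": ["opa-docker-authz"]}'
    verdict = assess(version, daemon_json)
    print(verdict)
    if verdict["exposed"]:
        print("ACTION: upgrade to Docker Engine 29.3.1 or restrict API access until you can")
```

Run it on every host that fronts the Docker API for developer tooling or AI agent sandboxes; a host with no AuthZ plugin is out of scope for this flaw even on an old engine, which is exactly the distinction the "Check" line draws.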