AI agents open attack vectors
- Security reporting shows AI agents with careless permissions can give attackers full control of many systems.
- TechRadar cites an example where attackers could gain full control of about 28,000 systems through insecure agents.
- Microsoft is exploring temporary identities to limit agent privileges and stop autonomous tools from going rogue. (techradar.com; thenewstack.io)
An AI agent is software that can click, type, run commands, and use online accounts for you. Security researchers say that same access can let attackers seize the agent and, in some cases, the systems around it. (mitre.org)

The clearest recent example involves OpenClaw, a self-hosted browser automation agent that stores credentials and controls web sessions through a local dashboard. Hunt.io said on February 3 it found more than 17,500 exposed OpenClaw, Clawdbot, and Moltbot instances vulnerable to CVE-2026-25253. (hunt.io) Oasis Security reported a second attack path on March 2: a malicious website could open a WebSocket connection to an OpenClaw gateway on localhost, brute-force passwords, and take over the agent without a browser extension or user interaction. The OpenClaw team shipped a fix within 24 hours and said users should update to version 2026.2.25 or later. (securityweek.com; oasis.security)

The risk is larger than one bug. MITRE said OpenClaw-style systems are unusual because they can make decisions and take actions across operational systems without continuous human oversight. (mitre.org) That changes the blast radius of a compromise. A stolen chatbot session can leak text, but a stolen agent can send messages, run tools, export tokens, and move through calendars, developer platforms, and cloud consoles if it has those permissions. (oasis.security; hunt.io)

Microsoft is now describing a different security model for these systems. At KubeCon Europe 2026 in Amsterdam, Azure Kubernetes Service product lead Jorge Palma said the company wants agents to have identities that are “very, very scoped down” and only temporary permissions for approved tasks. (thenewstack.io) Microsoft also published an open-source Agent Governance Toolkit on April 2. The company said it is meant to enforce runtime policies for autonomous agents and map to all 10 risks in the 2026 Open Worldwide Application Security Project Top 10 for Agentic Applications. (opensource.microsoft.com; github.com)

The basic idea is familiar from older security systems: do not let software keep broad access longer than needed, and inspect each action before it runs. Microsoft compares one part of the toolkit to a kernel for AI agents, intercepting actions before execution. (opensource.microsoft.com)

The industry is moving fast enough that governance is arriving after deployment. Microsoft said frameworks such as LangChain, AutoGen, CrewAI, Microsoft Agent Framework, and Foundry Agent Service made it easy to build agents before equivalent controls were widely in place. (opensource.microsoft.com)

For companies testing agents now, the immediate lesson is narrower than the hype cycle: treat an agent like a privileged employee account, not a chat window. The more tools and credentials it can reach, the more damage an attacker can automate after one mistake. (mitre.org; thenewstack.io)
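To make the two ideas in the governance model concrete (task-scoped grants that expire, and a gate that inspects every tool call before it runs), here is an added illustration in Python. It is not code from Microsoft's toolkit or from OpenClaw; the `Gate`, `Grant` and scope names are hypothetical.

```python
"""Pre-execution gate for an AI agent's tool calls (illustrative, hypothetical API).

Every tool the agent wants to use goes through Gate.authorize() first. A call
is allowed only while a grant exists whose scope pattern matches the tool and
whose expiry has not passed, so privileges die with the task that needed them.
Every decision is appended to an audit log for later review.
"""
from dataclasses import dataclass, field
import fnmatch
import time


@dataclass(frozen=True)
class Grant:
    """A temporary, task-scoped permission: scope patterns plus a deadline."""
    task: str
    scopes: tuple          # e.g. ("calendar:read", "repo:read")
    expires_at: float      # epoch seconds


@dataclass
class Gate:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def issue(self, task, scopes, ttl_seconds, now=None):
        """Hand out a narrow grant that lives only as long as the task needs."""
        if any(s.strip() == "*" for s in scopes):
            raise ValueError("refusing an unscoped '*' grant")
        now = time.time() if now is None else now
        grant = Grant(task, tuple(scopes), now + ttl_seconds)
        self.grants.append(grant)
        return grant

    def authorize(self, tool, now=None):
        """Decide before execution and record the outcome."""
        now = time.time() if now is None else now
        # Expired grants are dropped so access cannot outlive its task.
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in self.grants:
            if any(fnmatch.fnmatch(tool, pattern) for pattern in g.scopes):
                self.audit.append(("allow", tool, g.task))
                return True
        self.audit.append(("deny", tool, None))
        return False

    def call(self, tool, fn, *args, now=None):
        """Run fn only when the tool is authorized; otherwise refuse loudly."""
        if not self.authorize(tool, now=now):
            raise PermissionError(f"{tool} is not covered by any live grant")
        return fn(*args)
```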