Agentic AI is growing at breakneck speed, and vulnerabilities are keeping pace
Agentic AI came to change the game, and it showed up way too fast.
While traditional AI sits around waiting for you to type something before it reacts, next-gen autonomous agents operate on a whole different level: they make decisions, pursue goals, and only loop in a human when they truly need to.
Sounds amazing, and it is.
But all that autonomy comes at a price the industry is still learning to pay.
According to Deloitte, roughly 25% of organizations are already exploring or testing autonomous AI agents. That represents a real shift in how companies approach intelligent automation, moving away from the traditional prompt-based generative AI model toward systems that act on their own. The problem is that rapid adoption brought equally rapid growth in vulnerabilities across these systems, and the security ecosystem still is not ready to deal with this new reality. 🚨
In 2026 alone, approximately 15,000 security flaws have already been publicly disclosed through the Common Vulnerabilities and Exposures (CVE) system. Of those, dozens directly impact AI systems or AI-generated code. Weaponization and exploitation of artificial intelligence systems became especially visible in late 2025, and the trend has only accelerated since. The OpenClaw case became the most emblematic example of how popularity and risk can walk hand in hand when nobody is paying attention to the details.
What makes Agentic AI different — and riskier
The difference between a regular chatbot and an autonomous AI agent goes way beyond the interface. While traditional models respond to isolated prompts and depend on a human to chain actions together, Agentic AI was built to act continuously, coordinate complex tasks, access external tools, execute code, navigate systems, and make decisions without human approval at every step.
These agents combine interface control panels, messaging integrations, browser automation, SSH tools, container execution, file system access, and an LLM orchestrating all of it. In other words, they touch practically every layer of a system. A leaked token or a spoofed package can quickly escalate to a full operator-level compromise.
This changes everything when it comes to cybersecurity, because the attack surface is no longer a fixed point — it becomes a constantly moving target. The broad permissions these agents hold make them extremely attractive targets for attackers.
Receive the best innovation content in your email.
All the news, tips, trends, and resources you're looking for, delivered to your inbox.
By subscribing to the newsletter, you agree to receive communications from Método Viral. We are committed to always protecting and respecting your privacy.
When an autonomous agent has permission to access APIs, databases, files, and even other agents within an automation chain, any flaw in a single link can compromise the entire system. And the worst part: many times that flaw does not trigger any immediate alert, because the agent’s behavior, from a surface-level perspective, still looks normal. That is exactly where the most sophisticated attacks manage to operate without raising suspicion for hours, sometimes entire days.
The trust model that underpins traditional systems simply was not designed for this scenario. Classic security frameworks assume there is a human reviewing and approving every critical action. With autonomous agents, that assumption falls apart. Organizations adopting Agentic AI in production environments without revisiting their governance and access control models are essentially handing over the keys to the castle to a system that nobody knows exactly how it will behave when faced with a well-crafted malicious input.
OpenClaw: the case that set off alarm bells
OpenClaw, previously known as ClawdBot or MoltBot, is a self-hosted autonomous AI agent capable of browsing the web, managing files, reading, writing, and executing code locally. It runs directly on the user’s machine and can chain multiple skills to complete complex tasks. Being open source, it is highly customizable and accessible to anyone.
OpenClaw did not just gain traction — it flat-out exploded. Within weeks of launch, it became the most-starred repository on GitHub, attracting a massive developer community and immediate attention from security researchers.
But along with that popularity came scrutiny. Many users do not fully understand the security and privacy implications of running a system with that level of autonomy and access on their own machine. Security researchers warned that OpenClaw presents a lethal triad of risks:
- Deep access to local private data — the agent can read files, access stored credentials, and interact with operating system resources in ways most users do not even realize
- Interaction with untrusted external content — by browsing the web and processing third-party data, the agent is exposed to malicious inputs that can subvert its behavior
- Ability to communicate externally — the agent can send data outside the machine, which turns any internal compromise into a potential full-blown data leak
It is no surprise, then, that OpenClaw has already published more than 255 GitHub Security Advisories. Many of the flaws are tied to command execution, API keys, and credentials stored in plain text, which can be stolen by malicious actors through indirect prompt injection, malicious skills, or insecure endpoints.
Indirect prompt injection: the ClawJacked case
OpenClaw is vulnerable to indirect prompt injection attacks, where attackers hide malicious instructions inside data the agent is expected to process. If the agent interprets those hidden instructions as legitimate, it can leak data or perform sensitive actions without the user even noticing.
This technique is precisely what made ClawJacked possible — a vulnerability that allowed malicious websites to perform brute-force attacks and hijack locally running OpenClaw instances. Researchers at Oasis Security discovered the flaw, which enabled attackers to silently exfiltrate data by abusing the agent’s native autonomy. OpenClaw patched the issue in version 2026.2.26, released on February 26.
This type of attack is particularly dangerous because it does not depend on any explicit user action. Simply visiting a compromised page is enough for the local agent to be exploited. It is the kind of scenario that dismantles any argument like I am careful about the links I click. Here, user caution is not enough because the attack vector exploits the agent’s own logic, not human carelessness.
ClawHub and the ClawHavoc malware campaign
The security challenges go well beyond vulnerabilities in the core platform. ClawHub, a community repository for sharing OpenClaw skills, was exploited to distribute malicious packages disguised as trading bots, utilities, or development tools. Once installed, these skills can deploy info-stealing malware directly on the user’s machine.
In early 2026, investigators uncovered ClawHavoc, a large-scale malware campaign targeting the software supply chain of OpenClaw users. Attackers uploaded more than 1,100 malicious skills to ClawHub, many posing as productivity, crypto, or programming tools. An attacker identified as hightower6eu uploaded dozens of nearly identical malicious skills. Several of them became some of the most downloaded packages on the platform.
This attack made it clear that the OpenClaw skills ecosystem has turned into a target-rich environment for malicious actors. The open, community-driven model — which is one of the tool’s biggest draws — is also what makes it most exposed to this kind of abuse when robust package verification and curation mechanisms are not in place.
The vulnerability tracking system is falling behind
Agentic AI is growing fast, and the volume of vulnerabilities is outpacing the capacity of traditional tracking systems. The pace of OpenClaw-related disclosures is faster than the CVE assignment process can keep up with, leaving many vulnerabilities without formal CVE identifiers.
This is much more than an administrative problem. Most patch management tools, compliance frameworks, and enterprise security systems rely heavily on CVE IDs to identify risks and track remediation. When vulnerabilities do not receive CVEs, they can simply fail to appear in dashboards, scanners, or automated reports. In practice, this makes them invisible to many organizations.
The vulnerability disclosure landscape is starting to show its limits, and Agentic AI systems like OpenClaw are exposing just how unprepared we are for this emerging class of security problems. The traditional CVE tracking system was built for well-defined, discrete software flaws — not for autonomous systems capable of taking actions, browsing external content, and chaining tools to complete tasks.
As a result, many significant AI security flaws surface first as independent research writeups, vendor advisories, or weird behavioral inconsistencies — not as neatly labeled and cataloged vulnerabilities.
Why the security ecosystem is still playing catch-up
One of the reasons cases like OpenClaw manage to escalate before being contained is structural: the cybersecurity tools available on the market were designed to identify known attack patterns in systems with predictable behavior. Autonomous AI agents, by definition, have adaptive behavior. They take different paths depending on context, and that makes it extremely difficult to distinguish a legitimate action from a compromised one just by looking at execution logs. Security teams need new approaches, and most companies have not implemented those approaches yet.
On top of that, the pace of vulnerability disclosures in 2026 makes it clear that the problem is not isolated. With roughly 15,000 CVEs disclosed this year alone, and a growing share of them related to systems involving generative AI or code produced by language models, it is obvious that the security field is chasing a reality that has already slipped out of control in several areas. Every new agent tool that hits the market without going through a rigorous security review process adds another layer of risk to an environment that was already overloaded.
The path forward involves a mindset shift that goes beyond simply adding more scanners or more firewall rules. Organizations that are serious about adopting Agentic AI need to bake security practices into the agent design from the start — defining minimum permission scopes, implementing rigorous instruction validation at every stage of the pipeline, and establishing monitoring mechanisms that can detect behavioral deviations in real time. This is not optional; it is the bare minimum for operating responsibly in this new landscape.
What changes in practice for anyone using or building agents
For anyone developing or integrating solutions based on Agentic AI, the OpenClaw case works as a map of what not to do. The first lesson is clear: popularity is not a synonym for security. A tool with thousands of stars on GitHub may have been reviewed by plenty of people in terms of functionality and practicality, but that does not guarantee anyone looked at it through the eyes of someone trying to find a gap to exploit. Independent security audits, code reviews focused on AI-specific attack vectors, and red team testing aimed at prompt injection are steps that need to be part of the process before anything goes to production.
The second lesson is about the principle of least privilege applied to autonomous agents. An agent that needs to read log files does not need permission to write to databases. An agent that manages communications does not need access to the payment system. It sounds obvious, but the rush to ship causes many teams to grant broad permissions right out of the gate to simplify initial setup — and then never revisit that decision. This design mistake is exactly what turns a low-impact vulnerability into a critical exploitation vector.
The third lesson is about visibility. Autonomous agents need detailed audit trails that record not just what they did, but why they did it — meaning which instruction triggered which action, in which context, and with which parameters. Without that level of traceability, investigating a security incident in an Agentic AI system is like trying to reconstruct an entire conversation from a single sentence. It is nearly impossible to understand what happened, let alone ensure it will not happen again. 🔍
Treating AI vulnerabilities as system-level risks
In the short term, organizations need to start treating Agentic AI weaknesses as system-level risks — not just as missing entries in the CVE database. That means expanding monitoring beyond traditional CVE feeds, strengthening architectural controls like permission scoping and action auditing, and recognizing that exploitation can happen before any formal disclosure is ever published.
Until industry standards evolve to adequately account for AI-driven systems, resilience will depend on three fundamental pillars:
- Early signal detection — monitoring independent research, vendor advisories, and security communities to identify risks before they enter formal channels
- Rapid containment — having playbooks ready to isolate compromised agents without shutting down the entire operation
- Acknowledgment that AI vulnerabilities are not a future problem — they are already present in production environments, and attackers are not waiting for the rest of the ecosystem to catch up
The reality is that we are diving headfirst into a new class of security problems, and the current infrastructure simply was not built for this. The traditional CVE assignment and enrichment process is working to adapt, but organizations cannot afford to wait for formal updates before taking action.
The Agentic AI landscape in 2026 sends a pretty straightforward message: the speed of AI innovation has outpaced the speed of security. And closing that gap is not the responsibility of a single vendor, framework, or regulatory body. It is a collective effort that demands constant attention, rapid adaptation, and above all, honesty about the size of the challenge ahead. 🛡️
