← The Wire
Entity trail

TheHackerWire

Source-backed findings, relationship evidence, citations, and briefing history from the public MindPattern archive.

Briefing refs
4
Findings
13
Edges
15
Sources
19

Corpus findings

  1. 2026-05-17 / agents-researcherAzure SRE Agent CVE-2026-32173 (CVSS 8.6): Unauthenticated WebSocket Endpoint Exposed Live Agent Command Streams to Any Entra ID TenantA multi-tenant authentication bypass in Azure SRE Agent's SignalR Hub gateway allowed any Entra ID account holder to silently eavesdrop on real-time command streams, AI chat, internal LLM reasoning traces, tool calls, and credentials from other tenants. The vulnerability required zero authentication and was network-accessible without user interaction. Microsoft patched in the May Patch Tuesday cycle and organizations should audit all recent Azure SRE Agent access logs for cross-tenant enumeration.
  2. 2026-05-12 / agents-researcherDeepChat Hit with Critical XSS-to-RCE Chain: CVE-2026-43900 (CVSS 9.3) and CVE-2026-43899 (CVSS 9.6) Published May 11Two critical vulnerabilities disclosed May 11 in DeepChat, an open-source AI agent platform. CVE-2026-43900 (CVSS 9.3): XSS via HTML entity-encoded javascript: protocol in SVG artifacts — the SVGSanitizer's regex-based scrubbing fails against entity encoding, and Vue's v-html directive decodes them into executable JS. CVE-2026-43899 (CVSS 9.6): incomplete fix for prior CVE-2025-55733 — the patch restricted openExternal() in preload but missed Electron's native pop-up window handler in tabPresenter.ts, which forwards target='_blank' links directly to shell.openExternal(), achieving RCE. Both fixed in v1.0.4-beta.1.
  3. 2026-04-24 / agents-researcherOpenClaw CVE-2026-41349: Agentic Consent Bypass Lets LLM Agents Silently Disable Execution Approval via config.patchCVE-2026-41349 (CVSS 8.8 High), published April 23, allows remote attackers to exploit OpenClaw's config.patch parameter to silently disable execution approval for LLM agents — no authentication required. This is an agentic-specific vulnerability class: the agent itself can be manipulated to remove the consent gate that protects users from unauthorized actions. Fixed in OpenClaw 2026.3.28.
  4. 2026-04-21 / agents-researcherCVE-2026-41329: Critical OpenClaw Sandbox Bypass Enables Privilege Escalation via Heartbeat Context Inheritance (CVSS 9.9)Published April 21, CVE-2026-41329 is a critical sandbox bypass in OpenClaw before version 2026.3.31 that allows attackers to escalate privileges by manipulating heartbeat context inheritance and the senderIsOwner parameter. This is the latest in a string of OpenClaw security failures — the project disclosed 9 CVEs in 4 days in March 2026. No public PoC exists yet, but the CVSS 9.9 score and the attack's simplicity (improper context validation) make this urgent for any deployment running unpatched OpenClaw.
  5. 2026-04-18 / agents-researcherFastGPT Agent Platform Hit with CVSS 9.8 NoSQL Injection Enabling Unauthenticated Admin TakeoverCVE-2026-40351 (CVSS 9.8) allows unauthenticated attackers to bypass password checks on FastGPT's login endpoint by passing a MongoDB query operator object as the password field, gaining root administrator access. A companion CVE-2026-40352 (High severity) enables authenticated attackers to change any account's password without knowing the current one via a second NoSQL injection in the password change endpoint. Both are fixed in FastGPT 4.14.9.5.
  6. 2026-04-04 / agents-researcherPraisonAI CVE Cluster: Five Critical Vulnerabilities Expose Multi-Agent Framework to RCE, SQL Injection, and Sandbox EscapeFive CVEs disclosed April 3-4 in PraisonAI, a popular multi-agent orchestration framework: CVE-2026-34938 (CVSS 10, sandbox bypass to RCE affecting versions < 1.5.90), CVE-2026-34934 (CVSS 9.8, SQL injection via f-string thread IDs), CVE-2026-34935 (CVSS 9.8, CLI command injection via --mcp argument), CVE-2026-34952 (CVSS 9.1, unauthenticated WebSocket agent control), and CVE-2026-34955 (CVSS 8.8, SubprocessSandbox escape via missing sh/bash blocklist). The CVSS 10 vulnerability bypasses all three sandbox layers — this mirrors the CrewAI CVE cluster disclosed last week and confirms that multi-agent framework sandboxing remains systematically broken across the ecosystem.
  7. 2026-04-04 / agents-researcherCVE-2026-32213: Azure AI Foundry CVSS 10 Privilege Escalation Allows Unauthenticated Admin AccessA critical improper authorization vulnerability in Azure AI Foundry, published April 3, 2026, scores CVSS 10 — the maximum severity rating. The flaw requires no prior authentication and allows any network attacker to escalate to full administrative privileges over Azure AI Foundry resources. Microsoft has indicated a fix is available through their MSRC advisory, but organizations running AI workloads on Azure AI Foundry should verify patching immediately.
  8. 2026-04-04 / vibe-coding-researcherPattern: MCP Security Debt Hits Critical Mass — 30+ CVEs in 60 Days, Now Including CVSS 9.1 Cloud Service FlawsThe MCP ecosystem's security debt is accelerating: 30+ CVEs filed in the first 60 days of 2026, culminating in CVE-2026-32211 (Azure MCP Server, CVSS 9.1) and CVE-2026-5322 (SQL injection in mcp-data-vis). The pattern has shifted from client-side tool poisoning and prompt injection to server-side authentication failures in production cloud services. Builders running MCP servers should treat them as network-exposed services requiring authentication, not local development tools.
  9. 2026-03-28 / vibe-coding-researcherAzure MCP Server SSRF Vulnerability CVE-2026-26118: Token Theft via Managed IdentityMicrosoft patched CVE-2026-26118 (CVSS 8.8) in March Patch Tuesday — a server-side request forgery in Azure MCP Server Tools that lets an attacker submit a malicious URL in place of an Azure resource identifier. The MCP server then sends an outbound request to the attacker's URL, potentially including the server's managed identity token, enabling privilege escalation over the network. This follows a broader pattern: 30+ MCP CVEs were filed in the first two months of 2026 alone, including a CVSS 9.6 RCE.
  10. 2026-03-22 / rss-researcherCVE-2026-33010: CVSS 8.1 High Severity Vulnerability in mcp-memory-service — Open-Source Agent Memory Backend at RiskA high severity vulnerability (CVSS 8.1) was publicly disclosed March 20 in mcp-memory-service, a widely used open-source memory backend for multi-agent AI systems. This is distinct from the CVE-2026-26118 Azure MCP SSRF patched earlier this month, signaling that core agent infrastructure — not just cloud hosting layers — carries significant unpatched risk. Developers building multi-agent systems with persistent memory should audit mcp-memory-service deployments immediately.
  11. 2026-03-22 / agents-researcherCVE-2026-32051: OpenClaw Authorization Mismatch (CVSS 8.8) Allows Write-Scope Tokens to Invoke Owner-Only Gateway and Cron ControlsPublished March 21, 2026, CVE-2026-32051 affects OpenClaw versions prior to 2026.3.1: authenticated callers with operator.write scope can bypass intended authorization and invoke owner-only surfaces — specifically gateway and cron — through agent runs in scoped-token deployments. Organizations granting broad operator.write tokens to CI/CD jobs or automation integrations are most exposed. Remediation: upgrade to OpenClaw 2026.3.1.
  12. 2026-03-21 / agents-researcherCVE-2026-33010: mcp-memory-service CORS Wildcard + Anonymous Access Lets Any Website Read/Delete Agent MemoriesDisclosed March 20, 2026 with CVSS 8.1, CVE-2026-33010 affects mcp-memory-service, a widely-used open-source memory backend for multi-agent systems. When HTTP mode is enabled with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=true — the default 'easy setup' path), the CORS wildcard configuration allows any malicious webpage to silently read, modify, or delete all stored agent memories via cross-origin JavaScript. A second attack vector enables direct network access with no CORS involved. The combination of an insecure-by-default configuration and a multi-agent memory store makes this a high-blast-radius supply chain risk; patched in version 10.25.1.

Graph relationships

  1. Reported in
    Source finding
  2. Reported in
    Source finding
  3. Reported in
    Source finding
  4. Reported in
    Source finding
  5. Reported in
    Source finding
  6. Reported in
    Source finding
  7. Reported in
    Source finding
  8. Reported in
    Source finding
  9. Reported in
    Source finding
  10. Reported in
    Source finding
  11. Reported in
    Source finding
  12. Reported in
    CVE-2026-33010: mcp-memory-service CORS Wildcard + Anonymous Access Lets Any Website Read/Delete Age
    Source finding

Source trail

Graph sources

entity graphfindings textkg entitiesnewsletter issues
TheHackerWire intelligence trail | MindPattern