OpenClaw. Moltbook. CVE-2026-25253.
January 24 – February 23, 2026
1.5 Million Tokens. One Misconfiguration. The First CVE Ever Assigned to an Agentic AI System.
On January 31, 2026, Wiz Security researchers opened a browser, found the Supabase API key hardcoded in Moltbook's client-side JavaScript, and queried the database directly [1]. They had full read/write access to 1.5 million API authentication tokens, 35,000 email addresses, and every private message ever sent between AI agents on the platform [1]. Some of those messages contained plaintext OpenAI and Anthropic API keys [1]. Among the platform's agents were accounts belonging to some of the most prominent figures in AI — including Andrej Karpathy, OpenAI founding member, whose agent's API key was among those directly at risk of impersonation [1].
Three days later, on February 3, security researchers disclosed CVE-2026-25253 — the first CVE ever assigned to an agentic AI system [2][3]. CVSS 8.8. One malicious link. The victim's browser connected to an attacker-controlled WebSocket server, transmitted the authentication token in milliseconds, and handed the attacker complete control of the victim's OpenClaw gateway [2]. At the time of disclosure, 42,000+ OpenClaw instances were exposed on the public internet [3]. 12,812 were confirmed vulnerable to remote code execution [3].
January 24 to February 23, 2026 is the month the abstract became concrete.
AI Agent Security — Month −3 Intelligence
Signal 1 — The Moltbook Database Breach (January 31, 2026)
Moltbook was built fast using AI-assisted development — the Supabase database had no Row Level Security policies, and the public API key was embedded in the client JavaScript that every browser downloaded [1][4]. Wiz Security researchers found the key, made a direct database query, and accessed every table: 1.5 million agent profiles and API authentication tokens, 35,000 email addresses, private messages, vote records, and developer application data [1]. Private messages between agents contained plaintext OpenAI and Anthropic API keys stored as literal strings [1].
Wiz Research confirmed full read/write access within hours of discovery [1]. The breach was not technically sophisticated — the data was accessible because no architectural decision had been made that it should not be.
Among the accounts at risk: Andrej Karpathy, OpenAI founding member and one of the most followed voices in AI, had an agent registered on the platform. His agent's API key was in the exposed database, raising the risk of impersonation at scale [1]. The researcher who first publicly disclosed the exposure warned: "Every agent on the platform is currently exposed — including yours, @karpathy" [1].
What this means: The Moltbook breach makes concrete the core question: why does a real credential need to exist in this context at all? Storage hygiene (no hardcoded keys) is necessary but insufficient. Runtime isolation — preventing the real credential from existing in any accessible context — is the architectural answer.
Signal 2 — CVE-2026-25253: The First CVE Assigned to an Agentic AI System (February 3, 2026)
CVE-2026-25253 (CVSS 8.8) was assigned to a vulnerability in OpenClaw discovered by security researcher Mav Levin of the DepthFirst research team in approximately 100 minutes of analysis [5][6]. The mechanism: OpenClaw's control UI accepted a gatewayUrl parameter from the query string and automatically connected via WebSocket without validating the origin header [5]. A crafted link caused the victim's browser to connect to an attacker-controlled WebSocket server and transmit the authentication token in milliseconds, granting full gateway control [5].
At disclosure, 42,000+ OpenClaw instances were reachable on the public internet [3]. 12,812 were confirmed vulnerable to remote code execution per Betterclaw.io's analysis [6]. 93% were running without authentication [7]. The patch was released in version 2026.1.29 within 72 hours [5]. Belgium's Centre for Cybersecurity published an emergency advisory classifying CVE-2026-25253 as critical, urging organisations to update with "highest priority" [6].
The patch closed the WebSocket origin validation gap. It did not revise the permissions model. Agents that had been running with full disk access, terminal access, and OAuth tokens before the patch continued to hold those permissions after it [5].
What this means: Patching the CVE removed the attack vector. It did not change what an attacker who had already used it could do. The credential the patch was designed to protect was still real.
Signal 3 — ClawHavoc Campaign: 341 Malicious Skills in the Marketplace (Late January–February 2026)
Koi Security researcher Oren Yomtov audited all 2,857 skills available on ClawHub in late January 2026 and found 341 malicious entries — 12% of the entire registry [8][9]. 335 were traced to a single coordinated operation named ClawHavoc [8]. By February 16, 2026, the confirmed number had grown to 824 across an expanded registry of 10,700+ skills [9]. Antiy CERT later confirmed 1,184 total malicious skills at peak — approximately one in five packages in the ecosystem [10].
The attack method was straightforward: malicious skills ran with the same permissions as OpenClaw itself — file system access, terminal access, and stored API keys from configuration files [11]. There was no sandbox between skills and the OpenClaw runtime. CrowdStrike CEO George Kurtz later named ClawHavoc at RSAC 2026 as the first major supply chain attack on an AI agent ecosystem [12].
Signal 4 — Enterprise M&A Response: $29 Billion Assembled, Design Layer Untouched
WitnessAI announced a $58 million funding round on January 13, 2026, led by Sound Ventures (early investor in OpenAI, Anthropic, and SentinelOne) [13]. The company reported 500%+ ARR growth. On February 17, Palo Alto Networks announced intent to acquire Koi Security for $400 million, positioning the deal as establishing "Agentic Endpoint Security as the next frontier of enterprise risk reduction" [14]. Combined with CyberArk ($25 billion) and Chronosphere ($3.35 billion), Palo Alto assembled roughly $29 billion across three acquisitions targeting the agent security governance stack [14]. OWASP published the Top 10 for Agentic Applications (December 2025) and the Grantex audit confirmed that 93% of AI agent projects use unscoped API keys as their sole authentication method, with 0% having per-agent cryptographic identity [15].
Every acquisition and every investment in this window operated on the same assumption: real credentials exist at the agent layer, and the job of security is to govern access to them. None of that spending changes the Grantex number.
Application & API Security — Month −3 Intelligence
Signal 1 — Wallarm 2026 API ThreatStats Report (February 17, 2026)
Wallarm released the 2026 API ThreatStats Report on February 17, 2026 [16][17]. Key findings: 43% of all CISA Known Exploited Vulnerabilities (KEV) additions in 2025 were API-related — 106 of 245 entries [16]. Analysis of 60 API-related breaches: broken authentication caused 52% of incidents; unsafe API consumption caused 27% [16]. 56% of API vulnerabilities are exploitable by low-skill actors; 30% have public exploit code [16]. AI-related API vulnerability growth: 398% year-over-year, with 36% of all AI CVEs involving APIs [16]. Wallarm CEO Ivan Novikov stated: "API security is at the heart of any AI transformation. Every AI application or agent interaction is mediated through an API. If you cannot secure your APIs, you can't secure your AI" [17].
What this means: 52% of API breaches trace to broken authentication — the same root cause the DevFortress architecture addresses at the design layer. The Wallarm report bridges the classical API security audience and the AI agent security audience: the attack surface is the same layer viewed from different directions.
Signal 2 — OAuth Token Abuse at Scale: Microsoft and SaaS Integration Layer
Microsoft Security Blog confirmed active campaigns exploiting legitimate OAuth protocol redirect URI functionality to redirect government and public-sector targets to attacker-controlled infrastructure [18]. The attack used invalid OAuth scope parameters to trigger redirections without stealing tokens. Microsoft Defender flagged activity across email, identity, and endpoint signals [18]. In parallel, Obsidian Security's February 2026 analysis documented the Salesloft-Drift breach aftermath: "Refresh tokens with no expiration provide indefinite access. Attackers who steal refresh tokens maintain access regardless of password changes or MFA reenrollment" [19]. Two independent OAuth attack classes — session hijacking and redirect abuse — were confirmed simultaneously in enterprise environments.
Signal 3 — Qualys AppSec: AI Application Layer Enters Mainstream Scanning
Qualys' January 2026 Web Application Scanning and API Security bulletin included Langflow, vLLM, BentoML, and n8n — AI workflow and model serving tools — alongside traditional frameworks like React Router, Next.js, and Apache Tomcat [20]. This is the first mainstream AppSec scanning bulletin to include AI application layer tools in the same detection scope as classical web frameworks. The OWASP Top 10 2025 reached its enterprise adoption wave in January–February 2026, with Broken Access Control at #1 and Security Misconfiguration at #2 [21]. The OWASP Agentic Top 10 maps ASI03 (Identity and Privilege Abuse) directly to OWASP #1: the same root cause, at different stack layers.
DevFortress' Perspective
January 24 to February 23, 2026 is the month the abstract became concrete. Before this window, the AI agent credential security problem was a risk category — documented by OWASP, modelled by researchers, discussed in developer communities. After this window, it had names: Moltbook. 1.5 million tokens. CVE-2026-25253. CVSS 8.8. One click. Milliseconds. Grantex audit. 93% unscoped. 0% per-agent identity.
The enterprise M&A response arrived in parallel: $58 million to WitnessAI, $400 million to Koi, $29 billion total assembled by Palo Alto across three acquisitions. Every investment operated on the same assumption: real credentials exist at the agent layer, and the job of security is to govern access to them. None of those acquisitions included the design-layer architecture that removes the real credential from the agent context entirely — the layer that makes the governance stack above it unnecessary to invoke.
The inventions underlying that architecture were filed with Kenya's Industrial Property Institute on March 17, 2026 (KIPI KE/P/2026/005970–005973) — six weeks after the Moltbook breach confirmed the problem at scale, and before the larger supply chain incidents documented in Digests 3 through 5. The academic descriptions were published as SSRN preprints — Token-Aliased Closed-Loop Security: Architecturally Eliminating Credential Exposure in Security Monitoring (SSRN 6813141) and Token-Aliased Closed-Loop Security: Comprehensive Authentication Lifecycle Defense Modules (SSRN 6813640) — in May 2026. Two further Zenodo preprints describe the specific aliasing and cross-customer intelligence architectures: Token-Aliased Closed-Loop Security: API Key Aliasing and Third-Party Payload Protection (doi.org/10.5281/zenodo.20663396) and Token-Aliased Closed-Loop Security: Privacy-Preserving Cross-Customer Intelligence and Predictive Trajectories (doi.org/10.5281/zenodo.20663801). The specific architecture for preventing real API keys from entering agent contexts was published as a defensive publication (KIPI KE/P/2026/005972) on Zenodo (doi.org/10.5281/zenodo.19691374) and TDCommons (tdcommons.org/dpubs_series/9907) in April 2026.
Resources
- Platform: devfortress.net · SDK: npm install devfortress-sdk
- Newsletter: devfortress.substack.com
- Academic preprints:
- SSRN: Token-Aliased Closed-Loop Security: Architecturally Eliminating Credential Exposure in Security Monitoring (SSRN 6813141)
- SSRN: Token-Aliased Closed-Loop Security: Comprehensive Authentication Lifecycle Defense Modules (SSRN 6813640)
- Zenodo: Token-Aliased Closed-Loop Security: API Key Aliasing and Third-Party Payload Protection (doi.org/10.5281/zenodo.20663396)
- Zenodo: Token-Aliased Closed-Loop Security: Privacy-Preserving Cross-Customer Intelligence and Predictive Trajectories (doi.org/10.5281/zenodo.20663801)
- Defensive publications (Zenodo): 19683825 · 19691251 · 19691374 · 19691449
- Defensive publications (TDCommons): 9904 · 9906 · 9907 · 9908
DevFortress · Patent Pending — KIPI KE/P/2026/005970–005973
References
[1] Wiz Research. (2026, January 31). Moltbook database breach. Reported in: 404 Media; Dev.to; CXToday; Bastion.tech. [1.5M API tokens; 35,000 emails; plaintext OpenAI/Anthropic keys in private messages; security researcher Jamieson O'Reilly warned @karpathy his agent's key was exposed; Karpathy had previously praised the concept as "the most incredible sci-fi takeoff-adjacent thing I have seen recently"] https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys
[2] Levin, M. (DepthFirst). (2026, February 3). CVE-2026-25253 discovery. Reported in: SecurityWeek. [Discovered in ~100 minutes of analysis; patched in v2026.1.29]
[3] The Hacker News. (2026, February). OpenClaw crisis coverage. [42,000+ exposed instances; 12,812 confirmed vulnerable; 93% without authentication]
[4] Jahanzaib.ai. (2026, April 7). OpenClaw Security Crisis 2026: What You Need to Know. https://www.jahanzaib.ai/blog/openclaw-security-crisis-2026-ai-agent-vulnerabilities
[5] Conscia. (2026, February 23). The OpenClaw Security Crisis. https://conscia.com/blog/the-openclaw-security-crisis/ [CVE-2026-25253 mechanism; patch in v2026.1.29 released January 30, 2026]
[6] Betterclaw.io. (2026, April 29). OpenClaw Security 2026: 138 CVEs, Every Vendor Response. https://www.betterclaw.io/blog/openclaw-security-2026 [Belgium CCB emergency advisory; January 31 CVE disclosure date; audit filed GitHub Issue #1796]
[7] Hive Security. (2026, May 7). OpenClaw: How the Viral AI Agent Became 2026's First Major Security Crisis. https://hivesecurity.gitlab.io/blog/openclaw-ai-agent-security-crisis-2026/
[8] OpenClaw Skills / Nassau Roumer. (2026, March 3). OpenClaw March 2026: Current Version, Security Status & What's New. https://openclaw.nasseroumer.com/blog/openclaw-security-crisis-2026/ [Koi Security researcher Oren Yomtov; 341 of 2,857 skills malicious; ClawHavoc named]
[9] Conscia. (2026, February 23). [Citing Koi Security: 824 malicious skills by February 16 across 10,700+ skill registry]
[10] blog.cyberdesserts.com. (2026). AI Agent Security Risks 2026: MCP, OpenClaw & Supply Chain. https://blog.cyberdesserts.com/ai-agent-security-risks/ [Antiy CERT: 1,184 total malicious skills confirmed]
[11] OpenClaw Security Crisis coverage. DEV Community; OpenClaw Skills analysis. [Skills ran with same permissions as OpenClaw runtime — no sandbox]
[12] IBM X-Force. (2026, April 24). What OpenClaw reveals about agentic AI security risks. https://www.ibm.com/think/x-force/what-openclaw-reveals-about-agentic-ai-security-risks [CrowdStrike CEO George Kurtz named ClawHavoc at RSAC 2026 keynote]
[13] WitnessAI. (2026, January 13). $58M funding announcement. Lead: Sound Ventures. [500%+ ARR growth] Reported in SecurityWeek.
[14] Palo Alto Networks. (2026, February 17). Koi Security acquisition announcement. [$400M; "Agentic Endpoint Security as the next frontier"] Combined with CyberArk ($25B) and Chronosphere ($3.35B) acquisitions. Reported in SecurityWeek; The Hacker News.
[15] Grantex. (2026, March). State of Agent Security 2026. grantex.dev/report/state-of-agent-security-2026 [Reviewed 30 AI agent projects; 93% rely exclusively on unscoped environment-variable API keys; 0% have per-agent cryptographic identity; 97% have no user consent flow; 100% have no per-agent revocation] HN discussion: news.ycombinator.com/item?id=47388873 (March 15, 2026)
[16] Wallarm. (2026, February 17). 2026 API ThreatStats Report. BusinessWire. [43% CISA KEV; 52% broken auth; 398% AI API YoY growth; 36% AI CVEs involve APIs; 56% low-skill exploitable] https://lab.wallarm.com/
[17] Wallarm Lab Blog. (2026). Ivan Novikov CEO quote: "If you cannot secure your APIs, you can't secure your AI." https://lab.wallarm.com/
[18] Microsoft Security Blog. (2026, March 2). Active OAuth redirect URI campaigns targeting government organisations. [Invalid OAuth scope parameters; Microsoft Defender signals across email/identity/endpoint]
[19] Obsidian Security. (2026, February 6). OAuth Vulnerabilities Every Security Team Should Know. https://www.obsidiansecurity.com/blog/oauth-vulnerabilities-security-teams ["Refresh tokens with no expiration provide indefinite access..."]
[20] Qualys. (2026, February 3). Web Application Scanning and API Security bulletin — January 2026. [Langflow, vLLM, BentoML, n8n included alongside React Router, Next.js, Apache Tomcat] https://notifications.qualys.com/
[21] OWASP. (2025). Top 10 Web Application Security Risks 2025. [Broken Access Control #1; Security Misconfiguration #2] Multiple analysis sources: Rafter.so; Aikido.dev; SentinelOne; Keydal.net.