Agent Security Just Got Real CVEs
For the past year, the security conversation around AI agents has been mostly theoretical — research papers, conference talks, “what if an attacker could…” thought experiments. That changed this week.
Four CVEs dropped in CrewAI this week. The attack chain starts with prompt injection and ends in remote code execution, server-side request forgery or arbitrary file read, all reachable through the Code Interpreter and the default configurations. Real companies are running real workloads on CrewAI.
Alongside that, OpenClaw published a CVSS 9.9 privilege escalation affecting 135,000+ internet-facing instances. And Chrome's Gemini Live panel has CVE-2026-0628, which lets a malicious extension take over the AI assistant panel, including the camera and microphone access it holds.
If you run any of these, check your dependencies today — not this week, today.
The number that should change how you think about agentic system design: Google Mandiant’s M-Trends 2026 report puts median attacker breakout time at 22 seconds. Down from 8 hours.
That kills the human-in-the-loop argument as a preventive security control. A reviewer cannot read, understand and approve an action in 22 seconds, let alone at the rate an agent issues tool calls. If your threat model assumes a person catches the bad action before it executes, your threat model is broken: the control has to be enforced in code, before the tool call runs.
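What "enforced in code before the tool call runs" looks like, as an added example that is not CrewAI's, OpenClaw's or Chrome's code and does not reproduce any of the CVEs above. The tool names (`http_get`, `read_file`, `run_code`), the policy rules and the sample tool calls are all assumptions constructed for the illustration. The gate is deterministic and default-deny, so it decides in microseconds and never waits for a human; it targets the three impact classes the CrewAI advisories name (SSRF, arbitrary file read, code execution through an interpreter).

```python
"""Pre-execution gate for agent tool calls (added illustration, hypothetical tools)."""
import ipaddress
import os
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Policy:
    # Assumed defaults: read only under /workspace, talk only to one API host,
    # and keep the code interpreter off unless a deployment opts in.
    allowed_read_roots: tuple = ("/workspace",)
    allowed_hosts: frozenset = frozenset({"api.example.com"})
    allow_exec: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _is_internal_target(host: str) -> bool:
    """True for loopback, link-local (cloud metadata 169.254.169.254), RFC 1918 and similar."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal IP: catch the usual internal names; everything else is
        # handled by the host allowlist in check_http (default deny).
        return host == "localhost" or host.endswith(".internal") or host.endswith(".local")
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_http(url: str, policy: Policy) -> Decision:
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return Decision(False, f"scheme {parsed.scheme!r} not allowed")
    if _is_internal_target(host):
        return Decision(False, f"target {host!r} is internal (SSRF)")
    if host not in policy.allowed_hosts:
        return Decision(False, f"host {host!r} not on allowlist")
    return Decision(True, "ok")


def check_file_read(path: str, policy: Policy) -> Decision:
    # Resolve symlinks and '..' first, then compare path components, not raw prefixes,
    # so '/workspace2/x' does not pass for root '/workspace'.
    real = os.path.realpath(path)
    for root in policy.allowed_read_roots:
        root_real = os.path.realpath(root).rstrip("/")
        if real == root_real or real.startswith(root_real + "/"):
            return Decision(True, "ok")
    return Decision(False, f"{real!r} is outside the allowed read roots")


def check_exec(policy: Policy) -> Decision:
    if not policy.allow_exec:
        return Decision(False, "code interpreter disabled by policy")
    return Decision(True, "ok")


def gate(tool_call: dict, policy: Policy) -> Decision:
    """Decide a single tool call before it executes. Unknown tools are denied."""
    name = tool_call.get("tool")
    args = tool_call.get("args", {})
    if name == "http_get":
        return check_http(args.get("url", ""), policy)
    if name == "read_file":
        return check_file_read(args.get("path", ""), policy)
    if name == "run_code":
        return check_exec(policy)
    return Decision(False, f"unknown tool {name!r}")


# Constructed sample: the tool calls a prompt-injected agent might emit.
INJECTED_CALLS = [
    {"tool": "read_file", "args": {"path": "/workspace/../etc/passwd"}},
    {"tool": "http_get", "args": {"url": "http://169.254.169.254/latest/meta-data/"}},
    {"tool": "http_get", "args": {"url": "http://localhost:8080/admin"}},
    {"tool": "run_code", "args": {"code": "import os; os.system('id')"}},
    {"tool": "read_file", "args": {"path": "/workspace/notes.txt"}},
    {"tool": "http_get", "args": {"url": "https://api.example.com/v1/search"}},
]


def run_demo(policy: Policy = Policy()) -> list:
    """Return (tool, allowed, reason) for each sample call; only the last two pass."""
    return [(c["tool"], d.allowed, d.reason) for c in INJECTED_CALLS for d in [gate(c, policy)]]


if __name__ == "__main__":
    for tool, allowed, reason in run_demo():
        print(f"{tool:10} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Two caveats a practitioner would add before relying on this. A hostname allowlist does not stop DNS rebinding, so the HTTP client should resolve the name and pin the resolved address at connect time, rejecting internal addresses again there. And the file check only guards the `read_file` tool; if `run_code` is enabled, the interpreter itself needs an OS-level sandbox (separate user, no network, read-only filesystem), because no string-level policy can contain arbitrary code.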
These are infrastructure-grade problems. The frameworks getting these CVEs are being treated like weekend projects.
Source: Adversa AI — Top Agentic AI Security Resources, April 2026