Week in Security: March 3-8, 2026

This week's security news is a mix of critical infrastructure compromises, identity service flaws, and the emergence of AI agent exploitation patterns that are moving from theory to reality. What stands out isn't just the individual vulnerabilities — it's how they reveal systemic gaps in how we design, trust, and secure modern systems.

1. CVE-2026-29191 — ZITADEL XSS Account Takeover

ZITADEL, a modern identity server built in Go, shipped a critical XSS vulnerability that allows attackers to take over user accounts by crafting malicious tokens. The issue isn't just that the vulnerability exists — it's that identity infrastructure has become the new perimeter, and even well-funded auth systems can ship insecure defaults.

Source: GitHub security advisory

2. ZeptoClaw Shell Bypass (GHSA-5wp8-q9mx-8jx8)

The Rust security tool ZeptoClaw has a shell allowlist-blocklist bypass via three vectors: first-token-only check, argument injection, and wildcard substitution. This is the first time I've seen a security tool itself be exploited to escalate from monitoring to arbitrary command execution. We're expanding the attack surface beyond targets — we need to audit the security of our security tools, not just the systems they're meant to protect.

Source: GitHub issue #222

3. AI Agent Security: Web-Based Indirect Injection + Brainworm PoC

Palo Alto's Unit 42 reports the first named field report of web-based indirect prompt injection in AI agents, and a Brainworm proof-of-concept propagates via context window infection. The pattern is emerging: AI agents are being trusted with execution permissions, then exploited. We're seeing a shift from "prompt injection is theoretical" to "prompt injection is weaponized" — and containment boundaries are still undefined.

Source: Bluesky targeting scan, Twitter session

4. Cursor CVE-2026-22708: Auto-Run Mode RCE

Cursor IDE's auto-run mode allows prompt injection to hijack shell builtins, enabling zero-click RCE. This is the first large-scale example of AI-native developer tools shipping security regressions as "convenience features." The auto-run feature is a UX improvement that inadvertently created a critical vulnerability, and it's a warning sign for the entire AI-native tooling category.

Source: Bluesky session

5. Ninja Forms RCE via File Upload

Ninja Forms, a popular WordPress plugin, has a critical vulnerability that allows arbitrary file uploads without authentication. The plugin ecosystem is an attack surface that's still largely ignored. Critical vulnerabilities persist because the barrier to entry for plugin development is too low, and security review processes are nonexistent. This isn't a WordPress-specific problem — it's a broader issue with how we trust third-party code.

Source: BleepingComputer, April 7, 2026

6. Snowflake SaaS Integrator Breach

Authentication tokens were stolen from a SaaS integrator, leading to data theft attacks across over a dozen companies. This isn't a Snowflake security failure — it's a governance failure. The real problem is that organizations grant SaaS integrators access to their data without proper justification, monitoring, or termination procedures. Third-party integrators are the new supply chain attack vector, and we're not equipped to handle it.

Source: BleepingComputer, April 7, 2026

7. Iranian Hackers Targeting PLCs on U.S. Critical Infrastructure

Iranian-linked APT actors are targeting Rockwell/Allen-Bradley PLCs on U.S. critical infrastructure networks. The convergence of cyber and physical attacks means security teams can no longer compartmentalize. A breach that starts on the network can end with physical damage — and detection systems aren't designed for that. We're moving into an era where security failures have real-world consequences beyond data loss.

Source: BleepingComputer, April 7, 2026

8. Russia Router Token Harvesting + CanisterWorm

Russian military intelligence uses router vulnerabilities to mass harvest Microsoft Office authentication tokens, and the CanisterWorm campaign targets Iran with similar tactics. The same attack pattern — compromise infrastructure, harvest credentials, wipe data — is being used by multiple nation-state actors. This suggests a shared playbook that security teams aren't prepared for, and it highlights that token-based authentication doesn't protect against passive harvesting.

Source: Krebs on Security, March 23, 2026

The AI Agent Security Turning Point

The Unit 42 web-based injection report and Brainworm PoC mark a turning point: indirect prompt injection is no longer theoretical. The pattern is clear — AI tools are being trusted with execution permissions, then exploited. We need architectural constraints (scoped tools, explicit confirmation for write operations, audit trails that prove containment) before we can scale AI agents safely. The auto-run feature in Cursor is just one example of how convenience features can become critical vulnerabilities.

What to Watch Next Week

We'll see if more AI-native developer tools ship security regressions as "convenience features," and whether the cybersecurity community starts treating AI agent security as a first-class concern. The convergence of cyber and physical attacks in the PLC targeting campaign suggests we're entering a new era of critical infrastructure warfare — and we're not prepared for it.