AI Agents Just Got Their First Real Security Holes. If You’re Running One, Read This.

For the last eighteen months, the pitch to small business owners has been the same. AI agents are here. They’re ready. Plug them into your email, your calendar, your CRM, your bank account, and they’ll handle the boring parts of running your company. The tech demos are impressive. The vendor decks are polished.

April 2026 just shipped the rebuttal. In the first two weeks of the month, three separate security disclosures landed that every business owner running an AI agent should understand. Not because they’re apocalyptic — they’re not — but because they mark a turning point. The agent stack is now old enough, and adopted enough, that real vulnerabilities are being found, filed, and published. The honeymoon is over.

Here’s the scorecard, in plain English, and what a small business should actually do with it.

1. Microsoft’s AI Integration Shipped With No Password

On April 3, CVE-2026-32211 was published against Microsoft’s @azure-devops/mcp package — the bit of software that lets AI agents talk to Azure DevOps. The bug? Missing authentication. The CVSS score? 9.1 out of 10. That is a serious number. A 9-plus means “remote, unauthenticated, high-impact.” Translation: anyone on the network could point an agent at the service and start issuing commands without logging in.

If you’re not a software company, you’re probably thinking “I don’t use Azure DevOps, so this doesn’t apply to me.” That’s the wrong lesson to take from it. This isn’t a story about Azure DevOps. It’s a story about MCP — Model Context Protocol — which is the plumbing underneath almost every AI agent being sold to businesses today. There are over 10,000 public MCP servers in the wild right now. Most of them were written in the last twelve months. A lot of them were written by people who had never written a production service before. A 9.1 CVE in a Microsoft-published MCP server is the loudest possible signal that the ones your vendors are using haven’t been looked at yet either.

2. Claude Code’s Safety Rules Got Pad-Bypassed

A few days later, researchers at Adversa disclosed a vulnerability in Claude Code — Anthropic’s coding agent — where the tool’s deny rules could be bypassed by padding the input with a chain of fifty no-op subcommands. The deny rules are the safety list you set to tell the agent “don’t ever run these commands.” The bypass made them stop working.

The reason is dull and telling: there was a hard cap of 50 security subcommands in the code, and the attack just exceeded it. The safety rails weren’t wrong. They were finite.

The bypass wasn’t clever. It was arithmetic. The safety rails held up to 50 subcommands. The attacker sent 51. This is what almost every agent safety failure is going to look like for the next two years.

This matters for small businesses for a specific reason. If you’ve set up any kind of agent that runs code, sends email, edits files, or touches your accounting system, you probably configured a deny list. The deny list is how you keep the agent from doing the dangerous things. The Claude Code disclosure is the first public example of a deny list with a loophole. It won’t be the last.

3. Prompt Injection Attacks Are Up 340%

The third item isn’t a single CVE. It’s a trend line. Industry telemetry through Q1 2026 put prompt injection attacks — the class of attack where a malicious input tricks an AI agent into ignoring its instructions — up 340% year over year.

Prompt injection comes in two flavors. The first is the one people already know about: a user types something sneaky into the chat box and the agent does something it shouldn’t. The second is worse and much harder to defend against. It’s called indirect prompt injection, and it works like this: your agent reads an email, a PDF, a web page, a calendar invite, a customer review. Hidden inside that content are instructions aimed at the agent, not the human. The agent reads them. The agent does them.

A customer service agent that reads incoming emails can be told by an incoming email to forward the inbox to an attacker. A scheduling agent that reads calendar invites can be told by a calendar invite to cancel every meeting. The agent doesn’t know the difference between content and commands because, from its point of view, there isn’t one.

Researchers are now calling the worst-case configuration the lethal trifecta: an agent that (1) can access private data, (2) can communicate with the outside world, and (3) reads untrusted input. Almost every small business agent deployment I’ve seen has all three.

What About OpenClaw?

OpenClaw 2026.4.12 shipped on April 12. I’ve written before about the OpenClaw ecosystem and the tools trying to make it safer. This release adds an optional plugin called Active Memory, which lets the agent pull in relevant past context automatically before each reply. On paper it’s a nice quality-of-life feature — your assistant “remembers” things without you having to tell it to.

In practice, Active Memory is a new attack surface. It’s called memory poisoning, and it’s exactly what it sounds like. If the memory store contains anything — a chat log, a note, a document — that was written by anyone who isn’t you, that content will end up in the agent’s prompt on some future turn. Combined with indirect prompt injection, it’s a way to leave instructions for tomorrow’s conversation inside today’s.

The OpenClaw team isn’t doing anything wrong here. The feature is clearly marked as optional and opt-in. But if you turn it on for your business, understand what you’ve turned on.

What a Small Business Should Actually Do

You don’t need to panic. You don’t need to rip out your agents. But if you’re running an AI agent in your business today — or your SaaS vendor is about to ship one to you — here’s the short list of things to ask and do.

Ask your vendors these four questions

• What permissions does this agent have, exactly? Get the list. If they can’t produce one, that’s the answer.
• Where is the audit log? Every action the agent takes should be logged somewhere you can read. “It’s coming in a future release” is not a yes.
• How do I revoke access in 60 seconds? If the agent goes rogue — and one will, eventually — you need a kill switch. Find it before you need it.
• What does the agent read that I didn’t send it? Emails, calendar invites, documents, web pages. Every untrusted source is a prompt injection vector.

Do these three things regardless of vendor

• Segment the blast radius. The agent that answers customer emails should not have access to your bank account, your payroll, or your customer database. Most agents are installed with far more access than they need. Cut it.
• Put a human in the loop for money moves. Sending payments, changing bank details, publishing price changes, firing anyone. These are actions an agent should prepare, never execute.
• Assume the deny list has a hole. If your only protection against the agent doing something dangerous is a configuration setting, you have one layer of defense. Add a second one — usually a separate system that watches what the agent actually does and alerts you if it crosses a line.

The agents are getting better. The security around them is catching up. The businesses that will be fine are the ones that don’t give the agent the keys until the locks are tested.

Where This Is Going

The pattern in April is the pattern for the rest of the year. MCP is going to keep shipping CVEs — there are too many servers, written too fast, by too many teams who haven’t done this before. Deny lists are going to keep having edge cases. Prompt injection is going to keep rising because the economics favor it: attackers can automate, defenders can’t catch everything, and the attack surface grows every time a new vendor adds an agent to a product you already use.

That isn’t a reason to sit out. The businesses using agents well are getting real leverage. But “using them well” now includes security hygiene that six months ago was optional. If your agent deployment doesn’t have a logged audit trail, a revocation path, a minimum-privilege config, and a human in the loop for destructive actions, what you’ve deployed is a liability with a friendly interface.