Multiple Misconfiguration and Access-Control Flaws Expose AI and SaaS Platforms to Data Theft and Account Takeover
Security researchers reported a critical Moltbook exposure caused by an unauthenticated database/API access issue that allowed enumeration of agent records (e.g., GET /api/agents/{id}) and leakage of email addresses, JWT login_tokens, and third-party api_keys, enabling agent hijacking and downstream abuse of connected services. Separately, Cal.com Cloud was found vulnerable to a chained set of broken access controls and signup/invite-token logic flaws that enabled complete account takeover and access to sensitive booking data (attendee details, emails, and booking histories) at scale, including organizational accounts.
In parallel, SentinelLabs documented that roughly 175,000 internet-exposed Ollama instances were reachable due to common deployment misconfiguration (binding to 0.0.0.0/public interfaces), creating conditions for arbitrary code execution and access to external resources—especially where tool-calling features were enabled. A distinct IoT case study described Molekule air purifiers exposing fleet-wide telemetry because an AWS Cognito Identity Pool permitted unauthenticated access to AWS IoT Core MQTT subscriptions, leaking device shadow data (e.g., Wi‑Fi SSIDs, MAC addresses, device names, sensor readings) for ~100,000 devices; the disclosed policy reportedly allowed read/subscribe access but not device control without per-device certificates.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Moltbook reportedly remains unpatched and unresponsive to disclosure
The Moltbook report states the company had not confirmed any patch and was unresponsive to vulnerability disclosures at the time of publication. Researchers recommended revoking exposed keys, sandboxing agents, and auditing for compromise.
Researchers disclose Moltbook data exposure and mass fake-account abuse
By February 1, 2026, researchers reported that Moltbook exposed email addresses, login tokens, and API keys through an unauthenticated API or database misconfiguration with predictable agent IDs. They also said the platform lacked account-creation rate limiting, allowing a single OpenClaw agent to create hundreds of thousands of fake accounts and inflate user counts.
Researchers report 175,000 Ollama servers exposed to the internet
On January 30, 2026, SentinelLABS reported that roughly 175,000 Ollama hosts were publicly accessible, often because administrators changed the default local-only bind setting to a public interface. The report warned that exposed tool-calling and weak authentication could enable remote code execution and unauthorized access to external systems.
Researcher discloses unauthenticated MQTT access in Molekule air purifiers
A vulnerability report published on January 29, 2026 described unauthenticated access to the MQTT broker used by Molekule IoT air purifiers. The disclosure indicates the devices' messaging infrastructure could be reached without authentication.
Cal.com patches account takeover in version 6.0.8
Cal.com said it fixed the account takeover issue in version 6.0.8 after the flaws were identified. Additional fixes to restrict internal route handler access were released within days to address related exposure paths.
Gecko Security discovers chained Cal.com account takeover flaws
On January 26, 2026, researchers reported discovering three connected vulnerabilities in Cal.com Cloud, including broken invite-flow validation and an IDOR issue. The chain allegedly allowed attackers to overwrite victim passwords, hijack accounts, and access or delete booking data.
Moltbook launches in late January 2026
Moltbook, an AI-agent social network created by Octane AI's Matt Schlicht, launched in late January 2026. The later vulnerability report ties exposed data and account abuse to this newly launched platform.
SentinelLABS and Censys begin long-term scan of exposed Ollama hosts
Researchers from SentinelLABS, working with Censys, conducted a 293-day internet scanning effort to measure public exposure of Ollama servers. Over the course of the study they recorded 7.23 million observations across 130 countries and 4,032 autonomous system networks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Moltbook AI Vulnerability Exposes Email Addresses, Login Tokens, and API Keys
cybersecuritynews.com
Open source175,000 Exposed Ollama Hosts Enable Code Execution and External System Access
cybersecuritynews.com
Open sourceVulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers | Dominik Zürner
zuernerd.github.io
Open sourceCal.com Broken Access Controls Exposes Millions of Bookings and Leads to Complete Account Takeover
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Insecure Public Exposure of Self-Hosted AI Infrastructure (Ollama and MCP Servers)
Security researchers and media reporting highlighted widespread **public exposure of self-hosted AI infrastructure** caused by rushed, poorly governed deployments. Reporting cited **14,000+ internet-accessible Ollama inference servers**, with one analysis estimating **~20%** hosting models susceptible to unauthorized access, and separate findings identifying **10,000+ Ollama servers** exposed **without any authentication**—often due to developers binding services to all interfaces or standing up local inference/gateway components (e.g., *LiteLLM*, *vLLM*) outside normal asset inventories. The net effect is “shadow AI” that creates material blind spots for security teams and increases the likelihood of unauthorized model access, data exposure, and abuse of internal AI services. In parallel, enterprise adoption of **Model Context Protocol (MCP) servers**—which bridge LLMs to internal tools and data—has introduced similar exposure risk when deployed without access controls. Guidance and analysis noted that MCP, introduced as an open standard without native role restrictions, leaves security implementation to operators; researchers reportedly identified **nearly 2,000 MCP servers** on the open web with **no security controls**, increasing risk of unauthorized access, data loss, and potentially **arbitrary command execution** via overly privileged integrations. A vendor announcement positioned an AI-agent governance platform (*MintMCP*) as a response to these visibility and control gaps (audit trails, policy enforcement, access controls), but it primarily serves as product marketing rather than independent incident reporting.
Mar 21, 2026
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
Mar 21, 2026
Moltbook Data Exposure and Emerging Risk of Viral AI Prompt Worms
Security researchers reported a major data exposure affecting **Moltbook**, an AI-agent-focused social network used by autonomous agents such as **OpenClaw**. According to a **Wiz** analysis, misconfigured *Supabase* backend controls—specifically an exposed Supabase API key in client-side JavaScript combined with missing **Row Level Security (RLS)**—allowed database access and schema enumeration via **GraphQL**, resulting in exposure of **~4.75 million records**. The leaked data reportedly included **~1.5 million API authorization tokens**, **tens of thousands of human email addresses**, **4,060 private messages between agents**, and **OpenAI API keys stored in plaintext** within some messages, creating a direct risk of account takeover/agent impersonation and downstream API abuse. Separate reporting highlighted the broader security implications of rapidly spreading, “viral” **prompt-based worms** in agentic AI ecosystems, noting that today’s major model providers can sometimes disrupt malicious agent activity through API monitoring and key termination, but that this control diminishes as capable **local models** become more accessible. A third item referenced **CVE-2026-24763** (an authenticated command injection issue in OpenClaw’s Docker execution via the `PATH` environment variable), but the provided material does not include substantive details tying it to the Moltbook exposure or the prompt-worm discussion beyond the shared OpenClaw ecosystem context.
Mar 21, 2026