
Week in Security: March 3-8, 2026
This week's security news is a mix of critical infrastructure compromises, identity service flaws, and the emergence of AI agent exploitation patterns that are moving from theory to reality. What stands out isn't just the individual vulnerabilities — it's how they reveal systemic gaps in how we design, trust, and secure modern systems.

1. CVE-2026-29191 — ZITADEL XSS Account Takeover

ZITADEL, a modern identity server built in Go, shipped a critical XSS vulnerability that allows attackers to take over user accounts by crafting malicious tokens. The issue isn't just that the vulnerability exists — it's that identity infrastructure has become the new perimeter, and even well-funded auth systems can ship insecure defaults.

Source: GitHub security advisory

2. ZeptoClaw Shell Bypass (GHSA-5wp8-q9mx-8jx8)

The Rust security tool ZeptoClaw has a shell allowlist-blocklist bypass via three vectors: first-token-only check, argument injection, and wildcard substitu
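The ZeptoClaw item above turns on an allowlist that inspected only the first token of a command line, so anything after that token (chained commands, injected flags, shell wildcards) was never examined. The Python example below is added here; it is not ZeptoClaw's code and not from the digest. It places that weak first-token check beside a validator that parses the whole line without a shell, rejects shell metacharacters and glob characters outright, matches the program name exactly, and checks every argument against a per-command policy. The policy table, the allowed flags and the sample command lines are constructed for illustration.

```python
"""Command allowlisting: a first-token-only check next to a whole-line validator.

Added example, not ZeptoClaw's code. The policy table and sample inputs are constructed.
"""
import re
import shlex
import subprocess
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Characters that only mean something to a shell. Because the hardened path never
# hands the line to a shell, none of them is needed in a legitimate invocation.
SHELL_METACHARS = frozenset(";&|<>`$(){}[]*?~!\n\r")

# Positional arguments (paths) must be plain: no spaces and no glob characters.
SAFE_POSITIONAL = re.compile(r"^[A-Za-z0-9_./-]+$")


@dataclass(frozen=True)
class CommandPolicy:
    """What one allowlisted program may be called with."""
    allowed_flags: FrozenSet[str]   # exact flag tokens; any other '-' token is rejected
    max_positional: int             # how many non-flag arguments are permitted


# Constructed policy: exact program names (no paths) mapped to their argument rules.
POLICY: Dict[str, CommandPolicy] = {
    "ls": CommandPolicy(frozenset({"-l", "-a", "-la", "-h"}), max_positional=1),
    "wc": CommandPolicy(frozenset({"-l", "-c", "-w"}), max_positional=1),
}


def naive_is_allowed(command_line: str, allowlist: FrozenSet[str]) -> bool:
    """The weak pattern: look at the first whitespace-separated token only.

    Everything after that token (extra commands, injected flags, globs) is never
    examined, which is the gap the ZeptoClaw advisory describes.
    """
    tokens = command_line.split()
    return bool(tokens) and tokens[0] in allowlist


def validate(command_line: str) -> Optional[List[str]]:
    """Return argv if the entire line conforms to POLICY, otherwise None."""
    # 1. No shell metacharacters anywhere: this rejects command chaining, command
    #    substitution, redirection, globbing and tilde expansion before parsing.
    if any(ch in SHELL_METACHARS for ch in command_line):
        return None
    # 2. Tokenize with POSIX quoting rules but without a shell; unbalanced quotes fail.
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None
    if not argv:
        return None
    # 3. The program must match an allowlisted name exactly ("/bin/ls" or "./ls" fail).
    policy = POLICY.get(argv[0])
    if policy is None:
        return None
    # 4. Every remaining argument is checked, not just the first token.
    positional_count = 0
    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in policy.allowed_flags:
                return None          # unknown option-like token: argument injection
        else:
            positional_count += 1
            if positional_count > policy.max_positional:
                return None
            if not SAFE_POSITIONAL.match(arg) or ".." in arg.split("/"):
                return None          # odd characters or directory traversal
    return argv


def run_validated(command_line: str) -> Optional[subprocess.CompletedProcess]:
    """Execute only a validated argv, and never through a shell."""
    argv = validate(command_line)
    if argv is None:
        return None
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    samples = ["ls -l /tmp", "ls ; echo injected", "ls -l *.txt",
               "ls --color=always /tmp", "/bin/ls -l", "ls ../private"]
    for line in samples:
        print(f"{line!r:28} naive={naive_is_allowed(line, frozenset(POLICY))!s:5} "
              f"validated={validate(line) is not None}")
```

The point of the contrast is that the naive check accepts the chained and wildcard lines because their first token is "ls", while the validator refuses them and also refuses unknown flags, path-qualified program names and traversal in positional arguments. Validation on its own is only half the control: the executor must call `subprocess.run` with the parsed argv and `shell=False`, since handing even a validated string back to a shell reintroduces the expansions the validator just excluded.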
Continue reading on Dev.to
