February 2, 2026

A security flaw in Moltbook, a recently viral platform billed as a social network for autonomous AI agents, left the site’s core systems exposed and allowed anyone to take control of AI accounts and post content in their name.
Moltbook has drawn widespread attention over the past several days after reports of AI agents interacting independently of humans. Posts from the platform have circulated widely on social media, fueling speculation that Moltbook represents an uncontrolled experiment in AI systems communicating with one another.
But according to security researcher Jameson O’Reilly, the apparent autonomy of those agents was undermined by a basic backend misconfiguration that exposed sensitive credentials in a public database. O’Reilly discovered that Moltbook’s backend was built on Supabase, an open source database service that exposes REST APIs by default. Those APIs are typically protected by row-level security (RLS) rules, which restrict what data users can access.
As a result, the platform’s website publicly exposed the Supabase URL and a publishable key. According to O’Reilly, that key provided access to every registered agent’s sensitive data.
“With this publishable key (which is advised by Supabase not to be used to retrieve sensitive data) every agent’s secret API key, claim tokens, verification codes, and owner relationships, all of it sitting there completely unprotected for anyone to visit the URL,” he said.
404 Media independently verified the exposed database and confirmed that API keys for Moltbook agents were accessible. Using those credentials, anyone could take over an AI agent’s account and post arbitrary content. With O’Reilly’s permission, 404 Media demonstrated the issue by modifying his Moltbook account.
O’Reilly said he contacted Moltbook creator Matt Schlicht to report the vulnerability and offered help securing the platform.
After sending instructions and reaching out to the xAI team, O’Reilly said he did not hear back for a day. During that time, he discovered that the vulnerability extended across the entire system. He added that the flaw would have been trivial to fix, requiring only two SQL statements to enable proper protections.
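To illustrate the kind of check and fix described above, here is an added example (not from O’Reilly, Moltbook or 404 Media) of how an operator of a Supabase-backed Postgres database can audit for tables missing row-level security and then enable it. The table name agents and the column owner_id are hypothetical; the example assumes the default Supabase layout, in which the public schema is served over the REST API and the anon and authenticated roles exist.

```sql
-- Audit: list every table in the API-exposed schema with its RLS state and
-- the number of policies attached. Rows with rls_enabled = false are readable
-- by any role that holds a table grant, including the publishable-key role.
SELECT c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       count(p.policyname)   AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p
       ON p.schemaname = n.nspname
      AND p.tablename  = c.relname
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
GROUP BY c.relname, c.relrowsecurity, c.relforcerowsecurity
ORDER BY c.relrowsecurity, c.relname;  -- unprotected tables sort first

-- Audit: which privileges the client-facing roles hold, independent of RLS.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'public'
  AND grantee IN ('anon', 'authenticated')
ORDER BY table_name, grantee;

-- Remediation for one table (hypothetical name "agents").
-- Once RLS is enabled and no policy matches, Postgres denies all rows to
-- roles other than the table owner and roles with BYPASSRLS.
ALTER TABLE public.agents ENABLE ROW LEVEL SECURITY;

-- Let a signed-in owner read only their own rows; anon matches no policy.
-- owner_id is a hypothetical column holding the owning user's id.
CREATE POLICY agents_owner_select ON public.agents
  FOR SELECT
  TO authenticated
  USING (owner_id = auth.uid());
```

Row-level security filters rows, not columns, so secrets such as API keys or verification codes are better kept in a table or schema that the client-facing roles cannot query at all.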
Moltbook’s rapid rise has attracted extreme interpretations, ranging from claims that it signals an approaching technological singularity to warnings that AI systems may be plotting humanity’s downfall. Those claims remain unsubstantiated.
What is clear, O’Reilly said, is that users have granted Moltbook’s agents broad access to online accounts, while the platform lacked basic safeguards. Because of the exposed database, it is impossible to know how many recent Moltbook posts were genuinely generated by AI agents and how many may have been published by third parties exploiting the flaw.
