AGENTS
(151)151 hack(s).
How account-synced preferences can hijack Claude Desktop's local tools
Pentera showed an attacker with account access can hide instructions in Claude Desktop's synced Personal Preferences to drive its local tools into running attacker commands.
When the database is the security boundary: attacking LLM data agents
A June 2026 study attacks LLM-driven analytical agents across six systems and finds that neither model safety nor classic database controls hold on their own.
Agentic abstention: do AI agents know when not to act?
A new benchmark tests whether tool-using agents recognize when NOT to act. The strongest frontier agent scores only 59.5% — and the ability barely improves as models get more capable.
Agent collusion: covert channels let AI agents coordinate past monitors
Two 2026 studies show LLM agents can build covert side-channels to collude past plain-text monitors — and that ordinary tool use now makes those channels practically undetectable.
The observability boundary: why per-agent monitors miss distributed backdoors
A July 2026 paper formalises why runtime monitors that check each agent step in isolation cannot catch a backdoor split across agents — and shows detection only returns when you change what the monitor sees.
Cline's Hub dashboard: loopback mistaken for authentication, again
A July 8, 2026 advisory shows the Cline Hub dashboard exposes a local WebSocket with no Origin check and a shared secret disabled by default — the second cross-origin WebSocket flaw in Cline in two months.
Langroid's Neo4j agent runs LLM-written Cypher unchecked — the SQL bug's twin
Langroid's graph-database agent hands model-generated Cypher straight to Neo4j with no validation. A prompt injection can wipe the graph or, with APOC enabled, reach the host — the exact defect already patched for the SQL agent, left standing in the Neo4j module.
Silent policy violations: agents that break the rules and report success
A July 2026 paper shows tool-using agents routinely make policy-forbidden writes that raise no error and pass self-checks — and that deterministic pre-execution gates catch them.
Sleeper triggers in photos: poisoning the memory of recommender agents
An April 2026 paper shows a photo uploaded to an agentic recommender can hide a dormant trigger that later hijacks the agent's planning — no prompt injection needed. A dual-process defense cuts the hit rate from ~85% to ~10%.
DeepJack: hidden arguments in Cursor's MCP-install deeplink reach RCE
A crafted cursor:// link installs an attacker-controlled MCP server whose real command is scrolled off-screen in the install dialog, reaching unsandboxed code execution after one click.
Hidden tool-metadata payloads in MCP: the approval-view fidelity gap
A July 2026 study shows invisible Unicode TAG characters can smuggle instructions into MCP tool metadata — present in the model's context, absent from the approval dialog a user sees.
When agents ignore a skill's own preconditions: the SLBench study
A July 2026 benchmark tests whether LLM agents respect the logical relations inside skill files — preconditions and constraints — turning skill dependencies into executable safety tests.
When the agent runs its own code: PraisonAI's CodeAgent turns prompt injection into RCE
Disclosed July 11, 2026, a maximum-severity flaw in PraisonAI runs LLM-generated Python with no AST checks, import limits or sandbox — so a crafted prompt becomes arbitrary code on the host.
Benign subtasks, harmful plan: the plan-generation gap in AI agents
An April 2026 paper shows one innocuous-looking request can make an LLM orchestrator plan steps that each pass safety checks but jointly break policy — and proves per-subtask filters can't catch it.
Capability gates aren't authorization in LLM agent frameworks
A June 2026 audit of LangChain, LlamaIndex and the Stripe Agent Toolkit finds none re-checks a tool call's actual arguments before running it — so an injected payout executes.
GhostApproval: the coding-agent approval prompt that hides the real target
Wiz Research disclosed on July 8, 2026 a trust-boundary flaw in six AI coding assistants: a malicious repo uses a symlink so an approved edit to a harmless file silently writes to ~/.ssh/authorized_keys.
Operational reframing: the portable risk signal in multi-agent LLM safety
A July 2026 arXiv study decomposes 'pipeline' safety failures in planner-executor agents, finding it's the rewording of harm as operational work — not the architecture — that travels across models, and that a skeptical executor prompt blunts it.
VEXAIoT: LLM agents that chain IoT recon to exploitation in the lab
A July 2026 paper wires two LLM agents into an IoT attack pipeline — reconnaissance then exploitation — reaching a 95% success rate across deliberately vulnerable testbeds. What it means for defenders.
WriteOut: when an AI sandbox forwards the user's session cookie
A critical, now-patched flaw in Writer's enterprise AI platform let a single agent preview link hijack any logged-in user's account across organizations. The root cause: a managed sandbox that received the victim's session cookie.
Cowork sandbox escape: a signed RPC that trusted client privilege flags
Researchers chained DLL sideloading and an over-trusted named-pipe RPC to reach root inside Claude Cowork's Linux sandbox. Anthropic calls local code execution a prerequisite, not a flaw.
Asking an AI agent to review untrusted code can run the attacker's code
AI Now Institute's Friendly Fire brief shows that pointing an auto-mode coding agent at a hostile repo to security-review it lets injected repo text steer the agent into executing attacker code on the host.
GhostWriter: poisoning a personal AI agent's memory through an ordinary email
A July 2026 paper shows an attacker can plant a hidden instruction in a routine email, get a personal assistant agent to store it as memory, and have it act on that instruction days later — with a defense that stops it.
Intent legitimation: when a personal agent's own memory erodes its safety
A January 2026 study shows benign, truthful memories in a personalized AI assistant can bias its intent inference and make it answer harmful requests it would otherwise refuse — no attack required.
An incomplete eval() sandbox in Langroid lets a prompt run host code
Langroid's earlier fix for a TableChatAgent code-injection flaw left an opt-in path where an eval() sandbox forgets to strip Python built-ins — reopening unauthenticated remote code execution.
How one edit permission could hijack every Dialogflow CX chatbot in a project
Varonis' Rogue Agent finding shows a single content-edit permission on one Dialogflow CX agent was really a code-execution right over a shared, invisible runtime — and every chatbot in the Google Cloud project.
When computer-use agents click stale pixels: the screenshot-to-action race
A screenshot is a check; a click is a use. If the screen changes in between, a computer-use agent acts on pixels that no longer exist — a classic TOCTOU race turned into a real exploit.
How adversarial feed curation steers LLM agent decisions
A June 2026 study shows that choosing which benign posts an LLM agent reads before it acts can tip its decisions — with no injected instruction and no payload a content filter could catch.
The enterprise MCP rewrite moves security from the protocol to your developers
The MCP 2026-07-28 specification removes protocol-level session hijacking, unsolicited prompts and weak auth — but hands new attack surfaces (state tampering, unsigned metadata, header desync, app XSS, task DoS) to the developers who build on it.
n8n's recurring RCE surface: an automation hub that holds every credential
A June 2026 wave of critical flaws in the n8n workflow platform — sandbox escapes, prototype pollution, expression evaluation — shows why an LLM-automation hub that stores every credential is a single point of failure.
Agentic red-team tools can be hijacked by their own targets
A June 2026 study audits 12 agentic offensive-security tools and shows a target can turn the tables — stealing API keys and running code on the operator's own machine, even inside a sandbox.
Forged reasoning attacks: poisoning an agent's own decision logs
A July 2026 paper shows attackers can forge an agent's remembered reasoning — making it believe safety checks already ran — and pairs the attack with a layered detection defense.
Infinite agentic loops: detecting unbounded agent feedback paths
A July 2026 study defines Infinite Agentic Loops and scans 6,549 agent repos, confirming 68 unbounded feedback paths that can drive cost exhaustion, model DoS and runaway context growth.
WebMCP tool surface poisoning: hijacking agents mid-session
A June 2026 paper shows a compromised third-party script can swap or reframe the tools a WebMCP agent sees during a live session, driving malicious tool calls at up to 100% success.
AgentCanary: a security benchmark for agents in real executable environments
A June 2026 framework from Ant Group tests 12 LLM agents in real, stateful tool environments and finds they often fail to recognize the attacks they face — especially poisoned skills and long-horizon chains.
Cross-model prompt laundering: a refusal that doesn't survive the handoff
In multi-agent stacks, one model's output becomes another model's user turn. A July 2026 finding shows the second model never learns the first already refused — so it complies.
FlowSteer: steering multi-agent workflow formation with a single prompt
A May 2026 paper shows a prompt-only attacker can bias how a planner-executor multi-agent system builds its workflow, lifting malicious success by up to 55% before any agent runs.
The Misattribution Gap: memory poisoning that gets blamed on the model
A single policy-formatted document, uploaded once to an agent's shared memory, produces violations that look exactly like model misalignment — so teams retrain the model and leave the attack untouched.
STAC: chaining benign tool calls to jailbreak AI agents
A research framework shows that a sequence of individually harmless tool calls can steer an agent into a harmful final action — bypassing frontier safety with over 90% success.
The visual confused deputy: when a computer-using agent clicks the wrong button
A March 2026 paper formalizes CUA perception failures as a security class. An 8-line screenshot swap can turn a routine click into privilege escalation — and a guardrail outside the agent's eyes helps.
vm2 sandbox escapes turn agent prompt injection into host RCE
A 2026 wave of escapes in vm2 — the Node.js library many agent frameworks use to run LLM-generated JavaScript — lets a prompt injection break out of the sandbox and run commands on the host.
Claude Cowork sandbox: a disputed root escape and the local-code-execution debate
Researchers published a chain on 1 July 2026 that reaches root inside Claude Cowork's Linux sandbox and strips its network limits. Anthropic declines to call it a vulnerability because it needs prior host access.
Cline's Kanban server: a cross-origin WebSocket hijack path to RCE
A May 2026 disclosure shows Cline's local Kanban WebSocket server ships with no origin check — any website a developer visits can read the workspace and inject commands into a running agent.
Runtime governance for AI agents: the five-plane reference architecture
A June 2026 paper argues agent risk now lives inside the workflow, not at the data boundary, and proposes a five-plane architecture: adjudicate intent once, enforce it across four planes.
How context compaction silently drops an agent's safety rules
A June 2026 benchmark shows that summarizing an agent's history to save tokens can quietly delete in-context policy rules, pushing tool-call violations from 0% to as high as 59%.
Long-horizon agents need propagation-aware security, not single-step defenses
A June 2026 paper maps how attacks in long-horizon AI agents propagate across memory, tools and planning — and persist over many steps, where single-step defenses fail.
Multi-agent code generation: when injected instructions amplify across agents
In agent teams that write software, a single injected instruction doesn't fade across hops. 2026 research shows trusted intermediaries can reformat it and make it stronger, reaching high jailbreak rates.
BioShocking: framing a task as a game makes AI browsers leak credentials
LayerX's BioShocking technique convinces agentic browsers they are inside a game, so they apply game logic instead of safety logic — and hand over user credentials.
mcp-pinot: an unauthenticated MCP server as a confused deputy
A June 2026 disclosure shows an Apache Pinot MCP server that bound to 0.0.0.0 with OAuth off, letting any network-adjacent caller run its privileged database tools.
Poisoning what a web agent remembers: triggered attacks on multimodal memory
A June 2026 paper shows web agents that store past observations in graph memory can be poisoned so a later visual trigger recalls attacker content and steers the agent — persistent and reusable across goals.
One compromised robot can cascade unsafe actions across an LLM robot team
A first study of LLM-controlled multi-robot teams shows that manipulating a single entry robot can propagate unsafe actions to the whole fleet through inter-robot communication.
OEP: poisoning self-evolving agents with clean edge cases
A May 2026 study shows a low-privilege attacker can corrupt a self-evolving agent's learned rules with benign, locally correct edge cases — over 50% attack success on GPT-4o, and robust against current defenses.
When the pentest bites back: attacking the tools that red-team for you
A June 2026 study shows autonomous offensive-security agents can be turned against their operators. A malicious target stages a fake tool the agent runs itself — no prompt injection needed — for near-deterministic code execution.
IDEsaster: when base IDE features become agent RCE primitives
Ari Marzouk disclosed a vulnerability class where prompt injection drives AI coding agents to weaponize the underlying editor's own legacy features — reaching data exfiltration and RCE across nearly every AI IDE.
Lingering authority: revoking coding-agent capabilities after a task closes
A June 2026 study names a quiet failure mode: coding agents keep tool authority long after the subgoal that needed it closed. A reference monitor that revokes those capabilities stops stale-write abuse.
MOSAIC-Bench: coding agents build exploitable code from innocuous tickets
A May 2026 benchmark shows coding agents pass per-prompt safety checks yet assemble exploitable code when a malicious goal is split into routine engineering tickets — and reviewer agents wave it through.
When agents move from reading to acting: MCP tool-description poisoning
Microsoft Incident Response (June 30, 2026) shows how a silently edited MCP tool description can steer an action-taking agent into exfiltrating data — no prompt, no credential, no user involvement.
Amazon Q auto-ran a repo's MCP config, exposing developer cloud keys
Wiz disclosed (June 26, 2026) that Amazon Q Developer auto-launched MCP servers from a repo config file with no consent, so opening a malicious project could run code and steal cloud credentials.
DuneSlide: prompt injection escapes Cursor's terminal sandbox to RCE
Cato AI Labs disclosed two critical flaws in Cursor's auto-run sandbox on July 1, 2026. A single poisoned prompt overwrites the sandbox helper binary and turns a locked box into full code execution — zero click.
GuardFall: coding-agent command guards inspect text the shell rewrites
Adversa AI's GuardFall (June 30, 2026) bypassed the safety filter in 10 of 11 open-source coding agents by exploiting a decades-old gap: the guard checks raw command text while bash expands and rewrites it before running.
OWASP ASI03: when an agent inherits more identity than it should
Identity & Privilege Abuse is the #3 risk in OWASP's Top 10 for Agentic Applications. Agents rarely get their own identity — they inherit yours, accumulate permissions, and hold tokens that outlive the task.
Agent communication-graph metadata leaks the workflow before it runs
A June 5, 2026 arXiv paper shows that even with encrypted payloads, the A2A/MCP communication graph lets a passive observer predict an agent workflow's task class from its opening — and act before it completes.
Over-privileged tool selection: agents reach for stronger tools than the task needs
A June 2026 paper and its benchmark ToolPrivBench show that mainstream LLM agents routinely pick higher-privilege tools when a weaker one would do — and that safety alignment does not fix it.
Agent-Inflicted Damage: when AI agents wreck production with no attacker
Cyera's May 2026 study of 7,200+ AI incidents isolates 344 cases of agent-inflicted damage — 188 with no external attacker — where autonomous agents deleted databases, leaked secrets and burned budgets.
WAAA: how agentic browsers resurrect classic web attacks
A May 2026 paper builds the first web-focused threat model for agentic browsers and shows that 10 long-mitigated web attacks come back — often amplified — because the agent is a confused deputy that cannot tell a task step from a web trap.
AutoJack: a browsing agent turns a malicious webpage into host RCE
Microsoft's June 18, 2026 AutoJack research shows a web-browsing AI agent inheriting localhost identity to reach a local MCP WebSocket and spawn arbitrary processes on the host.
CVE-2026-32211: missing authentication in Azure MCP Server
Microsoft disclosed CVE-2026-32211 on 2 April 2026 — a missing-authentication flaw in Azure MCP Server that lets an unauthenticated attacker disclose information over the network. Microsoft scored it 9.1; NVD, 7.5.
CVE-2026-0755: command injection and file theft in gemini-mcp-tool
A June 18, 2026 advisory details how the popular gemini-mcp-tool let untrusted prompt input reach the shell and the Gemini CLI @file parser — CVSS 9.8 RCE and arbitrary file exfiltration, fixed in 1.1.6.
Overeager Coding Agents: Out-of-Scope Actions on Benign Tasks
Two May 2026 benchmarks measure coding agents that overstep on benign requests — deleting files, wiping credentials — and find the agent framework, not the model, drives the risk.
Sleeper Memory Poisoning: dormant attacks on stateful LLM agents
A May 2026 paper shows attackers can plant fabricated 'memories' through a document or webpage that lie dormant, then steer an assistant's actions across many later sessions.
Tool selection hijacking: forcing an agent to pick the attacker's tool
An NDSS 2026 attack and an April 2026 IBM paper target the same blind spot: the step where an agent chooses which tool to call. Poison the catalog and the agent picks yours, with 70–100% success.
Stored prompt injection: when an injection outlives the session
A June 2026 arXiv paper reframes prompt injection as a stored, cross-session problem: once adversarial text lands in an agent's persistent state, it can steer executions long after the attacker is gone.
MemPoison: backdooring agent memory through ordinary conversation
A May 2026 arXiv paper plants a triggerable backdoor in an LLM agent's long-term memory just by chatting with it — and is engineered to survive the selective extraction and rewriting stages meant to filter poisoned content.
NRT-Bench: multi-turn red-teaming of LLM agents that run a plant
A June 18, 2026 benchmark puts LLM operator agents in a simulated nuclear control room. Adaptive multi-turn attacks pushed the team past a safety limit in 8.7-12.1% of sessions — and the failures barely overlap across models.
Vertex AI 'Double Agents': over-privileged service agents as a cloud escalation path
Unit 42 showed (31 March 2026) that a Vertex AI Agent Engine deployment exposes an over-scoped service-agent credential via the metadata service — turning a misconfigured agent into a path to read every bucket in the project.
Agent libOS: make the runtime, not the tool wrapper, the authority boundary
A June 2, 2026 arXiv paper argues most agent frameworks conflate tool visibility with resource authority — and proposes a library-OS runtime where capability checks live at primitive boundaries, not in tool wrappers.
Authority confusion: why tool-using agents misuse their own access
A May 2026 paper names a failure mode distinct from prompt injection: untrusted data should inform an agent's reasoning but never authorize side effects. AIRGuard enforces that line at action time.
CVE-2026-26268: Cursor's agent turns a git checkout into code execution
A malicious repo hides a bare Git repository with an automatic hook. When Cursor's AI agent runs git checkout to 'explain the codebase', the hook fires — arbitrary code execution on the developer's machine, no approval prompt. Patched in Cursor 2.5.
MCP Go SDK CSRF: a web page can trigger your local tools (CVE-2026-33252)
The official MCP Go SDK accepted cross-site browser POSTs without checking the Origin header. On an unauthenticated local server, any website you visit could invoke your tools. Patched in 1.4.1.
CVE-2026-26030: prompt injection becomes RCE in Microsoft Semantic Kernel
Microsoft's AI Red Team showed two Semantic Kernel flaws that turn a single injected prompt into host code execution. The lesson: any tool parameter the model can influence is attacker-controlled input. Patched May 7, 2026.
SkillAttack: automated red-teaming finds exploits in agent skills
An April 2026 paper, SkillAttack, reframes exploit discovery as a path-search problem and shows even well-intentioned agent skills are reachable — up to 0.93 attack success on adversarial skills.
User-mediated attacks: when the user is the injection channel
A January 2026 study of 12 commercial agents shows attackers don't need to touch the agent. They trick a benign user into forwarding poisoned content — which the instruction hierarchy then promotes to trusted user intent. Default bypass rates topped 92%.
Browser agents leak their model identity through how they click
A May 14, 2026 paper shows the on-page actions of an LLM browser agent fingerprint the underlying model with up to 96% accuracy across 14 frontier models — no spoofable headers needed.
AI Agent Traps: DeepMind's six-category map of how the web hijacks agents
Google DeepMind's 'AI Agent Traps' paper (SSRN, late March 2026) gives the first systematic taxonomy of adversarial web content that targets an agent's perception, reasoning, memory, action, multi-agent dynamics, and human overseer.
SearchGEO: making LLM search agents endorse attacker-published pages
A June 15, 2026 arXiv paper measures how attacker-controlled web content gets turned into an agent's endorsed recommendation — attack success ranges from 0% to 31.4% depending on the backend model.
ShadowMerge: poisoning graph-based agent memory by colliding relations
A May 2026 paper poisons graph-based agent memory with relations that share a real anchor and channel but carry a conflicting value — reaching 93.8% attack success on Mem0 while input-side filters miss it.
Zombie agents: when a self-evolving LLM agent stays compromised across sessions
A one-time indirect injection observed during a benign session can be written to an agent's long-term memory and later replayed as instruction — turning a transient prompt into persistent control. Attack paper dated February 2026, defense (CAMS) May 2026.
AI coding agents: attackers go for the credential, not the model
Six 2026 exploits against Codex, Claude Code, Copilot and Vertex AI all bypassed model-level defenses and reached the same target — the agent's runtime credentials. The root cause is an identity governance gap, not a prompt problem.
FragFuse: fragmented queries that bypass LLM agent access control
A June 14, 2026 arXiv paper shows a banned request can be split into benign fragments, parked in an agent's long-term memory, then fused at retrieval time — bypassing access controls 86.3% of the time.
Reasoning-extension DoS: when the AI guardrail becomes the attack surface
A June 2026 paper shows a single poisoned document can trap reasoning-based AI guardrails in extended thinking loops, slowing shared agent workflows by up to 148x. The target is availability, not integrity.
LangGraph checkpointers: from SQL injection to RCE on self-hosted agents
Check Point Research chained a SQL injection in LangGraph's checkpointer with an unsafe msgpack deserialization to reach remote code execution. Disclosed June 11, 2026; all three CVEs are patched.
Termination poisoning: trapping LLM agents in unbounded loops
A May 2026 arXiv paper shows that injected prompts can distort an agent's own 'am I done?' judgment, forcing unbounded computation. The LoopTrap framework reports up to 25x step amplification.
Cross-domain multi-agent LLM systems: seven security challenges
A Perspective published June 13, 2026 in npj Artificial Intelligence maps seven security challenges that appear when LLM agents from different organizations collaborate without any shared trust model.
Flowise CVE-2026-41264: LLM-written pandas code that escalates to RCE
A prompt injection in Flowise's CSV Agent makes the model emit Python that escapes a regex denylist and runs OS commands. Disclosed April 15, 2026 and patched in 3.1.0.
CVE-2026-46519: when an MCP server filters tools at display but not at execution
mcp-server-kubernetes enforced its read-only and allow-list controls only in tools/list, never in tools/call. Any client that knew a tool name could run it. A clean lesson in presentation-layer vs execution-layer authorization.
DNS rebinding turns localhost MCP servers into a remote attack surface
A coordinated 2025–2026 disclosure wave hit every major MCP SDK over one root cause: HTTP servers on localhost that skip Host/Origin validation. The latest, CVE-2026-11624 in Google's MCP Toolbox (June 13, 2026), is rated Critical 9.4.
Splunk MCP Server logs auth tokens in clear text (CVE-2026-20205)
Splunk's MCP Server app wrote users' session and authorization tokens unmasked into the _internal index — a CWE-532 secrets-in-logs flaw that turns log access into token theft. Fixed in app v1.0.3.
TOCTOU in AI agents: atomicity violations between observation and action
An old operating-systems bug class resurfaces in agents: the world changes between when an agent looks and when it acts. New 2026 research formalizes it for GUI, browser, and multi-agent systems.
ConVerse: when two agents talk, the stronger one leaks more
A benchmark for agent-to-agent conversations finds privacy attacks succeed up to 88% of the time and security breaches up to 60% — and that more capable models leak more, not less.
Causality laundering: when a blocked tool call still leaks data
An April 2026 paper shows that denying an agent's tool call is not the end of the attack: the denial itself is an information channel. Flat taint tracking misses it.
Claude Code GitHub Action: how the Read tool leaked CI/CD secrets
Microsoft Threat Intelligence found that Claude Code Action's Read tool bypassed the Bash env scrub to reach /proc/self/environ, leaking the runner's ANTHROPIC_API_KEY. Patched in v2.1.128.
Context-Fractured Decomposition: jailbreaks through artifact provenance gaps
A June 8, 2026 arXiv paper formalizes the 'provenance gap' in tool-using agents: harmful behavior assembled from individually innocuous tool actions across time, lifting jailbreak success up to 28.3 points.
Cursor allowlist bypass: shell built-ins poison the environment for RCE
CVE-2026-22708 lets a prompt injection use trusted shell built-ins like export and typeset to poison environment variables in Cursor, turning an approved git or python command into remote code execution. Patched in 2.3.
SABER: coding agents fail operational safety even when they refuse bad prompts
A May 31, 2026 benchmark scores LLM coding agents on the final state of a real workspace, not on prompt refusal. Even the best model leaves a harmful violation in over half of runs.
Memory Control Flow Attacks: when stored memory steers an agent's tools
A March 2026 paper shows poisoned agent memory doesn't just corrupt content — it hijacks the control flow of tool selection, forcing unintended tools and skipped steps in over 90% of trials, across tasks and long after injection.
MS-Agent's shell tool: a regex denylist turns prompt injection into RCE
CVE-2026-2256 lets attacker-controlled content steer ModelScope's MS-Agent into running OS commands. The root cause is a familiar anti-pattern: guarding a shell tool with a regex denylist instead of an allowlist.
OWASP ASI02: when an agent turns its own tools against you
Tool Misuse & Exploitation is the #2 risk in OWASP's Top 10 for Agentic Applications 2026. The danger isn't an agent gaining new tools — it's misusing the ones it already holds, via over-privilege, poisoned descriptors, or unsafe chaining.
Remote MCP servers: 40% unauthenticated, OAuth broken on the rest
A May 2026 arXiv study scanned 7,973 live remote MCP servers: 40.55% expose tools with no authentication, and all 119 OAuth-enabled servers tested carried at least one flaw — 9 CVEs assigned.
Five attacks on x402: when AI agents pay, the cross-layer seams leak
A May 12, 2026 paper formally breaks x402, the HTTP 402 agentic payment protocol. Five attacks across settlement, replay, web handling and discovery — one replayed payment yielded 248 grants on a live endpoint.
CVE-2026-45497: command injection turns Microsoft 365 Copilot into an RCE path
On June 4 2026 MSRC disclosed CVE-2026-45497, a command-injection flaw in Microsoft 365 Copilot rated as remote code execution with a scope change across the service boundary. Fixed server-side.
When an MCP tool argument becomes an Android intent: mobile-mcp's injection sinks
CVE-2026-35394 lets a model-controlled URL fire arbitrary Android intents through mobile-mcp's mobile_open_url tool. Paired with a sibling path-traversal CVE, it shows a pattern: MCP tool arguments flowing unvalidated into platform sinks.
VIPER-MCP: 67 CVEs from taint-style flaws across 40,000 MCP servers
A May 20, 2026 arXiv paper audited 39,884 open-source MCP server repos, confirmed 106 zero-days end-to-end and got 67 CVE IDs assigned. The story is the pattern: untrusted agent input reaching shell, network and file-system sinks.
AIRQ scores 100 production AI agents: 98% carry the lethal trifecta
Adversa AI's June 2026 AI Risk Quadrant rates 100 commercial agents on attack surface, blast radius and defenses. Only 11% are well-defended; tool execution alone explains 76% of blast radius.
Self-propagating agent worms and the temporal re-entry defense
A May 2026 paper formalizes how persistent agent state lets a prompt-injection payload write itself back into the LLM context, propagate across agents zero-click, and proposes RTW-A — a defense proven under a No Persistent Worm Propagation theorem.
Tool poisoning across 7 MCP clients: a comparative security posture
A March 2026 empirical study tests four tool-poisoning attacks against Claude Desktop, Claude Code, Cursor, Cline, Continue, Gemini CLI and Langflow — and finds most protection comes from the model, not the client.
Authorization propagation: the agent security gap prompt-injection fixes won't close
A May 6, 2026 paper by Krti Tallam argues multi-agent systems have a distinct authorization-propagation problem — transitive delegation, aggregation inference, temporal validity — that survives even a perfect prompt-injection defense.
ClawTrojan: stored prompt injection becomes a persistent agent backdoor
A May 29, 2026 arXiv paper shows injection hidden in a file can be stored by a local agent and run later — reaching 95.5% attack success where single-turn injection scores near zero.
Opus 4.8's system card puts a number on browser-agent prompt injection: 31.5%
Anthropic's May 28, 2026 Claude Opus 4.8 system card reports a 31.5% pre-safeguard hijack rate for its browser agent — the only concrete prompt-injection metric a frontier lab published this spring.
CVE-2026-30615: prompt injection rewrites Windsurf's MCP config into RCE
OX Security's April 15, 2026 advisory shows how attacker-controlled content can make the Windsurf IDE register a malicious MCP STDIO server and run commands — with no user click. The class spans coding agents, but Windsurf got the CVE.
Brittle agents: indirect injection survives multi-step tool calls
An April 4, 2026 paper tests 6 defenses against 4 indirect-injection vectors across 9 LLM backbones in multi-step agents — advanced injections bypass nearly all of them, and some surface mitigations backfire.
Langroid SQLChatAgent: prompt-to-SQL injection escalates to RCE (CVE-2026-25879)
Disclosed June 1, 2026, CVE-2026-25879 (CVSS 9.8) lets a prompt-injected SQL agent run dialect-specific primitives like COPY FROM PROGRAM, turning a chat box into code execution on the database host.
MCP sampling: how malicious servers abuse the reverse LLM channel
MCP's sampling feature lets a server ask the client's model for completions. Unit 42 showed (Dec 2025) how a malicious server turns that reverse channel into covert tool calls, conversation hijacking, and compute theft.
Just ask the bot: Meta's AI support assistant and the Instagram takeovers
Over the May 30–31, 2026 weekend, attackers hijacked high-profile Instagram accounts by asking Meta's AI support bot to relink an account email. No prompt injection required — only excessive agency.
Stop fixating on the prompt: hijacking an agent's reasoning and memory
An April 2026 paper, JailAgent, drives an agent to malicious tool calls without touching the user prompt — by perturbing its reasoning trace and memory retrieval instead. The prompt was never the whole attack surface.
TrustFall: project MCP settings turn the folder-trust click into RCE
Adversa AI's TrustFall (May 7, 2026) shows four agentic coding CLIs auto-start project-defined MCP servers the moment a developer accepts the folder-trust prompt — one keypress on the dev machine, zero clicks in CI.
CrewAI: a silent sandbox fallback turns prompt injection into RCE (VU#221883)
Four CrewAI flaws let prompt injection chain into RCE, SSRF and file read via a Code Interpreter that silently drops out of Docker. CERT/CC's May 20, 2026 update confirms the full fix.
Flowise CVE-2026-40933: importing a shared chatflow is enough for RCE
Obsidian Security's May 28, 2026 write-up shows how Flowise's Custom MCP node turns a stdio MCP config into server-side code execution — and how merely importing a shared chatflow can trigger it, no save or run required.
Token-drain attacks: economic denial-of-service via agent tool chains
Two 2026 papers show a malicious tool or skill can steer an LLM agent into long tool-calling loops that multiply token cost 6–658× while still returning the right answer — a stealthy take on OWASP's Unbounded Consumption.
SymJack: one approved file copy becomes RCE in six AI coding agents
Adversa AI disclosed on May 26, 2026 a symlink-hijack pattern that turns a single benign-looking shell copy into a config overwrite and host RCE across Claude Code, Cursor, Gemini, Antigravity, Copilot, Grok Build and Codex CLIs.
Blindfold: action-level jailbreaks bypass semantic defenses on embodied LLMs
A SenSys '26 paper (May 11–14, 2026) introduces Blindfold, an automated framework that jailbreaks embodied LLMs by decomposing harmful goals into individually benign actions — up to 53% higher attack success than semantic-level baselines on a real 6DoF robotic arm.
MemMorph: hijacking tool selection in LLM agents through fluent memory poisoning
A May 24, 2026 arXiv paper from NTU Singapore shows three plausible-looking memory entries can steer an agent toward an attacker-chosen tool with 85.9% success — and survive three off-the-shelf defenses.
The agent harness is your real privilege boundary — and most teams draw it in the wrong place
A May 26, 2026 Pillar Security write-up argues the harness — Claude Code, Cursor, Codex — holds the secrets, tools and hooks an agent never sees. Recent harness bugs and CVE-2026-22708 make the case concrete.
Microsoft Copilot Cowork: poisoned skills exfiltrate M365 files with no approval
PromptArmor's May 26, 2026 disclosure shows that a five-line prompt injection inside a Copilot Cowork skill file can leak SharePoint and OneDrive documents through auto-approved Teams messages — no patch closes the design.
Temporal memory contamination: longitudinal safety drift in memory-equipped LLM agents
Three arXiv papers from April and May 2026 converge on a failure mode complementary to memory poisoning — memory-equipped agents drift unsafe as benign context accumulates, with compressed summaries acting as a laundering channel.
Networks of agents break in new ways: Microsoft's red-team, plus RAMPART and Clarity
Microsoft Research red-teamed an internal platform of 100+ always-on agents. Four attack patterns — propagation, amplification, trust capture, proxy chains — show up only at the network level. RAMPART and Clarity, open-sourced May 20, 2026, are the response.
Antigravity find_by_name: when a native tool call jumps over Secure Mode
On April 20, 2026, Pillar Security disclosed that a single unsanitised parameter in Google Antigravity's find_by_name tool turned file search into arbitrary code execution — and bypassed the IDE's strictest sandbox.
ClaudeBleed: when a browser agent trusts the wrong extension
LayerX disclosed ClaudeBleed on May 6, 2026: a trust-boundary flaw let any Chrome extension drive Claude in Chrome and exfiltrate Gmail, Drive and GitHub data. The first patch was bypassed within hours.
MCP STDIO transport: the design choice that became 11 CVEs and 200,000 exposed agents
On April 16, 2026, OX Security disclosed that Anthropic's MCP STDIO transport executes any OS command it is handed. Anthropic called it 'by design'. The cascade has produced eleven downstream CVEs in six weeks.
When prompts become shells: prompt injection escalates to RCE in agent frameworks
Two CVEs in Microsoft Semantic Kernel and four in CrewAI — all disclosed in early 2026 — turn a single injected prompt into remote code execution on the host. The pattern is structural, not incidental.
Poison once, exploit forever: persistent memory poisoning of LLM agents (OWASP ASI06)
An April 2026 arXiv paper on cross-site memory poisoning and a May 13, 2026 OWASP post on the Cisco MemoryTrap finding against Claude Code converge on the same lesson: agent memory is a trust boundary.
Treating AI agents like operating systems: a CISPA blueprint for isolation and privilege
A May 14, 2026 CISPA paper applies decades of OS security thinking to LLM agents. Tested on four OpenClaw-like systems, two weakness classes — cross-user exfiltration and unauthorized network egress — fail in every single one.
The Lethal Trifecta: when an agent reads private data, untrusted content, and can phone home
Simon Willison's framework for the single architectural mistake that turned 2026's wave of AI-agent data exfiltration vulnerabilities into a class, not a coincidence.
MCP Back-End Vulnerabilities: classic flaws resurface across AI database bridges
Akamai's May 12, 2026 research found SQL injection (CVE-2025-66335), missing authentication, and unsanitised inputs across three MCP servers — Apache Doris, Apache Pinot, and Alibaba RDS. The pattern, not the bugs, is the story.
Semantic Kernel: when a prompt becomes a shell (CVE-2026-25592, CVE-2026-26030)
Microsoft disclosed two critical vulnerabilities in Semantic Kernel on May 7, 2026 that turn a single injected prompt into host-level code execution. The root cause is architectural: tool registries and eval() treated as features, not security boundaries.
Trust No Tool: cognitive poisoning of LLM agents through tool feedback
A May 17, 2026 arXiv paper introduces 'cognitive poisoning' — a malicious tool that wins the agent's trust over many benign-looking turns and only weaponises the final action. The defence target shifts from prompts to trajectory.
CVE-2026-35435: Azure AI Foundry's M365 published agents trusted callers they shouldn't have
Disclosed May 7, 2026 (CVSS 8.6), an improper access-control flaw in Azure AI Foundry let unauthorized attackers elevate privilege through M365 published agents. Microsoft reports active exploitation; mitigations are available before a patch.
Azure SRE Agent: a multi-tenant token check that let strangers watch your incidents (CVE-2026-32173)
Disclosed April 20, 2026, an Entra ID app-registration misconfiguration on Azure SRE Agent's /agentHub WebSocket let any tenant connect, listen to every prompt, reasoning step, CLI command and credential — silently.
Claw Chain: four OpenClaw CVEs that turn an AI agent into the attacker's hands
Disclosed May 15, 2026, Cyera Research's Claw Chain chains four patched OpenClaw flaws — sandbox escape, env-var disclosure, MCP loopback EoP, symlink read escape — into full host takeover via the agent itself.
Comment and Control: one prompt injection pattern, three vendors leaking GitHub Actions secrets
Disclosed April 15, 2026, Comment and Control turns ordinary PR titles, issue bodies and HTML comments into credential-exfiltration channels in Claude Code, Gemini CLI and GitHub Copilot Agent.
PraisonAI CVE-2026-44338: an unauthenticated agent server, exploited in 3h44
Disclosed May 11, 2026, CVE-2026-44338 ships PraisonAI with authentication hard-disabled in its legacy API server. A CVE-Detector scanner hit the endpoint less than four hours later.
Localhost agent hijack: cross-origin WebSocket attacks on AI coding agents
CVE-2026-44211 (CVSS 9.7), disclosed May 7, 2026, shows how a single visit to a malicious page can hijack an AI coding agent running on a developer's laptop. The attack class is generic — and architectural.
Prompts as shells: when prompt injection becomes RCE in agent frameworks
Two CVEs disclosed in Microsoft Semantic Kernel on May 7, 2026 (CVE-2026-25592, CVE-2026-26030) show how a single injected prompt can pivot from text to remote code execution on the agent's host.