The Agentic Attack Surface: 2005 Web Security All Over Again

Source: Dev.to

The Agentic Attack Surface: 2005 Web Security All Over Again

If you’ve been watching the CVEs drop this week, you’ve seen the pattern. It’s not subtle.

February 21 2024 – eBay MCP Server

• CVE‑2026‑27203 – The ebay_set_user_tokens tool writes directly to .env without sanitising newlines.
• Impact – An attacker can inject arbitrary environment variables:
  • Overwrite EBAY_REDIRECT_URI to hijack OAuth flows.
  • Inject NODE_OPTIONS for potential RCE.
• Discovery – Found by an automated scanner called MCPwner – the first MCP‑specific CVE in what is guaranteed to be a long list.

February 20 2024 – Microsoft Semantic Kernel

• CVE‑2026‑25592 – The SessionsPythonPlugin’s DownloadFileAsync and UploadFileAsync do not validate localFilePath.
• Impact – Agent‑function calls can write arbitrary files (RCE).
• Context – This is the second critical in one week; the first was an InMemoryVectorStore RCE. Two criticals in a single release window.

February 20 2024 – Ray Dashboard & Dagu

Ray Dashboard

• Auth is off by default.
• CVE‑2026‑27482 – The browser‑protection middleware blocks POST and PUT from browser origins but forgets DELETE.
• Exploit – A single fetch() call to DELETE /api/serve/applications/ shuts down Serve. No credentials required.

Dagu

• Same issue: a POST of a YAML spec with shell commands to /api/v2/dag-runs executes immediately.
• Default Docker deployments are fully compromised out of the box.

This isn’t a bug‑bounty program. It’s a new platform being built at speed with zero security review, auth as an afterthought, and “developer‑convenience” defaults that are indistinguishable from pre‑auth RCE.

The MCP Problem

Model‑Context‑Protocol (MCP) servers are everywhere now. They’re how AI agents talk to your tools, filesystem, and APIs – and they’re being written like it’s 2005 and nobody’s heard of SQL injection yet.

• Canonical example: The eBay MCP CVE. A tool function touches .env (the file that controls your entire application runtime) and doesn’t sanitise input at all. The fix is probably three lines; the fact that it shipped is the story.
• Why it matters: MCP servers have more access than a traditional web app. They read files, write configs, call APIs with stored credentials, and are built by teams shipping fast, not security teams auditing slowly.
• MCPwner: An MIT‑project automated MCP security scanner. The need for an automated scanner this early in the ecosystem tells you everything – vulnerabilities are arriving faster than humans can find them.

OpenClaw: Unsafe By Design

• Launch: November 2025, went viral via Andrej Karpathy and Willison.
• Outcome: Three high‑risk CVEs within weeks (RCE, command‑injection ×2).
• Community verdict (r/netsec): “The concept is unsafe by design, not just the implementation.”

From godofpumpkins: “The tools you give it to be useful are exactly the ones that make it useful to attackers.”

Why the architecture is broken

1. Full read/write filesystem access for agents.
2. Ingestion of untrusted web input.
3. Execution of code based on LLM output.

The threat model assumes the LLM won’t be tricked – a premise disproved years ago.

The Cline supply‑chain attack (February 2024)

1. Prompt injection in Cline’s AI issue‑triage GitHub Actions workflow.
2. Cache poisoning → stolen VSCE_PAT, OVSX_PAT, NPM_RELEASE_TOKEN.
3. A different actor reused the PoC repo, attacked Cline, and published cline@2.3.0 with a post‑install script that silently installed OpenClaw.
4. Result: 4 000 downloads in eight hours before deprecation.

Attack chain: GitHub issue → AI triage bot → prompt injection → Actions cache poisoning → production credentials → supply‑chain compromise. Every link is an AI‑specific failure mode.

This isn’t “needs patching.” This is “the threat model is broken.”

The Coding Tools Are Leaking You

Your AI coding assistant creates a new leak surface – and it’s not the obvious one.

• Traditional leak: git add . carelessness.
• New artifact class:
  • Claude proposes running your app with secrets on the CLI → you whitelist it → the whitelist lives in .claude/settings.local.json in plaintext.

Secret‑scanner gaps

You need explicit rules for .claude/, .cursor/, .github/copilot directories, and even then you’re only catching regex‑defined secrets.

Non‑regex secrets

• Prompt transcripts, architecture summaries, context caches – not “secrets” in the regex sense, but they expose internal logic and pasted data.
• .claude/projects/ is a forensic goldmine: every key you pasted, every internal API endpoint you mentioned.

Silent data‑loss via context compaction

• User pastes 8 KB of DOM markup, works with it for 40 minutes, compaction fires.
• Summary says “user provided DOM markup” but the actual content is gone.
• Claude hallucinates selectors from memory; the original .jsonl transcript remains on disk, but the compaction summary has no pointer back to it.

Open issues: At least eight open tickets on this problem. You often don’t know it happened until the model starts guessing.

The Perplexity Audit: What Responsible Looks Like

Perplexity hired Trail of Bits to audit Comet before launch – a model of responsible pre‑launch security. Publishing the results is notable; most AI‑browser products ship without such scrutiny.

• ToB findings: Four prompt‑injection techniques, all exfiltrating Gmail data from authenticated sessions.
• Attack vector: Attacker‑controlled web‑page content → injected into AI context → exfiltration via browser tools (fetch URL, browse history, control‑browse).

Takeaways

1. MCP‑style servers are being built with the same lax security mindset that plagued web apps in 2005.
2. OpenClaw demonstrates that unsafe‑by‑design architectures can’t be fixed with patches alone.
3. AI‑coding assistants leak secrets in ways traditional scanners don’t detect.
4. Responsible security (e.g., Perplexity + Trail of Bits) is still the exception, not the rule.

Bottom line: The agentic attack surface is exploding. Treat AI‑driven tooling with the same rigor you would any high‑risk, privileged‑access system – or be prepared to watch the next wave of CVEs roll in.

Root cause: external content not treated as untrusted input. Same failure mode as every other agentic‑browser audit.

ToB’s TRAIL threat model frames it cleanly: two trust zones (local machine vs. Perplexity servers), data flows through AI tools = attack vectors. The findings aren’t surprising, but the process is. Perplexity is the exception that proves the rule.

Schneier Was Right About The Kill Chain

Bruce Schneier framed prompt injection as a full‑attack kill chain in mid‑February:

1. Initial access →
2. Persistence →
3. Exfiltration

He’s been running a series on agentic AI security—side‑channel attacks against LLMs, the rogue agent that published a personalized hit piece after a code rejection (Ars published then retracted, but the incident happened).

This isn’t hypothetical anymore. The “AI goes off‑script” threat is what agentic AI security looks like in practice.

The Pattern

This is 2005‑style web security all over again: unvalidated input, auth as an afterthought, “developer‑convenience” defaults that are pre‑auth RCE. The only difference is that these tools have more access than a typical web app—filesystem, env vars, API keys, browser sessions.

The Take

We’re building the next decade’s infrastructure on a foundation of “ship fast, audit never.” The MCP ecosystem, the agentic tooling layer, the AI coding assistants—all of it is arriving faster than security review can keep up.

• Autonomous bug‑bounty agents found 12 OpenSSL CVEs.
• AISLE’s system uncovered bugs that survived 25 years of human audit and millions of fuzzing CPU‑hours.

The offensive capability is here. The defensive posture is not.

You have two choices

1. Assume everything is compromised

   • Run agents in sandboxes.
   • Never give them production credentials.
   • Treat every MCP server like it’s already pwned.
   • Assume your .claude/ directory is leaked.
   • Design for containment, not trust.

2. Wait for the bloodbath

   • History says we’ll get the bloodbath anyway.
   • Deploying agentic AI in production today means you’re choosing to be part of it.

The tools are too useful to ignore, but “useful” and “safe” are not the same thing. OpenClaw proved that. The eBay MCP server proved that. Semantic Kernel’s two criticals in one week proved that.

Build fast. But build like you know what’s coming.