Lyrie
Streams
CVE Deep DivesActive ExploitationResearchBreachesLyrie OriginalsAI Threats
SearchMethodology
Get Lyrie →
AI-Security
0 sources verified·11 min read
By Lyrie Research Division·5/11/2026

TL;DR

In a span of roughly six weeks, confirmed CVEs and disclosed vulnerabilities hit nearly every major AI agent framework on the market simultaneously: Google's Antigravity, Claude Code, Microsoft's Agent Governance Toolkit, Azure's SRE Agent, CrewAI, and the Anthropic MCP SDK. The common thread isn't a shared codebase. It's a shared design assumption — that the AI agent layer is logically separate from the operating system layer, and that prompt-level controls are a meaningful security boundary. That assumption is dead. The agentic framework layer must now be treated as critical infrastructure with the same scrutiny applied to hypervisors and kernel modules.

Background: The Year Agents Got Root

The dominant narrative of 2025 was that AI coding agents were transformative productivity tools with uncertain security implications. The dominant narrative of 2026, just five months in, is simpler: they are attack surface.

When an AI agent is granted file read/write permissions, shell execution, and network access — the baseline capability set of any useful coding agent — the security question is no longer "can this model be jailbroken?" The question is "what happens when the model receives a malicious instruction from a document it was told to read?" The answer, demonstrated repeatedly across different vendors, different architectures, and different programming languages in Q1-Q2 2026, is: arbitrary code execution on the host.

This is not a theoretical concern. These are patched or actively patching CVEs, some recognized under Google's Vulnerability Reward Program, some filed with CERT/CC, some appearing on CISA's Known Exploited Vulnerabilities list. The attack class has graduated from research curiosity to production threat.

Technical Analysis: The Cascade

1. Google Antigravity — Sandbox Escape via Native Tool Abuse (Pillar Security, Jan–Apr 2026)

The cleanest illustration of the new threat model came from Pillar Security's disclosure of a critical flaw in Google's Antigravity agentic IDE. The vulnerability lives not in the model, not in the prompt handler, but in a native tool: find_by_name, which wraps the fd file search utility.

Root cause: The Pattern parameter was passed directly to fd without input validation or argument termination (--). This means any value starting with - is interpreted as a flag by fd, not a search string. The critical flag is -X (exec-batch), which causes fd to execute a specified binary against every matched file.

Attack chain:

1. Attacker delivers a prompt injection via any ingested content (a source file pulled from a public repo, a README, a docstring)

2. Injection instructs the agent to create a file in the workspace (an explicitly permitted action) containing the attacker's payload

3. Injection then calls find_by_name with Pattern: "-Xsh" — causing fd to pass matched .orange (or any) files to sh for execution

4. Result: arbitrary shell execution on the host machine

The critical detail: This bypasses Antigravity's Secure Mode, the product's strictest security configuration. Secure Mode was designed to sandbox command operations, restrict network access, and prevent out-of-workspace writes. But find_by_name is classified as a native tool invocation, not a shell command — so it fires before Secure Mode's restrictions are evaluated. The security boundary never sees the call.

Pillar Security confirmed this with a PoC that launches Calculator from within Secure Mode with Auto Execution disabled. Google patched the issue; both the direct and indirect prompt injection variants were confirmed exploitable.

CVE status: Recognized under Google AI VRP; full CVE assignment pending at time of research publication.

2. Claude Code — Shell Deny Rules Silently Break at 50 Subcommands (Adversa AI, April 2026)

Following the leak of Claude Code's ~512,000-line source tree, Adversa AI researchers discovered a critical behavioral flaw: shell command deny rules silently stop enforcing after 50 subcommands have been executed in a session. The deny list — the mechanism by which operators restrict what commands an agent can run — degrades gracefully to no enforcement as subcommand depth accumulates.

Attack implication: An attacker who can keep an agent session alive through legitimate-seeming work can exhaust the subcommand counter and then issue previously blocked commands without any deny-rule evaluation. In agentic workflows where agents run for hours across large codebases, 50 subcommands is well within normal operational territory.

Compounding factor: The same source review identified context poisoning via compaction. When Claude Code compacts its context (a memory optimization for long sessions), attacker-controlled content can influence the compacted summary, potentially carrying malicious instructions forward across context windows.

Severity assessment: High. This is not a model behavior issue; it is a deterministic bug in the enforcement engine. An attacker with control over any content the agent processes can time exploitation to the post-50 window.

3. MemoryTrap — Cross-Session, Cross-User Memory Poisoning (April 2026)

Cisco researcher Idan Habler disclosed the MemoryTrap vulnerability class in Claude Code's memory system. The flaw allows poisoned memory entries created in one session to survive compaction, persist across sessions, and under multi-user or shared-context configurations, infect instructions available to other users' sessions.

Attack scenario: A red teamer on a shared development platform injects a memory entry instructing the agent to exfiltrate API keys to an external endpoint on any subsequent credential-handling task. When a different user's session loads shared project context, the poisoned memory entry is loaded alongside it. The instruction executes on behalf of the second user with no indication to either party.

Why this matters at scale: Enterprise deployments of coding agents frequently involve shared project contexts, common tool configurations, and centralized memory stores for team-wide state. MemoryTrap turns shared agent memory into a lateral movement vector.

4. Microsoft Agent Governance Toolkit — Authentication Bypass (April 2026)

Microsoft shipped its Agent Governance Toolkit with what researchers characterized as authentication primitives containing zero production callers. The governance checks — designed to enforce agent identity, delegation scope, and access boundaries — can be bypassed via caller-controlled input because the enforcement path is never invoked by any actual component in the default configuration.

CVE reference: Disclosed via FlyingPenguin research, tracked internally. CVSS not yet published.

Impact: An agent operating under a restricted identity token can silently escalate to broader access by directly invoking the underlying APIs, bypassing the governance wrapper entirely. In environments deploying Microsoft's agentic stack for enterprise automation (SharePoint, Azure DevOps, M365), this represents a full trust escalation path.

5. Azure SRE Agent — Unauthenticated WebSocket Exposes Live Command Streams (CVE-2026-32173, CVSS 8.6)

The Azure SRE (Site Reliability Engineering) Agent, designed to automate cloud infrastructure operations, shipped with an unauthenticated WebSocket endpoint that exposed live command execution streams. Any Entra ID account holder — including external guest accounts — could subscribe to the stream, observe in real-time what commands the agent was executing on production infrastructure, and in some configurations interact with the stream.

CVSS: 8.6 (High)

CWE: CWE-306 (Missing Authentication for Critical Function)

Affected: Azure SRE Agent deployments before the April 2026 patch

Attack value: Even purely passive access to a live command stream of an SRE agent operating on production cloud infrastructure provides significant intelligence for follow-on attacks: API endpoints, resource names, credential patterns, operational timing, infrastructure topology.

6. CrewAI — VU#221883, Four CVEs Enabling PI→RCE Chain (CERT/CC, 2026)

CERT/CC published VU#221883 covering four discrete CVEs in CrewAI, one of the most widely deployed open-source multi-agent frameworks. The CVEs individually affect the Code Interpreter tool and default configurations; chained, they enable:

  • Step 1: Prompt injection delivered via a task description or tool output
  • Step 2: SSRF to reach internal network resources or cloud metadata endpoints
  • Step 3: Arbitrary file read from the agent's execution environment
  • Step 4: Code execution via the Code Interpreter, resulting in full RCE on the host

Default config note: The vulnerable Code Interpreter configuration is the default for CrewAI deployments. Organizations running CrewAI workflows without explicit hardening are exposed to the full chain.

7. Anthropic MCP SDK — Systemic Command Injection Across the AI Ecosystem (OX Security, April 2026)

OX Security disclosed a systemic command injection vulnerability in Anthropic's MCP (Model Context Protocol) SDK that propagated into at least seven thousand MCP server implementations representing over 150 million combined downloads. The root cause was a single design flaw in the SDK's parameter handling; downstream projects that consumed the SDK without additional validation inherited the vulnerability.

Scale: This is the AI equivalent of a widely-used cryptographic library shipping a broken primitive. The vulnerability surface is not one product — it is an ecosystem.

THN coverage: The Hacker News framed this correctly: MCP has become supply chain infrastructure for the AI ecosystem. A flaw in the SDK is a flaw in every product built on it, in the same way that a flaw in OpenSSL was a flaw in the internet.

8. "Comment and Control" — Three Agents Exfiltrate Secrets via a Single Prompt Injection (VentureBeat, April 2026)

In perhaps the most operationally significant disclosure, researchers demonstrated that Claude Code, Gemini CLI, and GitHub Copilot could all be induced to exfiltrate secrets to an attacker-controlled endpoint via a single "Comment and Control" prompt injection: malicious instructions embedded in code comments within files the agent was asked to review.

Key finding: None of the three vendors publish injection resistance metrics in their system cards. The attack surface is universal and unquantified. An organization deploying any of the three agents against a codebase containing attacker-controlled files — including open-source dependencies — is exposed.

The Structural Problem: Native Tools Are Not Security Boundaries

The Antigravity disclosure makes explicit something that was implicit in every other case above: the tool execution layer in agentic frameworks operates outside the security perimeter that was designed to contain it.

Secure Mode in Antigravity wasn't broken by a bypass. It was bypassed by the architecture — because native tool calls are not shell commands, and Secure Mode only evaluated shell commands. The security control and the attack path were in orthogonal planes.

This is not an Antigravity-specific problem. Any agentic framework that:

  • Grants file write capabilities
  • Grants command execution capabilities
  • Routes tool invocations outside the security evaluation pipeline

...is structurally vulnerable to the same class of attack. The model is not the boundary. The tool is.

IOCs and Indicators

| Indicator Type | Value | Context |

|---|---|---|

| CVE | CVE-2026-32173 | Azure SRE Agent unauthenticated WebSocket |

| CERT Advisory | VU#221883 | CrewAI 4-CVE PI→RCE chain |

| Behavioral | find_by_name with -X pattern flag | Antigravity exploitation |

| Behavioral | Subcommand depth >50 in Claude Code sessions | Deny-rule bypass window |

| Attack class | Indirect prompt injection via ingested files | Cross-vendor |

| Attack class | Memory poisoning via compacted context entries | Claude Code |

| SDK affected | Anthropic MCP SDK (pre-patch) | 150M+ downloads impacted |

Lyrie Take

What we're watching is the crystallization of a threat class that was theorized for two years and is now confirmed in production. The attack surface isn't "AI" in the abstract — it's the specific set of affordances that make AI agents useful: filesystem access, code execution, network calls, and memory persistence.

Every one of those affordances, implemented naively, is an attack primitive. The industry has been shipping them naively. The CVE cascade of Q1-Q2 2026 is the bill coming due.

The vendor response pattern is also instructive. Patches were shipped. But no vendor has published injection resistance metrics, attack surface maps, or formal threat models for their agent runtime. The patches address symptoms. The structural question — "can our tool invocation layer be weaponized by injected instructions?" — remains unasked in most product security programs.

For Lyrie, this validates the core thesis: autonomous systems require a defense layer that treats the model's outputs as untrusted inputs to the security enforcement stack, not as trusted instructions from a controlled process.

Defender Playbook

Immediate (0–7 days):

1. Patch all agentic frameworks. Antigravity, Claude Code, Azure SRE Agent, CrewAI — verify you're on post-disclosure versions. Check CVE-2026-32173 specifically if running Azure SRE Agent.

2. Audit native tool parameter handling. For any in-house or third-party agent tools that wrap CLI utilities, verify that user/agent-controlled input is never interpolated into command arguments without -- termination and strict validation.

3. Disable Code Interpreter in CrewAI unless explicitly required, or restrict to a fully isolated execution environment with no network access.

4. Rotate credentials on any systems accessed by AI agents in the last 30 days. MemoryTrap and Comment and Control may have exposed values in sessions you can't reconstruct.

Short-term (7–30 days):

5. Instrument subcommand depth in Claude Code deployments. Alert at >40 subcommands and enforce session rotation. This is a config/wrapper change, not a vendor patch.

6. Treat all MCP server dependencies as supply chain. Run OX Security's advisory against your MCP server inventory and update any component consuming the pre-patch Anthropic MCP SDK.

7. Implement content-provenance gates for agent ingestion. Any file an agent is asked to read or execute should have a provenance check (author, repo, signing) before entering the agent context. Unsigned/unreviewed content should be quarantined or sandboxed.

8. Audit shared memory stores. In multi-user or multi-session agent deployments, treat agent memory as a shared mutable surface that requires the same access controls as a shared database.

Architectural (30+ days):

9. Adopt zero-trust for agent tool invocations. Tool calls should not be implicitly trusted because they originate from the model. Implement a policy enforcement layer between the model's tool invocation output and the tool's actual execution — log, evaluate, and potentially block each call.

10. Demand injection resistance metrics from vendors. If your agent vendor cannot tell you how they measure prompt injection resistance, what their red-team findings are, and what the expected failure rate is, you do not have enough information to assess the risk.

11. Model-level isolation is not enough. Sandbox the model's execution context. Treat every model output as potentially adversarial-influenced. Build your containment strategy around what the model can do, not what it should do.

Sources

1. Pillar Security — "Prompt Injection Leads to RCE and Sandbox Escape in Antigravity" (2026-04-21): https://www.pillar.security/blog/prompt-injection-leads-to-rce-and-sandbox-escape-in-antigravity

2. CyberScoop — "Vuln in Google's Antigravity AI agent manager could escape sandbox, give attackers RCE": https://cyberscoop.com/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution/

3. Dark Reading — "Google Fixes Critical RCE Flaw in AI-Based 'Antigravity' Tool": https://www.darkreading.com/vulnerabilities-threats/google-fixes-critical-rce-flaw-ai-based-antigravity-tool

4. Adversa AI — "Top Agentic AI Security Resources May 2026" (compiled CVE roundup): https://adversa.ai/blog/top-agentic-ai-security-resources-may-2026/

5. CSO Online — "Azure SRE Agent flaw let outsiders silently eavesdrop on enterprise cloud operations" (CVE-2026-32173): https://www.csoonline.com/article/4161389/azure-sre-agent-flaw-let-outsiders-silently-eavesdrop-on-enterprise-cloud-operations.html

6. CERT/CC — VU#221883 (CrewAI multiple CVEs): https://kb.cert.org/vuls/id/221883

7. OX Security — "MCP Supply Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem": https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

8. VentureBeat — "Three AI coding agents leaked secrets through a single prompt injection": https://venturebeat.com/security/ai-agent-runtime-security-system-card-audit-comment-and-control-2026

9. Straiker AI — "Claude Code Source Leak: With Great Agency Comes Great Responsibility": https://www.straiker.ai/blog/claude-code-source-leak-with-great-agency-comes-great-responsibility

10. Microsoft Security Blog — "When Prompts Become Shells: RCE Vulnerabilities in AI Agent Frameworks" (2026-05-07): https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/

Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.

#AI-agents#prompt-injection#RCE#sandbox-escape#CVE#CrewAI#Antigravity#Claude-Code

Related Articles

originals
CloudZ RAT + Pheno: The Phone Link SMS-OTP Harvest Campaign Bypassing Enterprise MFA
5 min read · 0 sources
originals
UAT-8302: China's 'Shared Arsenal' APT — One Group, Seven Malware Families, Six Allied Clusters
11 min read · 0 sources
originals
When Prompts Become Shells: CVE-2026-25592 & CVE-2026-26030 and the New Attack Surface Every AI Team Is Missing
10 min read · 0 sources