Agentic / MCP
203 entries
Every Agentic / MCP entry VulnWatch has indexed, sorted by publication date.
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
Summary: `appium-mcp`'s `createLocatorGeneratorUI` function interpolates attacker-controlled element attributes — `text...
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
Summary: The `web_url_read` MCP tool in `mcp-searxng` is vulnerable to Server-Side Request Forgery (SSRF) via DNS rebinding bypass. The `as...
SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`
Summary: The `web_url_read` MCP tool in mcp-searxng enforces its 5 MiB response-size limit exclusively by inspecting the...
Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions
Summary: `network-ai`'s `ApprovalInbox` (`lib/approval-inbox.ts`) is a shipped, exported, documented feature — *"a web-accessible approval queue with REST API … and SSE streaming"* (SECURITY.md). I...
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
Summary: The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without...
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
Kozou compiles a PostgreSQL schema into an Admin UI, a REST API, and an MCP server. Several hardening gaps in the bundled HTTP surfaces and the scaffolded dev stack are fixed in **1.8.1**. Issues...
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page...
Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
## Summary `agentic-flow` versions ` /tmp/rce.txt; echo \"" } ``` produces, after interpolation: ``` npx --yes agentic-flow --agent "coder" --task "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo...
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Advisory / Disclosure: Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives. **Target:** Jovancoding/Network-AI (npm `network-ai`), **latest v5.7.1** **S...
Every AI Agent Is an Identity. Most Organizations Don't Treat Them That Way
AI agents can access data, trigger workflows, deploy code, and interact with critical business systems, often with little oversight. Token Security breaks down why AI agents are becoming a new identit...
From Assistive to Agentic: The AI Shift That's Redefining Threat Management
Introduction: The average enterprise security team has 40 or more security tools, giving a lot of visibility into internal telemetry and asset data. But often, these tools are working in silos, gener...
Cisco to Acquire WideField Security to Boost Splunk’s Agentic SOC
WideField will accelerate Agentic SOC capabilities by expanding the lens on threat investigation to include identity, credentials, sessions, and blast radius. The post Cisco to Acquire WideField Secur...
CVE-2026-56075: PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode appro
PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approval_mode to auto, overriding administrator configuration from PRAISON_APPROVAL_M...
CVE-2026-49257: mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and
mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 w...
[Eclipse Theia] Indirect Prompt Injection via Auto-Loaded Workspace Prompt Template Files in AI Chat
In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An...
[Eclipse Theia] Data Exfiltration via Markdown Image Rendering in AI Chat
In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt inj...
[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacke...
AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)
Summary: Two inbound-mail handlers act on a privileged effect without verifying that the sender is the operator, while a sibling handler in the same repo does. The higher-impact one: any external em...
AgenticMail: Cross-agent task authorization bypass in AgenticMail API
Summary: A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to `GET /api/agenticmail/tasks/pending?assignee=`. T...
CVE-2026-46580: In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were auto
In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An...
CVE-2026-44688: In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacke...
CVE-2026-22551: In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP r
In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt inj...
Orphaned AI Agents: How to Find Hidden Access Risks Inside Your Network
If an autonomous AI agent interacts with your company's core intellectual property today, can your security team instantly name the person who authorized it? For most enterprises, the answer is a sim...
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation
Summary: The `multiedit` tool in `src/praisonai/praisonai/tools/multiedit.py` allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected...
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
Summary: The published npm package `praisonai` exports a TypeScript `MCPServer` that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with: ```ts await server.start({ port:...