◈ AI Security Intelligence ← Daily feed
Vulnerability  ·  2026-06-29

Agentjacking — MCP Sentry Indirect Prompt Injection Achieves Arbitrary Code Execution in AI Coding Agents (85% Success Rate, 2,388 Orgs Exposed)

VulnerabilityHigh impactGlobal
What happened
Tenet Security disclosed on June 12–23, 2026 a novel attack class called 'Agentjacking': an attacker submits a crafted fake error event to a target's public Sentry DSN — no authentication beyond the DSN is required — embedding shell commands disguised as resolution guidance inside the error payload's markdown. When a developer asks their AI coding agent (Claude Code, Cursor, Codex) to 'fix Sentry issues,' the agent reads the malicious event via the Sentry MCP server, treats attacker-injected instructions as authoritative guidance, and executes the command with the developer's full privileges. The attack bypasses EDR, firewalls, VPNs, and IAM entirely because every action is individually authorized. In controlled tests Tenet achieved an 85% success rate across all three agents; they identified 2,388 exposed organizations, including Fortune 100 firms. Cloud Security Alliance published a formal research note within days; the NSA had pre-warned about this class in May 2026 MCP security guidance.
Why it matters
This is a structurally novel, effectively un-patchable indirect prompt injection class that converts any publicly accessible MCP data source whose content is not cryptographically authenticated into an arbitrary code execution vector. All AI coding agents that consume MCP telemetry are generically affected — not a single vendor, not a single CVE — meaning the blast radius is every organization that uses Claude Code, Cursor, or Codex with Sentry (or analogous observability) MCP integrations. Credentials exfiltrated include AWS keys, GitHub tokens, git secrets, and private repository URLs.
Attack vector
Attacker POSTs a crafted Sentry error event containing injected shell instructions to the target's public DSN; agent fetches the event via MCP on next 'fix errors' task and executes the embedded command with developer-level privileges
Affected systems
Claude Code (all versions with Sentry MCP), Cursor (all versions with Sentry MCP), OpenAI Codex (all versions with Sentry MCP); any AI coding agent consuming unauthenticated MCP data sources
Mitigation
Disable auto-execution in coding agents; require human approval for all tool-invoked commands; treat all MCP-sourced data as untrusted input; deploy Tenet Security's open-source hardening config 'agent-jackstop' (https://github.com/tenet-security/agent-jackstop). Vendor advisory: https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
Sources
Tenet Security — Agentjacking: Coding Agents with Fake Sentry Errorsdbugs / PT Security — New Agentjacking Attack Targeting AI Agents (2026-06-23)Secure AI Atlas — MCP Security: When Protocol Becomes Attack Vector (2026-06-22)Swarmnetics — Agentjacking Attack Exposes Critical Trust Flaw in AI Coding Agents (2026-06-23)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →