DEV Community

Cover image for We called AVE "the CVE for AI agents." A Reddit commenter told us that was wrong. They were right
Saray Chak for Bawbel

Posted on

We called AVE "the CVE for AI agents." A Reddit commenter told us that was wrong. They were right

A few weeks ago someone left this comment on my post about AVE:

"It looks to me like you're listing common (agentic) weaknesses (CWEs) or 'Threat Patterns' and not 'vulnerabilities'. Those are intended to be specific to concrete artifacts."

ApfelbaumFlo was correct. I want to explain exactly why, because it matters for how you use AVE.

CVE vs CWE — what the distinction actually means

CVE (Common Vulnerabilities and Exposures) identifies a specific flaw in a specific product at a specific version. CVE-2024-0519 is a V8 engine flaw in Chrome versions below 120.0.6099.129. It has an affected product. It has a version range. There is a patch. You can check whether you are running the vulnerable version.

CWE (Common Weakness Enumeration) identifies a class of weakness that can appear in any codebase. CWE-79 is Cross-Site Scripting. It is not tied to one product. Thousands of CVEs reference it. A scanner that detects XSS detects the CWE class, and each individual instance found in a specific product becomes a CVE.

An AVE record describes a behavioral class — what a dangerous agentic component does, not what product version it appears in. AVE-2026-00002 (Tool Poisoning via Description Manipulation) describes a behavior: a tool description contains instructions targeting the agent rather than describing what the tool does. That behavior appears in infinitely many skill files and MCP servers. There is no version range. There is no patch. The threat is behavioral.

That is CWE-shaped, not CVE-shaped. ApfelbaumFlo was right.

Why this matters practically

The CVE framing created a wrong expectation: if AVE is CVE-shaped, where are the per-product disclosures? Why does AVE-2026-00002 not name a specific MCP server? Why is there no CPE?

The CWE framing creates a correct expectation: AVE records are the classification layer. A scanner detects an instance of AVE-2026-00002 in your skill file the same way a SAST tool detects an instance of CWE-79 in your web app. The record defines the class. The scanner finding is the instance.

This also explains why AVE has 51 records and is unlikely to grow to thousands. CWE has approximately 900 entries covering decades of software weakness research. AVE is building the equivalent for agentic AI — a much newer, narrower domain. 51 to 65 records is the right target, not 5,000.

What MITRE has, and what it is missing

MITRE's CWE catalog has CWE-1446: "Weaknesses That are Specific to AI/ML Technology." It currently contains four entries:

  • CWE-1426: Improper Validation of Generative AI Output
  • CWE-1427: Improper Neutralization of Input Used for LLM Prompting
  • CWE-1434: Insecure Setting of Generative AI/ML Model Inference Parameters
  • CWE-1039: Inadequate Detection of Adversarial Input Perturbations

These are model-level weaknesses. They describe what goes wrong inside the LLM — output quality, prompt handling, parameter configuration.

MITRE's own documentation on CWE-1446 explicitly says: "As of CWE 4.20, it is still difficult to distinguish common AI/ML related attacks from the underlying weaknesses. The CWE AI Working Group has had many discussions about this general topic... This category is likely to be updated frequently in future versions. See Research Gaps."

The agentic execution layer — tool descriptions, MCP server manifests, skill files, agent delegation chains, OAuth discovery documents, toolchain registration — has zero coverage in CWE-1446. That is the gap AVE's 51 records address.

What changed in our framing

We updated ave.bawbel.io and the bawbel/ave repo to use what we call "own-terms framing." The new headline:

"The behavioral classification standard for agentic AI components."

No borrowed brand. No CVE analogy. AVE describes what it is: a classification standard, behavioral in nature, for the agentic AI attack surface.

The CWE comparison is still useful as an explanation — "AVE plays a similar role for agentic AI to what CWE plays for traditional software" — but it is an explanation, not an identity.

What this means if you run a scanner

If you are building or maintaining a scanner that detects agentic AI threats, AVE is designed to be the shared vocabulary layer. Adding ave_id to your finding output is a single JSON field. The implementer guide covers three consumption patterns:

  • Runtime API: GET https://api.piranha.bawbel.io/ave/{ave_id} returns the full record at scan time
  • Bundled offline: download ave-records-v1.1.0.json and bundle it for air-gapped environments
  • ID-only: emit just the ave_id field and let the consuming SIEM resolve it downstream

Full guide: https://github.com/bawbel/ave/blob/main/docs/specs/ave-implementer-guide.md

What is next

We are reaching out to scanner maintainers with crosswalk packages — a pre-built mapping from your rule IDs to AVE IDs — to reduce the integration cost to near zero.

We are also engaging with the MITRE CWE AI Working Group and the OWASP AST10 project as the right institutional path for a behavioral classification standard.

If you are building in this space and want to discuss the crosswalk for your tool, open an issue at https://github.com/bawbel/ave or email bawbel.io@gmail.com.

The registry: https://ave.bawbel.io/registry.html
The GitHub repo: https://github.com/bawbel/ave
The threat intel API: https://api.piranha.bawbel.io

Top comments (0)