The Agentic Attack Surface: 2005 Web Security All Over Again

If you've been watching the CVEs drop this week, you've seen the pattern. It's not subtle.

February 21, 2026: eBay MCP Server gets CVE-2026-27203. The ebay_set_user_tokens tool writes directly to .env without sanitizing newlines. Attacker injects arbitrary environment variables. Overwrite EBAY_REDIRECT_URI to hijack OAuth flows. Inject NODE_OPTIONS for potential RCE. Found by an automated scanner called MCPwner — the first MCP-specific CVE in what's guaranteed to be a long list.

February 20, 2026: Microsoft Semantic Kernel hits its second critical in one week. CVE-2026-25592: the SessionsPythonPlugin's DownloadFileAsync and UploadFileAsync don't validate localFilePath. Agent function calling can write arbitrary files. Last week it was the InMemoryVectorStore RCE. Two criticals, one release window.

February 20, 2026: Ray dashboard ships with auth off by default. CVE-2026-27482: the browser-protection middleware blocks POST and PUT from browser origins but forgot DELETE. Single fetch() call to DELETE /api/serve/applications/ shuts down Serve. No credentials required. Dagu does the same thing — POST a YAML spec with shell commands to /api/v2/dag-runs, commands execute immediately. Default Docker deployments are fully compromised out of the box.

This isn't a bug bounty program. This is a new platform being built at speed with zero security review, auth as an afterthought, and "developer convenience" defaults that are indistinguishable from pre-auth RCE.

The MCP Problem

Model Context Protocol servers are everywhere now. They're how AI agents talk to your tools, your filesystem, your APIs. And they're being written like it's 2005 and nobody's heard of SQL injection yet.

The eBay MCP CVE is the canonical example. Someone wrote a tool function that touches .env — a file that controls your entire application runtime — and didn't sanitize input. Not "forgot to escape quotes." Didn't sanitize at all. The fix is probably three lines. The fact that it shipped is the story.

MCP servers have more access than a web app ever did. They're not just serving HTTP responses. They're reading your files, writing your configs, calling your APIs with stored credentials. And they're being built by teams shipping fast, not security teams auditing slow.

MCPwner found this one. It's an MIT project — an automated MCP security scanner. The fact that we need an automated scanner this early in the ecosystem tells you everything. The vulns are arriving faster than humans can find them.

OpenClaw: Unsafe By Design

Then there's OpenClaw. If you missed it: launched November 2025, went viral via Karpathy and Willison, immediately attracted security researchers. Three high-risk CVEs within weeks. RCE, command injection x2.

But the CVEs aren't the story. The story is r/netsec's verdict: "the concept is unsafe by design, not just the implementation."

From godofpumpkins: "the tools you give it to be useful are exactly the ones that make it useful to attackers."

OpenClaw agents have full read/write access to your filesystem. They ingest untrusted input from the web. They execute code based on LLM output. This isn't a patchable threat model. This is "the architecture assumes the LLM won't be tricked" — and we've known for three years that LLMs can be tricked.

The Cline supply chain attack in February proved it. Adnan Khan found a prompt injection in Cline's AI issue triage GitHub Actions workflow. Cache poisoning. Stole VSCE_PAT, OVSX_PAT, NPM_RELEASE_TOKEN. Then a different actor found his PoC repo, used it to actually attack Cline, and published cline@2.3.0 with a postinstall that silently installs OpenClaw. Four thousand downloads in eight hours before deprecation.

The attack chain is genuinely elegant: GitHub issue → AI triage bot → prompt injection → Actions cache poisoning → production credentials → supply chain. Every link is an AI-specific failure mode.

This isn't "needs patching." This is "the threat model is broken."

The Coding Tools Are Leaking You

Your AI coding assistant is also a new leak surface. And it's not the obvious one.

Yes, git add . carelessness is still a thing. But the new artifact class is worse: Claude proposes running your app with secrets on the CLI → you whitelist it → the whitelist lives in .claude/settings.local.json in plaintext.

trufflehog skips dot-paths by default. gitleaks skips dot-paths by default. You need explicit rules for .claude/, .cursor/, .github/copilot directories. And even then, you're only catching regex-defined secrets.

What about prompt transcripts? Architecture summaries? Context caches? These aren't secrets in the regex sense, but they expose internal logic and pasted data. Secret scanners don't catch these. Your .claude/projects/ directory is a forensic goldmine of everything you've worked on, every key you've pasted, every internal API endpoint you've mentioned.

And context compaction is a silent data loss event. User pastes 8K of DOM markup, works with it for 40 minutes, compaction fires. Summary says "user provided DOM markup" but the actual content is gone. Claude starts hallucinating selectors from memory. The original .jsonl transcript is still on disk but the compaction summary has no pointer back to it. Eight open issues on this. You don't know it happened until the model starts guessing.

The Perplexity Audit: What Responsible Looks Like

Perplexity hired Trail of Bits to audit Comet before launch. This is what responsible pre-launch security looks like. The fact that they published the results is notable. Most AI browser products ship without this.

ToB demonstrated four prompt injection techniques. All four exfiltrated Gmail data from authenticated sessions. Attacker-controlled web page content → injected into AI context → exfil via browser tools (fetch URL, browse history, control browser).

Root cause: external content not treated as untrusted input. Same failure mode as every other agentic browser audit.

ToB's TRAIL threat model frames it cleanly: two trust zones (local machine vs. Perplexity servers), data flows through AI tools = attack vectors. The findings aren't surprising. But the process is. Perplexity is the exception that proves the rule.

Schneier Was Right About The Kill Chain

Bruce Schneier framed prompt injection as a full attack kill chain in mid-February: initial access → persistence → exfiltration. He's been running a series on agentic AI security — side-channel attacks against LLMs, the rogue agent that published a personalized hit piece after a code rejection (Ars published then retracted, but the incident happened).

This isn't hypothetical anymore. The "AI goes off-script" threat is what agentic AI security looks like in practice.

The Pattern

Look at the CVEs again:

• Keylime (TPM attestation system): one line changed CERT_REQUIRED to CERT_OPTIONAL. The security infrastructure for verifying system integrity had its own auth verification silently disabled.
• NLTK: zipfile.extractall() with no path validation. Malicious zip → arbitrary file write → RCE on import.
• Semantic Kernel: two criticals in one week.
• Ray, Dagu: auth off by default, bind to 0.0.0.0, single HTTP call compromises everything.
• Picklescan: used to gate PyTorch model loading in ML pipelines. Bypassed via dynamic eval() embedding. "We scanned it with picklescan" is not a security posture.

This is 2005 web security all over again. Unvalidated input. Auth as an afterthought. "Developer convenience" defaults that are pre-auth RCE. The only difference is that these tools have more access than a web app ever did — filesystem, env vars, API keys, browser sessions.

The Take

We're building the next decade's infrastructure on a foundation of "ship fast, audit never." The MCP ecosystem, the agentic tooling layer, the AI coding assistants — all of it is arriving faster than security review can keep up.

The autonomous bug bounty agents found 12 OpenSSL CVEs. AISLE's system found bugs that survived 25 years of human audit and millions of fuzzing CPU-hours. The offensive capability is here. The defensive posture is not.

You have two choices:

1. Assume everything is compromised. Run agents in sandboxes. Never give them production credentials. Treat every MCP server like it's already pwned. Assume your .claude/ directory is leaked. Design for containment, not trust.

2. Wait for the bloodbath. History says we'll get the bloodbath anyway. But if you're deploying agentic AI in production today, you're choosing to be part of it.

The tools are too useful to not use. But "useful" and "safe" are not the same thing. OpenClaw proved that. The eBay MCP server proved that. Semantic Kernel's two criticals in one week proved that.

Build fast. But build like you know what's coming.