Coinbase AI Agent Prompt Injection, Dolibarr RCE, & WordPress Supply Chain Backdoors
Today's Highlights
This week's top security news features critical vulnerabilities including an AI prompt injection leading to wallet drains on Coinbase AgentKit and an RCE in Dolibarr via a whitelist bypass. We also cover a widespread supply chain attack involving backdoored WordPress plugins.
Coinbase AgentKit Prompt Injection: Wallet Drain, Infinite Approvals, and Agent-Level RCE (r/netsec)
Source: https://reddit.com/r/netsec/comments/1skfumg/coinbase_agentkit_prompt_injection_wallet_drain/
A newly disclosed vulnerability demonstrates a severe prompt injection attack against Coinbase's AgentKit, a framework for AI agents that hold and operate on-chain wallets. The attack allows for a 'wallet drain,' 'infinite approvals,' and 'agent-level RCE,' indicating a complete compromise of the AI agent's capabilities and its interaction with financial systems. This vulnerability highlights the significant risks of integrating AI agents into sensitive applications, particularly those handling financial transactions. The ability to manipulate the agent through crafted prompts into executing arbitrary code or unauthorized transactions underscores the need for robust input validation, sandboxing, and strict permission models for AI components.
The findings, validated by Coinbase, include an on-chain Proof-of-Concept (PoC), emphasizing the practical exploitability and severe implications of such AI-specific security flaws. This incident serves as a stark reminder for developers and organizations deploying AI agents to prioritize security from the ground up, implementing stringent controls to prevent malicious instructions from bypassing intended guardrails and impacting real-world assets. Defensive techniques must focus on isolating AI agent environments and meticulously sanitizing all inputs, treating them as untrusted, especially when agents interact with high-privilege operations or external APIs.
Comment: This case highlights the critical need for robust prompt engineering and sandboxing in AI agents, especially when interacting with financial APIs. The RCE and wallet drain demonstrate that prompt injection isn't just a data exfiltration risk but can lead to direct asset compromise.
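One way to apply the "strict permission model" the entry calls for is a deterministic policy gate that sits between the model and the wallet, so that an injected instruction for an unbounded approval or a transfer to an unknown address is refused before anything is signed. This is an added example, not AgentKit code; the caps, tool names and addresses are constructed placeholders.

```python
"""Policy gate for an AI agent's wallet tool calls (added example, not AgentKit code).

The model's output is untrusted: prompt injection can make it request an
unlimited token approval or a transfer to an attacker-chosen address. A gate
outside the model enforces caps and allowlists before any call is executed.
"""
from dataclasses import dataclass, field

# Constructed sample values; none of these are real addresses or limits.
UINT256_MAX = 2**256 - 1
MAX_APPROVAL = 1_000 * 10**18          # hypothetical per-approval cap (wei-like units)
MAX_TRANSFER = 100 * 10**18            # hypothetical per-transfer cap
ALLOWED_RECIPIENTS = {"0xALLOWED_TREASURY", "0xALLOWED_DEX_ROUTER"}   # placeholders


@dataclass
class ToolCall:
    name: str                      # e.g. "approve", "transfer"
    args: dict = field(default_factory=dict)


def check_tool_call(call: ToolCall) -> tuple[bool, str]:
    """Return (allowed, reason). Denies by default; only known tools pass."""
    if call.name == "approve":
        amount = int(call.args.get("amount", 0))
        spender = call.args.get("spender", "")
        # An "infinite approval" is the uint256 maximum; cap it and every amount.
        if amount == UINT256_MAX or amount > MAX_APPROVAL:
            return False, "unbounded or over-cap approval"
        if spender not in ALLOWED_RECIPIENTS:
            return False, "spender not on allowlist"
        return True, "ok"
    if call.name == "transfer":
        amount = int(call.args.get("amount", 0))
        to = call.args.get("to", "")
        if amount > MAX_TRANSFER:
            return False, "transfer exceeds per-call cap"
        if to not in ALLOWED_RECIPIENTS:
            return False, "recipient not on allowlist"
        return True, "ok"
    if call.name in {"get_balance", "get_price"}:
        return True, "read-only"
    # Any other tool name the model emits (including shell- or exec-style tools
    # it may have been tricked into naming) is refused rather than forwarded.
    return False, f"tool '{call.name}' not permitted"
```

Per-call caps are a floor, not a ceiling: pair them with a per-session spend budget and human confirmation for anything above it.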
CVE-2026-22666: Dolibarr 23.0.0 dol_eval() whitelist bypass -> RCE (full write-up + PoC) (r/netsec)
Source: https://reddit.com/r/netsec/comments/1skazzv/cve202622666_dolibarr_2300_dol_eval_whitelist/
CVE-2026-22666 details a critical Remote Code Execution (RCE) vulnerability in Dolibarr 23.0.0, a popular open-source ERP/CRM. The root cause is a flawed implementation of the dol_eval() function: the $forbiddenphpstrings blocklist is enforced only in blacklist mode. Crucially, the default whitelist mode, intended to be the more secure one, never consults this blocklist, so malicious PHP dynamic callable syntax passes through and executes arbitrary code. This logic error renders the whitelist mechanism ineffective, turning a defensive control into a critical weakness.
The disclosure includes a full write-up and Proof-of-Concept (PoC), providing comprehensive details for security researchers and administrators to understand and verify the vulnerability. The ability to achieve RCE through a whitelist bypass underscores the importance of not only implementing security controls but also ensuring their correct and robust enforcement in all operational modes. Developers maintaining applications with eval() or similar dynamic code execution functions must adopt a zero-trust approach to input validation and perform rigorous security testing to prevent such bypasses, which can lead to complete system compromise.
Comment: This Dolibarr CVE is a classic example of a logic bug in input validation, where an intended whitelist mechanism fails due to incorrect enforcement, leading directly to RCE. Developers must scrutinize how security controls like whitelists are actually applied.
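The bug class is easiest to see as two orderings of the same guard, plus the regression property that would have caught it: a blocklist that is a floor must be evaluated in every mode, not inside one branch. This is an added model of the logic shape, not Dolibarr's dol_eval() code; the forbidden strings, allowed functions and sample expressions are constructed.

```python
"""Mode-dependent blocklist enforcement (added example, not Dolibarr's dol_eval()).

gate_weak() reproduces the shape of the bug described above: the blocklist is
consulted only in the "blacklist" branch, so the default "whitelist" mode never
sees it. gate_fixed() applies the blocklist before any mode-specific logic.
"""
import re

# Constructed lists; Dolibarr's real $forbiddenphpstrings is not reproduced here.
FORBIDDEN_STRINGS = ("shell_exec", "system(", "passthru", "eval(", "$$")
ALLOWED_FUNCTIONS = {"round", "min", "max", "strtoupper"}


def _calls_only_allowed_functions(expr: str) -> bool:
    """Every identifier directly followed by '(' must be an allowlisted function."""
    return all(name in ALLOWED_FUNCTIONS
               for name in re.findall(r"([A-Za-z_]\w*)\s*\(", expr))


def gate_weak(expr: str, mode: str = "whitelist") -> bool:
    """Buggy ordering: the blocklist is consulted only in blacklist mode."""
    if mode == "blacklist":
        return not any(s in expr for s in FORBIDDEN_STRINGS)
    # whitelist mode never looks at FORBIDDEN_STRINGS, so constructs that are
    # not plain function calls (here the constructed "$$" token) slip through.
    return _calls_only_allowed_functions(expr)


def gate_fixed(expr: str, mode: str = "whitelist") -> bool:
    """Corrected ordering: the blocklist is a floor applied in every mode."""
    if any(s in expr for s in FORBIDDEN_STRINGS):
        return False
    if mode == "blacklist":
        return True
    return _calls_only_allowed_functions(expr)


def blocklist_holds_in_all_modes(gate) -> bool:
    """Regression property: each forbidden sample is denied in every mode.

    Constructed samples; each contains at least one FORBIDDEN_STRINGS entry.
    """
    samples = ["round($$x)", "max(1, shell_exec('x'))", "eval('1')"]
    return all(not gate(s, mode)
               for s in samples for mode in ("whitelist", "blacklist"))
```

A property check like blocklist_holds_in_all_modes() belongs in the test suite of any evaluator that has more than one operational mode.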
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them (Hacker News)
Source: https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
A significant supply chain attack has been uncovered targeting the WordPress ecosystem, where an unknown actor systematically acquired 30 popular WordPress plugins and subsequently embedded malicious backdoors into them. This attack vector leverages trust in existing, legitimate software to distribute malware widely, making detection particularly challenging for website administrators and traditional security tools. The method bypasses typical security reviews that might apply to entirely new or unknown plugins by weaponizing established components.
This incident highlights the pervasive and increasing threat of supply chain compromises, where attackers target upstream software components to reach a broader victim base. For WordPress users, this means that even plugins with a history of good reputation can become compromised after ownership changes. The practical hardening guide here involves extreme vigilance in plugin selection, regular auditing of installed plugins, verifying developer authenticity, and implementing content security policies. Organizations should prioritize solutions for continuous monitoring of plugin integrity and consider a zero-trust approach to third-party code, even within seemingly trusted ecosystems.
Comment: This type of supply chain attack on WordPress plugins is insidious because it leverages trust in established software. It underscores the need for continuous security monitoring of dependencies and a cautious approach to integrating third-party code, even from seemingly legitimate sources.
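The "continuous monitoring of plugin integrity" recommended above can start with a file-hash baseline taken when a plugin is installed from a trusted release, re-scanned after every update and diffed. The script below is an added example, not from the article; the plugin name and file contents are constructed, and the baseline is persisted only in memory here.

```python
"""Plugin integrity baseline and drift check (added example, not from the article).

Hashes every file under a plugins directory, stores the manifest, and reports
files added, removed or changed since the baseline. Review every reported path
after a plugin update, especially when the plugin has changed owner.
"""
import hashlib
import json
import os
import tempfile


def build_manifest(root: str) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Report files added, removed or changed relative to the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a plugin 'update' edits the main file and drops a new one."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "example-plugin")   # placeholder plugin name
        os.makedirs(os.path.join(plugin, "inc"))
        main_php = os.path.join(plugin, "example-plugin.php")
        with open(main_php, "w") as fh:
            fh.write("<?php // constructed clean bootstrap\n")
        # Persist the baseline where the web server user cannot write (simulated).
        stored = json.dumps(build_manifest(root))
        with open(main_php, "a") as fh:
            fh.write("// constructed: unexpected appended code\n")
        with open(os.path.join(plugin, "inc", "extra.php"), "w") as fh:
            fh.write("<?php // constructed: file absent from the baseline\n")
        return diff_manifests(json.loads(stored), build_manifest(root))
```

On a live site, point build_manifest() at wp-content/plugins, keep the baseline outside the web root, and alert on any non-empty diff that does not coincide with an update you performed.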