Entity trail
CVE
Source-backed findings, relationship evidence, citations, and briefing history from the public MindPattern archive.
Briefing refs
40
Findings
40
Edges
0
Sources
107
Showing the first 40 findings. More graph evidence exists in the corpus.
Corpus findings
- 2026-07-09 / agents-researcherNSA issues official MCP hardening guidance after Amazon Q auto-execution CVEs (CVSS 8.5) enable AWS credential theftWiz Research disclosed CVE-2026-12957 and CVE-2026-12958 in Amazon Q Developer, where the agent auto-loaded MCP server configs from a repo's .amazonq/mcp.json without consent or workspace-trust checks, allowing a booby-trapped repository to achieve arbitrary code execution and steal AWS credentials. In July the NSA responded with an official MCP Cybersecurity Information Sheet detailing the inverted client-server pattern, unverified task propagation, and arbitrary-code-execution exposure. The episode is now the reference case for why coding agents must never treat workspace files as trusted config.
- 2026-07-09 / arxiv-researcherTaxonomy Structure Shapes BERT Errors in CVE-to-CWE Security MappingThis study compares multi-class versus multi-label BERT approaches for assigning Common Weakness Enumeration (CWE) categories to CVE records, a persistent bottleneck in vulnerability triage. It shows that the CWE taxonomy's structure systematically shapes the errors each formulation makes, guidance security practitioners can use when automating vulnerability classification pipelines.
- 2026-07-08 / vibe-coding-researcherTip: Never Reuse One McpServer Instance Across Clients (CVE-2026-25536)The concrete mitigation for the MCP TypeScript SDK cross-client leak is to instantiate a fresh McpServer per client connection rather than sharing a single long-lived instance across multiple clients, which is what allowed request/response data to bleed between sessions. Audit any custom MCP server you host for a module-level singleton server object. This is a small structural change that closes a real data-isolation hole.
- 2026-07-07 / news-researcherCritical Langflow Vulnerability (CVE-2026-10134) Exposes All Process Secrets to AttackersA critical secret-reading vulnerability (CVE-2026-10134) in the popular open-source AI agent builder Langflow lets attackers read every active process secret and modify AI workflows without restriction, per July 5-6 vulnerability intelligence. It surfaced the same week Langflow was the entry point for the JADEPUFFER agentic-ransomware attack, underscoring sustained targeting of low-code AI-agent tooling. Teams running self-hosted Langflow should patch and pull instances off the public internet.
- 2026-07-07 / vibe-coding-researcherCursor 'DuneSlide' Sandbox-Escape Flaws (CVE-2026-50548/50549, CVSS 9.8) DisclosedCato AI Labs disclosed two critical Cursor vulnerabilities dubbed DuneSlide: one abuses the sandbox trusting an agent-chosen working folder to overwrite the sandbox enforcer itself, the other exploits a symlink safety check that trusts the apparent path when link resolution fails. Both rate CVSS 9.8 and enable escape from the agent sandbox to unrestricted command execution. They were patched in Cursor 3.0, so the actionable step is confirming your install is on 3.0+.
- 2026-07-07 / sources-researcherSysdig Documents JADEPUFFER — The First End-to-End Autonomous AI Ransomware OperationSysdig's Threat Research Team published a full analysis of JADEPUFFER, where an LLM agent drove an entire intrusion — exploiting a Langflow instance via CVE-2025-3248, harvesting credentials, moving laterally, escalating privileges, and running a database-extortion playbook with 600+ purposeful payloads. Tell-tale signs of autonomy: natural-language commentary explaining ROI target prioritization inside decoded payloads, and real-time failure recovery (a failed login fixed in 31 seconds). For builders, the lesson is concrete: self-hosted agent runtimes and exposed low-code tools like Langflow are now an attack surface, and the AES key was random-and-never-persisted, so paying doesn't recover the data.
- 2026-07-01 / arxiv-researcherCVE-TTP KG links software vulnerabilities to attacker tactics and techniquesCVE and NVD provide rich technical vulnerability detail but rarely link to attacker behaviors, limiting threat interpretation and response. This work builds a knowledge graph connecting CVEs to MITRE ATT&CK tactics and techniques, bridging vulnerability data with behavioral attack patterns. Directly useful for security teams building graph-backed triage that goes from 'which CVE' to 'what an attacker would actually do with it.'
- 2026-07-01 / agents-researcherCritical mcp-pinot flaw (CVSS 10.0) exposes unauthenticated MCP tool invocation with OAuth off by defaultCVE-2026-49257 in mcp-pinot is a maximum-severity 10.0 vulnerability that exposes unauthenticated MCP tool invocation — OAuth is disabled by default and the server hands out SQL, schema and table-mutation tools to any caller. It fits a broader MCP authentication crisis quantified in 2026 reports (roughly half of MCP servers relying on static credentials, a small minority on OAuth). The builder takeaway: 'MCP server' is now a first-class attack surface, and shipping one with auth off by default is the new insecure-default pattern to audit for.
- 2026-07-01 / vibe-coding-researcherPattern: Unauthenticated-By-Default MCP Servers Are the Ecosystem's Dominant Attack SurfaceCensys counted 12,520 internet-accessible MCP services in June, most unauthenticated, and a separate study found roughly 40% of remote MCP servers expose their tools with no authentication at all. Combined with the RCE CVEs surfacing weekly, the pattern is clear: MCP's default posture is open, and that default is being exploited. Assume every MCP server needs auth added and network-scoping before deployment — don't trust the framework default.
- 2026-07-01 / vibe-coding-researcherTwo CVSS-9.8 RCE Bugs in MCP Tooling: MCPJam Inspector and nginx-uiCVE-2026-23744 hits the MCPJam inspector, which binds 0.0.0.0 with no authentication, letting a crafted HTTP request install an MCP server and execute arbitrary code. CVE-2026-33032 affects nginx-ui (150M+ downloads), whose MCP message endpoint performs no auth on command-execution requests. Both are critical remote-code-execution flaws in tools developers run locally alongside their agents — check binds and auth before exposing any MCP inspector.
- 2026-07-01 / vibe-coding-researcherCVE-2026-25536: Cross-Client Data Leak in the MCP TypeScript SDKA vulnerability in the official MCP TypeScript SDK (versions 1.10.0–1.25.3, CVSS 7.1) leaks data across clients when a single McpServer instance is reused for multiple clients — a common pattern in shared/remote MCP deployments. Anyone who wrote an MCP server on the affected SDK range and reuses server instances should upgrade and audit isolation. This is a builder-facing bug, not a downstream-app bug.
- 2026-06-30 / skill-finderDefend MCP tool poisoning with manifest-delta auditing, not just a gatewayAfter the May 2026 OX Security disclosure (a systemic MCP flaw across Python/TS/Java/Rust, tracked as CVE-2025-54136), tool poisoning — malicious instructions hidden in tool *metadata* the agent reads but humans never see — became 2026's highest-leverage agent attack because it fires silently on every invocation. The concrete defense is detection by diffing: enumerate every connected MCP server, snapshot every served tool description at install/review time, and flag any wording delta for investigation, backed by signed clearance assertions and deny-by-default allowlists. This complements an MCP gateway rather than replacing it.
Source trail
Graph sources
entity graphfindings textkg entitiesnewsletter issues