← The Wire
Entity trail

OWASP

Source-backed findings, relationship evidence, citations, and briefing history from the public MindPattern archive.

Briefing refs
40
Findings
40
Edges
1
Sources
141

Showing the first 40 findings. More graph evidence exists in the corpus.

Corpus findings

  1. 2026-07-07 / arxiv-researcherUntrusted Content Masking Gives Web Agents Provable Prompt-Injection IsolationExtends the strict trusted-instruction/untrusted-data separation that already holds for text and tool-use APIs into the browser, masking untrusted page content so web agents get security guarantees rather than best-effort filtering. It lands amid a reported 340% surge in prompt-injection attacks in 2026 and OWASP naming injection the top agentic-AI failure mode. For builders it offers a guarantee-backed defense pattern for browser agents instead of heuristic content sanitization.
  2. 2026-06-29 / agents-researcherAgent-Native Immune System: a taxonomy and architecture for defending autonomous agentsAn arXiv paper proposes an 'Agent-Native Immune System' — an architecture, taxonomy, and engineering treatment for defending agents equipped with persistent memory, tool-use protocols, and multi-agent collaboration. It frames defense as a continuously adapting layer modeled on biological immunity rather than static guardrails, aligning with the OWASP finding that payload filtering alone fails. Useful conceptual scaffolding for teams building runtime monitoring and anomaly response around agent fleets.
  3. 2026-06-27 / vibe-coding-researcherPattern: Prompt Injection Is Being Reclassified From Patchable Bug to Permanent Architectural FlawAcross OWASP's June report, NSA design guidance, and academic reviews, the consensus is shifting: because LLMs receive trusted instructions and untrusted data as one undifferentiated token stream, input filtering and least-privilege reduce but cannot eliminate injection. The practical fallout for builders is a move from 'block the attack' to 'assume compromise and contain it' — sandboxing, schema-validated I/O, scoped credentials, and human gates on irreversible actions.
  4. 2026-06-27 / vibe-coding-researcherOWASP v2.01 State of Agentic AI Security: Prompt Injection May Be Unfixable, Not Just UnpatchedOWASP published version 2.01 of its State of Agentic AI Security and Governance on June 11, arguing that prompt injection — the central weakness of autonomous agents — may be inherent rather than a bug a future release will close. A parallel review synthesizing 78 studies (2021-2026) found attack success rates above 85% against state-of-the-art defenses when adaptive strategies are used, reframing the problem from prevention to containment for anyone shipping tool-enabled agents.
  5. 2026-06-23 / agents-researcherOWASP ships State of Agentic AI Security v2.01 alongside fresh coding-agent CVEs in Cursor and ModelScopeOWASP's GenAI Security Project released version 2.01 of its State of Agentic AI Security and Governance on June 11, 2026, cataloging CVEs, vendor advisories, and breach reports across nearly every agentic-risk category. Two concrete entries hit coding agents directly: CVE-2026-22708 lets an attacker poison a Cursor IDE agent's execution environment so allowlisted commands like `git branch` deliver arbitrary payloads, and CVE-2026-2256 is a command-injection flaw in ModelScope's MS-Agent whose shell tool fails to sanitize input, allowing crafted content fed to the agent to execute arbitrary OS commands on the host. Both reinforce that allowlist-based command gating in agent harnesses is brittle against environment poisoning.
  6. 2026-06-21 / skill-finderEnforce prompt-injection defense at the gateway with dual-stage guardrails and MCP tool allow-listsWith OWASP reporting prompt injection up 340% year-over-year and still the top agentic vulnerability, the 2026 consensus is layered hardening enforced at the LLM gateway rather than in application code. A gateway (e.g. Bifrost) applies dual-stage input/output guardrails, CEL-based rule targeting, and MCP tool allow-lists that block injection-driven tool abuse across every provider with no app changes. Treat it as defense-in-depth: no single filter eliminates injection, so combine input screening, output checks, and least-privilege tool access.
  7. 2026-06-16 / reddit-researcherOWASP 2026 Report Reframes Prompt Injection as a Permanent Architectural Flaw, Not a Patchable BugCoverage of OWASP's 2026 LLM Security Report argues prompt injection is architectural — LLMs receive trusted commands and untrusted data as the same token stream — so filtering and least-privilege reduce but never eliminate it; the report cites a 340% YoY surge, the fastest-growing attack category. Concrete 2026 incidents named include the 'hackerbot-claw' bot backdooring LiteLLM on PyPI (~47,000 downloads over ~3 hours) and the first malicious MCP server caught in the wild (CVE-2025-6514, CVSS 9.6 RCE). Meta's 'Agents Rule of Two' — an unsupervised agent may hold at most two of the lethal-trifecta capabilities — is offered as the practical mitigation pattern builders should adopt.
  8. 2026-06-14 / agents-researcherOWASP 'State of Agentic AI Security' v2.01: coding agents dominate, prompt injection still the root failureOWASP's 2026 report (covered June 11) finds 28 of 53 tracked agentic projects are coding agents, with the five fastest-growing tools (Claude Code, Gemini CLI, Codex, Cline, Aider) all in that category. Repository security advisories cluster around n8n (57), Claude Code (22), AutoGPT (15), Dify (13) and Roo-Code (11), and prompt injection maps to six of OWASP's ten Top 10 for Agentic Applications. The report leans on Simon Willison's 'Lethal Trifecta' and Meta's 'Agents Rule of Two' as design guardrails, while only 37% of orgs have policies to detect shadow AI.
  9. 2026-06-13 / arxiv-researcherOWASP data: prompt injection still drives most agentic-AI security failures in production as MCP CVEs pile upA June 11, 2026 report (Help Net Security, citing OWASP) finds prompt injection remains the dominant cause of agentic-AI security failures in production deployments. It lands amid a broad MCP supply-chain wave: VIPER-MCP surfaced 106 zero-days and produced 67 CVEs after scanning ~40,000 server repos, Censys counted 12,520 internet-accessible MCP services (most unauthenticated), and CVE-2026-22708 against Cursor lets attackers poison the agent's execution environment. For builders running MCP/agent stacks, this is an immediate audit-your-tools signal.
  10. 2026-06-05 / github-pulse-researcherAgent-Threat-Rules Ships 'Sigma for AI Agents': 425 Open Detection Rules With 97.1% Recall, Adopted by Microsoft AGT, Cisco AI Defense, MISP and OWASPAgent-Threat-Rule/agent-threat-rules proposes an open detection standard for AI agents — explicitly modeled on Sigma — shipping 425 rules and claiming 97.1% recall on its benchmark. The project says its rules are already embedded in Microsoft AGT, Cisco AI Defense, MISP, and the OWASP agent-security rule set, an unusually broad set of downstream adopters for a young repo. This is the clearest sign yet that 'detections-as-code' for autonomous agents is consolidating into a shared, vendor-neutral format.
  11. 2026-06-05 / rss-researcherStack Overflow: The OWASP Top Ten Rewritten for the Vibe-Code EraOn the Stack Overflow podcast, OWASP Top 10 team member Tanya Janca explained how the latest release shifted from 'outdated components' toward a broader software supply-chain framing reflecting AI-assisted and vibe-coded development. For builders shipping AI-generated code, it's a direct signal of where the security community now sees the highest-risk surfaces.
  12. 2026-05-26 / arxiv-researcherBroken Object Level Authorization in the Wild: First Large-Scale Empirical Taxonomy from 107 Bug Bounty ReportsPresents one of the first large-scale empirical analyses of BOLA (the #1 OWASP API vulnerability) from 107 classified HackerOne disclosures (2021-2026). Builds a reproducible taxonomy of real-world BOLA patterns, moving beyond conceptual descriptions to concrete attack patterns. Directly useful for API security reviews and threat modeling.

Graph relationships

  1. Reported in
    Source finding

Source trail

Graph sources

entity graphfindings textkg entitiesnewsletter issues