Across May 2026, security researchers disclosed a cluster of vulnerabilities in AI coding agents that share a single theme: the attack surface is the agent’s configuration and skill supply chain, not its model. The summary below follows reporting from DarkReading, eSecurity Planet, and Adversa AI.
The disclosures
According to that reporting:
- Four CVEs in CrewAI chain prompt injection into remote code execution, SSRF, and arbitrary file reads, affecting the Code Interpreter and the default configuration.
- CVE-2026-32173 (CVSS 8.6) in the Azure SRE Agent exposed live command streams through an unauthenticated WebSocket endpoint reachable by any Entra ID account holder.
- A command-injection flaw in Google Antigravity’s
find_by_nametool allowed remote code execution and sandbox escape. - NVIDIA’s AI Red Team executed a full attack chain against OpenAI Codex using a malicious
AGENTS.mdintroduced through a supply-chain compromise. - The ClawHavoc campaign accounted for 1,184 confirmed malicious skills on ClawHub; 492 MCP servers were found with no client authentication or traffic encryption.
The pattern
None of these are model jailbreaks. They are ordinary software supply-chain failures wearing an agent’s clothes: an unauthenticated endpoint, an injectable tool parameter, a poisoned config file, a registry with no provenance. The mitigations the same reports recommend are correspondingly unglamorous — pin dependencies, ship SBOMs, require authentication and encryption on MCP servers, treat agent config as code.
What ties the list together, in the reporting’s own framing, is provenance: in each case the agent trusted an input — a config file, a skill, a tool parameter, a server — that no one had verified. None of the fixes require new security research; they require treating the agent’s supply chain with the scrutiny already standard for application dependencies.
The argument that this was predictable, and what it means for anyone running portable skills, is in your agent’s config is the attack surface.
