Security Vulnerability
AI Agent Failure Mode — 20 Documented Incidents
What is Security Vulnerability?
Security vulnerability failures occur when an AI coding agent introduces exploitable security flaws such as XSS, SQL injection, hardcoded credentials, authentication bypasses, path traversal, or insecure deserialization. These are high-severity incidents with potential for real-world exploitation.
Which AI agent security vulnerabilitys the most?
All Security Vulnerability Incidents
Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0)
Google released Gemini CLI, an open-source terminal AI agent, on June 25, 2026. Two days later, researchers at Tracebit reported that in its default configuration the agent could s
Malicious cloned repository triggered code execution in Cursor on Windows
A vulnerability disclosed in July 2026 allowed a malicious cloned repository to trigger code execution in the Cursor editor on Windows. Reviewing untrusted code by cloning and open
AI vibe-coded Next.js app pinned vulnerable dependency — cryptominer compromised production server
A developer used an AI coding agent to build a Next.js web service via 'vibe coding' (building from functional descriptions). The agent pinned a dependency version that contained C
Copilot autocompleted AWS credentials into public repository
While a developer was writing an AWS configuration file, Copilot suggested a completion that included what appeared to be real AWS access keys. The developer accepted the suggestio
Devin confidently shipped code that passed tests but had a SQL injection vulnerability
Tasked with adding a search feature, Devin built it using string concatenation for SQL queries instead of parameterized queries. All functional tests passed because the tests didn'
Clinejection: an AI issue-triage workflow enabled arbitrary code execution on the CI runner
The 'Clinejection' incident, disclosed in February 2026, showed how AI agents wired into CI/CD multiply risk. Cline had added an AI-powered issue-triage workflow in December 2025 t
GitHub Copilot suggested 2,702 valid secrets — 33% of extracted keys were real, live credentials
Research from GitGuardian and the Chinese University of Hong Kong showed GitHub Copilot regurgitating real secrets memorized from its training data. Across 8,127 Copilot suggestion
Vibe-coded Moltbook exposed 1.5M API keys and 35,000 user emails via misconfigured database
Moltbook, an application built through AI 'vibe coding', exposed roughly 1.5 million API keys and 35,000 user email addresses directly to the public internet. The cause was a misco
Scan of 5,600 vibe-coded apps found 2,000+ high-impact vulns, 400+ exposed secrets, PII leaks
In October 2025, API security firm Escape scanned 5,600 publicly available 'vibe-coded' applications — apps built primarily by prompting AI agents. The scan found more than 2,000 h
CamoLeak: hidden prompt injection turned GitHub Copilot Chat into a silent code/secret exfiltration channel (CVSS 9.6)
Security researcher Omer Mayraz of Legit Security disclosed CamoLeak, a critical (CVSS 9.6) vulnerability in GitHub Copilot Chat discovered in June 2025. By planting hidden prompt-
Vibe-coded Tea app leaked 72,000 IDs and selfies plus 1.1M private messages from an unsecured bucket
Tea, a women-only dating-safety app, suffered two breaches in July 2025 that a hacker attributed to 'vibe coding' — heavy reliance on AI tools to ship product without security revi
Hacker slipped a data-wiping prompt into Amazon Q's VS Code extension, shipped to ~1M installs
In July 2025 an attacker submitted a pull request to the open-source aws-toolkit-vscode GitHub repository, was granted admin credentials, and injected a prompt-injection payload th
EchoLeak: a zero-click email silently exfiltrated data from Microsoft 365 Copilot (CVE-2025-32711, CVSS 9.3)
EchoLeak (CVE-2025-32711, CVSS 9.3) was the first documented zero-click prompt-injection exploit against a production LLM system — Microsoft 365 Copilot across Word, Excel, PowerPo
A hidden comment made GitLab Duo leak private source code and inject rogue HTML
Legit Security disclosed a remote prompt-injection vulnerability in GitLab Duo, GitLab's AI coding assistant, in May 2025. A hidden comment was enough: Duo parsed malicious instruc
Lovable-built apps inverted access control, exposing 170+ production databases (CVE-2025-48757)
Apps built with the AI app-builder Lovable shipped with inverted access-control logic, tracked as CVE-2025-48757. The generated code implemented authorization using Supabase remote
Rule Files Backdoor: hidden Unicode in config files made Copilot and Cursor emit malicious code
Researchers at Pillar Security disclosed a technique they named the 'Rule Files Backdoor' affecting GitHub Copilot and Cursor. By embedding hidden instructions — using invisible Un
Slack AI could be tricked into leaking private-channel data via indirect prompt injection
In August 2024, the PromptArmor team disclosed an indirect prompt-injection flaw in Slack AI that allowed data exfiltration from private channels and DMs the attacker couldn't acce
Claude Code MCP trust boundary failures allow workspace privilege escalation
Security researcher Jashid Sany documented three systemic trust boundary failures in Claude Code v2.1.63 related to the Model Context Protocol (MCP): (1) weak MCP server configurat
Claude Opus 4.5 leaked API key in console logs during YouTube scraper build
While building a YouTube scraper, Claude Opus 4.5 implemented logging naively such that the API key was exposed in plain text in the console output. The developer had to add explic
Manus AI leaked its own system prompt when a user simply asked it to read its internal directory
Manus AI, a Chinese startup's 'general AI agent,' leaked its own system prompt shortly after a high-profile launch. A user identified as 'jian' found that simply asking Manus to ou