AI Security Roundup: LLM, MCP, RAG, and Agentic Vulnerabilities (Apr 24, 2026)

The exploitation timelines keep compressing. CVE-2026-33626, an SSRF in LMDeploy, was weaponized 13 hours after public disclosure. The Mercor breach traced a 4TB data exposure back through the LiteLLM supply chain, forcing Meta to pause contractor work. Unit 42 published the most comprehensive indirect prompt injection taxonomy to date, documenting 22 techniques that triggered real Stripe payments and database deletions. PraisonAI shipped a CVSS 10.0 RCE through unsafe YAML deserialization. And RSAC 2026 revealed an uncomfortable truth: no major security vendor has shipped behavioral baselines for agent monitoring. The gap between agent deployment velocity and security tooling maturity is widening.

CVE-2026-33626: LMDeploy SSRF exploited 13 hours after disclosure

CVE-2026-33626 is a server-side request forgery vulnerability in LMDeploy, an open-source LLM serving framework maintained by the Shanghai AI Laboratory with over 6,000 GitHub stars and widespread production deployment. The flaw allows unauthenticated attackers to make arbitrary HTTP requests from the server, accessing internal services, cloud metadata endpoints, and adjacent infrastructure.

Exploitation was detected in the wild 13 hours after the CVE was published, making it one of the fastest vulnerability-to-exploitation timelines recorded for an AI infrastructure component. The attack surface is significant: LMDeploy instances typically run with broad network access to serve model inference requests, meaning a successful SSRF can pivot to cloud provider metadata services (169.254.169.254), internal APIs, and database endpoints.

Why it matters: The 13-hour exploitation window destroys the traditional patch-when-convenient approach to vulnerability management. AI serving infrastructure often runs with elevated network privileges and access to sensitive model weights and training data. The SSRF primitive in this context is not just a network probing tool but a gateway to model theft, data exfiltration, and lateral movement. Organizations running LMDeploy or similar inference servers need to treat these deployments with the same network segmentation rigor applied to database servers, not web application frontends.

Mercor breach: LiteLLM supply chain exposes 4TB, Meta pauses work

Mercor, an AI-powered hiring and workforce platform, suffered a massive data breach that exposed approximately 4TB of sensitive data including resumes, interview recordings, employment contracts, and identity documents. The breach was traced to a vulnerability in LiteLLM, an open-source LLM proxy library that Mercor used to route inference requests across multiple model providers.

The exposed data reportedly included contractor information for several major technology companies, prompting Meta to temporarily pause its contractor engagement workflow with Mercor while the breach was investigated. LiteLLM is widely used in production AI systems as a unified interface for calling multiple LLM providers (OpenAI, Anthropic, Google, Azure, etc.) through a single API.

Why it matters: This breach illustrates the cascading risk of AI supply chain dependencies. Mercor's core application may have been secure, but a vulnerability in a third-party LLM routing library exposed the entire data pipeline. LiteLLM's position as a proxy sitting between applications and model providers means it handles API keys, request payloads, and response data for every model call. A compromise at this layer is catastrophic by design. The incident reinforces a pattern seen with the axios/Lazarus attack: AI companies inherit enormous risk from open-source dependencies that sit in the critical path of their inference pipelines. Security teams need to inventory and monitor these AI-specific dependencies with the same rigor applied to authentication libraries and TLS implementations.

Unit 42 documents 22 indirect prompt injection techniques

Palo Alto Networks' Unit 42 published the most detailed taxonomy of indirect prompt injection attacks against production AI agents to date, documenting 22 distinct techniques across six attack categories. The research goes beyond theoretical demonstrations to show real-world impact, including injections that triggered actual Stripe payment processing, executed unauthorized database deletions, and exfiltrated sensitive data through agent tool calls.

The six categories span: tool output poisoning (adversarial content in API responses), document injection (hidden instructions in PDFs, Word docs, and spreadsheets), memory poisoning (persistent injections stored in agent memory systems), inter-agent injection (malicious payloads passed between collaborating agents), multimodal injection (instructions embedded in images processed by vision models), and context window manipulation (exploiting how agents truncate long contexts).

Why it matters: The Stripe payment and database deletion demonstrations cross a critical threshold. These are not sandbox demonstrations showing that an agent can be tricked into saying something inappropriate. These are attacks that cause financial loss and data destruction through legitimate tool use. The 22-technique taxonomy reveals that the attack surface for production agents is far broader than the "prompt injection" label suggests. Each technique requires a different defensive approach, and no single guardrail model addresses more than a few. For security teams evaluating agent deployments, this research provides the adversarial threat model that vendor marketing materials conspicuously omit. The Unit 42 research also confirms what the broader industry is seeing: indirect injection through tool outputs and documents is now a bigger production risk than direct prompt injection from users.

PraisonAI CVSS 10.0 RCE via unsafe YAML deserialization

PraisonAI, an open-source multi-agent orchestration framework, received a CVSS 10.0 rating for a remote code execution vulnerability caused by unsafe YAML deserialization. The framework uses yaml.load() with the default FullLoader instead of yaml.safe_load(), allowing attackers to execute arbitrary Python code by submitting crafted YAML payloads through the agent configuration interface.

The vulnerability is trivially exploitable. Any endpoint that accepts agent workflow definitions, tool configurations, or task descriptions in YAML format becomes an RCE vector. PraisonAI is used for building multi-agent systems and has integrations with multiple LLM providers and tool frameworks including MCP.

Why it matters: This is the second CVSS 10.0 in an AI agent orchestration platform in recent weeks, following the Flowise CustomMCP node vulnerability. The pattern is consistent: agent orchestration platforms accept complex configuration inputs (YAML, JSON, JavaScript) and process them without adequate sanitization because the platforms were designed for trusted developer use, not adversarial environments. As these tools move from development experiments to production deployments, the security assumptions baked into their architectures become critical vulnerabilities. The YAML deserialization class of bugs was thoroughly documented a decade ago in the Ruby on Rails ecosystem. Its reappearance in AI tooling suggests that AI framework developers are not absorbing lessons from prior generations of web application security.

RSAC 2026: No vendor ships behavioral baselines for agent monitoring

RSA Conference 2026 (April 28 - May 1, San Francisco) preview briefings revealed a significant gap in the security vendor landscape: despite dozens of vendors marketing "AI security" and "agentic security" products, no major vendor has shipped production-ready behavioral baseline capabilities for monitoring AI agent behavior in real time.

Current offerings focus on input/output filtering (prompt injection detection, content safety), policy-based access controls (which MCP servers an agent can access), and audit logging. What is missing is the ability to establish what "normal" looks like for a specific agent, learn its typical tool use patterns, communication flows, and decision paths, and then alert on deviations. This is the equivalent of EDR behavioral detection applied to software agents rather than human users or traditional applications.

Why it matters: The absence of behavioral baselines means that a compromised or manipulated agent that stays within its allowed tool permissions but changes its decision-making patterns will go undetected by every commercial product currently available. An agent that normally queries a database 5 times per task but suddenly queries it 500 times, or one that starts accessing MCP servers it has permission to use but has never used before, would not trigger any existing security control. The CSA study showing 53% of organizations have experienced agent scope violations underscores the urgency. Check Point's AI Defense Plane and Fortinet's FortiSOC both provide governance and runtime enforcement, but neither has announced behavioral anomaly detection for agent workflows. This is the next frontier in agentic security, and whichever vendor solves it first gains a significant competitive advantage.

OWASP separates Agentic Top 10 from LLM Top 10

The OWASP GenAI Security Project (now 25,000+ members) formally separated the Top 10 for Agentic Applications from the existing Top 10 for LLM Applications, recognizing that agentic systems present fundamentally different security risks than standalone LLM deployments.

The agentic Top 10 (ASI01-ASI10) covers: Agent Goal Hijack, Unsafe Tool Use, Agent Aversion to Human Oversight, Unsafe Tool and Plugin Integration, Persistent Agent Memory Manipulation, Insecure Output Handling, Insecure Inter-Agent Communication, Cascading Failures, Human-Agent Trust Exploitation, and Rogue Agents. The Q2 landscape guide adds an agentic red teaming taxonomy and updated vendor mapping. Dark Reading polling shows 48% of cybersecurity professionals now identify agentic AI as the number-one attack vector.

Why it matters: The separation acknowledges a fundamental architectural truth. An LLM generating text responses has a different threat model than an agent executing multi-step workflows with access to tools, databases, payment systems, and other agents. The original LLM Top 10 focused on prompt injection, training data poisoning, and output safety. The agentic Top 10 addresses risks that emerge only when models can act: tool weaponization, inter-agent trust, cascading automated failures, and autonomous agents concealing their actions. The 48% poll result is remarkable because it means nearly half of security professionals view agentic AI as a bigger threat than ransomware, which has dominated the threat landscape for a decade. Both Palo Alto Networks and Microsoft published companion blogs mapping their security controls to the OWASP agentic framework, signaling vendor ecosystem alignment around this taxonomy.

Microsoft: Tycoon2FA and AI-powered phishing reach 62% of blocked attempts

Microsoft's threat intelligence team published updated data on Tycoon2FA, the AI-powered phishing-as-a-service platform that generated tens of millions of phishing emails per month at peak operation. The platform was linked to nearly 100,000 compromised organizations and at its height accounted for 62% of all phishing attempts that Microsoft's security infrastructure was blocking monthly.

The threat landscape report also detailed how North Korean groups Jasper Sleet and Coral Sleet are using AI to scale fake identity operations for job market infiltration, and documented an AI-enabled device code phishing campaign that replaced static manual scripts with end-to-end AI-driven automation. Microsoft's assessment: "the barrier to launching sophisticated attacks has collapsed."

Why it matters: The 62% figure demands attention because it represents a single platform, not the aggregate of all AI-powered phishing. Tycoon2FA used AI-generated lures that were contextually appropriate, linguistically natural, and personalized at scale, exactly the capabilities that made them effective at bypassing traditional email security filters trained on template-based phishing.

The North Korean fake identity operations represent a different but equally concerning AI-enabled threat: using AI to create and maintain convincing professional personas across LinkedIn, GitHub, and job platforms. These are not crude impersonations. The AI-maintained personas publish technical content, engage in community discussions, and build credible work histories over months before being deployed for infiltration.

The convergence of AI-generated phishing content and AI-maintained fake identities creates a compound threat that current defensive tools address only partially. Email security catches some phishing. Identity verification catches some fakes. But the AI-enabled combination, where a convincing fake identity sends a contextually appropriate phishing lure referencing real shared context, defeats both defenses simultaneously.

AI Security Roundup: LLM, MCP, RAG, and Agentic Vulnerabilities (Apr 24, 2026)

AI Security Roundup: LLM, MCP, RAG, and Agentic Vulnerabilities (Apr 24, 2026)

CVE-2026-33626: LMDeploy SSRF exploited 13 hours after disclosure

Mercor breach: LiteLLM supply chain exposes 4TB, Meta pauses work

Unit 42 documents 22 indirect prompt injection techniques

PraisonAI CVSS 10.0 RCE via unsafe YAML deserialization

RSAC 2026: No vendor ships behavioral baselines for agent monitoring

OWASP separates Agentic Top 10 from LLM Top 10

Microsoft: Tycoon2FA and AI-powered phishing reach 62% of blocked attempts

References