AI Security Roundup: LLM, MCP, RAG, and Agentic Vulnerabilities (May 1, 2026)
The exploitation timelines are collapsing and the attack surface is expanding simultaneously. LiteLLM's pre-auth SQL injection was weaponized in 36 hours, exposing every stored API key and provider credential across thousands of deployments. Google published the first large-scale measurement of prompt injection in the wild, documenting a 32% increase in malicious attempts. Vercel was breached through a Context.ai supply chain compromise, with stolen data listed at $2M on BreachForums. Unit 42 discovered new MCP Sampling attack vectors that let servers covertly invoke tools. Flowise's CVSS 10.0 remains under active exploitation with 12,000+ instances still exposed. And Fortinet's 2026 threat report documented a 389% ransomware surge powered by agentic "shadow agents." RSAC 2026 confirmed what the data already showed: agentic AI security is no longer a future problem.
LiteLLM pre-auth SQL injection exploited in 36 hours
CVE-2026-42208 is a pre-authentication SQL injection in LiteLLM, the popular open-source LLM gateway/proxy, with a CVSS score of 9.3. In affected versions (1.81.16 through 1.83.6), the Bearer token value from the Authorization header is concatenated directly into a SELECT query against the LiteLLM_VerificationToken table without parameterized binding. Because this occurs before authentication is decided, any HTTP client that can reach the proxy port can exploit it.
The fix shipped in version 1.83.7-stable on April 19. The first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 36 hours after the GitHub advisory was indexed. Attackers deliberately enumerated three high-value tables: virtual API keys, stored provider credentials (OpenAI, Anthropic, Azure keys), and the proxy's environment-variable configuration. The breach at Mercor, the AI-powered hiring platform that exposed 4TB of sensitive data, was traced to the LiteLLM supply chain and attributed to the hacking group TeamPCP.
Why it matters: LiteLLM sits in the critical path between applications and model providers, routing requests and storing API keys for every downstream LLM service. A pre-auth SQL injection at this layer is catastrophic by design: a single exploit exposes every credential the proxy manages. The 36-hour exploitation window demonstrates that AI infrastructure is now subject to the same rapid weaponization cycles as traditional enterprise software, but with the added exposure of model provider API keys worth potentially millions in compute credits. Organizations running LiteLLM need to treat it with the same security rigor as a database server or secrets manager, not as a lightweight development utility.
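The defect class described above, shown as an added example that is not LiteLLM's own code: the bearer value from the Authorization header spliced into the key-lookup query, beside the parameterized form that makes the token data rather than SQL. An in-memory SQLite table stands in for LiteLLM_VerificationToken; the column names and sample keys are assumptions.

```python
# Added example, not LiteLLM's code. Demonstrates why string-building the
# key-lookup query is a pre-auth injection point and how binding fixes it.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two virtual keys with a spend budget."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LiteLLM_VerificationToken (token TEXT PRIMARY KEY, max_budget REAL)"
    )
    conn.executemany(
        "INSERT INTO LiteLLM_VerificationToken VALUES (?, ?)",
        [("sk-alpha", 10.0), ("sk-beta", 25.0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, bearer: str) -> list:
    # The header value is interpolated into the SQL text before any
    # authentication decision exists; a quote in it reaches the parser.
    sql = f"SELECT token, max_budget FROM LiteLLM_VerificationToken WHERE token = '{bearer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, bearer: str) -> list:
    # Parameter binding: the driver passes the token as a value, so no
    # character in it can change the statement's structure.
    sql = "SELECT token, max_budget FROM LiteLLM_VerificationToken WHERE token = ?"
    return conn.execute(sql, (bearer,)).fetchall()


def token_reaches_parser(conn: sqlite3.Connection, bearer: str) -> bool:
    """True when the bearer value broke the statement's syntax in the
    vulnerable form, i.e. the unauthenticated input is being parsed as SQL."""
    try:
        lookup_vulnerable(conn, bearer)
        return False
    except sqlite3.OperationalError:
        return True
```

The same header value that raises a syntax error in the vulnerable form simply returns no row in the bound form, which is the behaviour a proxy should have for an unknown key.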
Google publishes first large-scale prompt injection measurement
On April 23, Google published the first systematic, large-scale measurement of prompt injection in the wild on its Security Blog. Researchers performed a broad sweep of Common Crawl public web data and found indirect prompt injection payloads across multiple categories: pranks, SEO manipulation, agent deterrence, data exfiltration, and destructive commands.
The headline finding: a 32% relative increase in malicious prompt injection attempts between November 2025 and February 2026. Categories ranged from experimental and prank injections to fully weaponized payloads. One documented example embedded a PayPal.me link with a $5,000 fixed amount and full transaction processing instructions, not a proof-of-concept but a weaponized financial fraud payload designed to trick AI agents into initiating real payments.
Why it matters: This is the first systematic, web-scale confirmation that prompt injection has moved from academic theory to active real-world abuse. Previous evidence was anecdotal or limited to specific platform telemetry. Google's Common Crawl analysis covers the open web at scale, making the 32% increase figure a population-level measurement rather than a sample. The upward trend signals that sophistication and volume will continue growing as AI agents become more prevalent in web-browsing workflows. For defenders, the PayPal example demonstrates that financial exploitation via prompt injection is no longer theoretical. It is being deployed on the open web, waiting for an agent to browse the wrong page.
Vercel breached via Context.ai supply chain, data listed at $2M
On April 19, Vercel disclosed a breach originating from a supply chain compromise of Context.ai, a third-party AI observability tool. A Context.ai employee was infected with Lumma Stealer malware in approximately February 2026, giving attackers Google Workspace credentials plus keys for Supabase, Datadog, and Authkit. From the compromised support@context.ai account, attackers pivoted into a Vercel employee's Google Workspace account, then into Vercel's internal systems, enumerating and decrypting environment variables.
The dwell time was approximately two months (February to April). Threat actors posted the leaked Vercel database for sale at $2 million on BreachForums. Vercel confirmed in collaboration with GitHub, Microsoft, npm, and Socket that no npm packages were compromised and the supply chain remains safe.
Why it matters: This is a textbook example of how AI tool integrations create lateral movement paths. A single compromised AI observability vendor became the entry point to breach one of the largest web hosting platforms. The attack chain, malware on a vendor employee laptop leading to cloud credential theft leading to customer data exposure, is a pattern that will repeat across the AI tooling ecosystem. Every AI observability, monitoring, and gateway product that holds cloud credentials is now a high-value target. The two-month dwell time suggests that standard detection capabilities did not flag the lateral movement from the AI vendor into Vercel's infrastructure. For security teams, this reinforces the need to treat AI tool integrations as privileged access paths requiring the same monitoring as VPN and identity provider connections.
Unit 42 discovers MCP Sampling attack vectors
Palo Alto Networks Unit 42 published research on new prompt injection attack vectors through MCP Sampling, a relatively new MCP primitive that reverses the typical interaction pattern by allowing MCP servers to actively author prompts rather than passively responding to them.
Unit 42 identified three protocol-level attack vectors. Resource theft: draining AI compute quotas with inflated token usage through server-authored prompts. Conversation hijacking: persistent injected instructions embedded in server responses that carry across interactions. Covert tool invocation: unauthorized file system operations executed without user awareness, triggered by server-authored prompts that instruct the model to call tools the user never requested. Separately, Unit 42 created "Zealot," a multi-agent penetration testing proof-of-concept that tested whether AI could independently compromise a hardened cloud environment without human oversight, finding fully autonomous AI attacks are closer than anticipated.
Why it matters: MCP Sampling transforms a server from a passive tool into an active prompt author with deep influence over model behavior. Most current MCP hosts and clients do not defend against these vectors because the security model assumes servers respond to requests rather than initiate them. The covert tool invocation attack is particularly dangerous: a malicious MCP server can use Sampling to instruct the model to call other tools (file access, network requests, database queries) without the user's knowledge. This creates a new class of prompt injection risk specific to agentic architectures where the injection source is a trusted protocol participant, not untrusted web content. The Zealot research further demonstrates that the offensive capabilities of AI agents are maturing faster than the defensive infrastructure to govern them.
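A host-side gate for the three Sampling vectors above, as an added example that is not from the Unit 42 research or any MCP SDK. It inspects a sampling/createMessage request (fields follow the MCP request shape: messages, systemPrompt, includeContext, maxTokens) before the host forwards it to the model; the budget values, the context allowlist and the guarded tool names are assumptions.

```python
# Added example, not MCP SDK code. Per-request and per-server token caps
# address resource theft, the includeContext allowlist limits what a server
# can pull into its prompt, and the tool-name scan flags server-authored
# prompts that steer the model toward host tools. The scan is a heuristic;
# the real control is to expose no tools to the sampled completion at all.
import re
from dataclasses import dataclass, field


@dataclass
class SamplingPolicy:
    max_tokens_per_request: int = 2048        # assumption: per-call cap
    token_budget_per_server: int = 20000      # assumption: cumulative quota
    allow_context: set = field(default_factory=lambda: {"none", "thisServer"})
    guarded_tools: tuple = ("read_file", "write_file", "run_command")
    spent: dict = field(default_factory=dict)  # server name -> tokens used


def check_sampling_request(policy: SamplingPolicy, server: str, params: dict) -> list[str]:
    """Return the policy violations; an empty list means the host may forward
    the request (with no tools attached) and the server's spend is recorded."""
    problems = []
    want = int(params.get("maxTokens", 0))
    if want <= 0 or want > policy.max_tokens_per_request:
        problems.append(f"maxTokens {want} outside per-request cap")
    if policy.spent.get(server, 0) + want > policy.token_budget_per_server:
        problems.append("server would exceed its cumulative token budget")
    if params.get("includeContext", "none") not in policy.allow_context:
        problems.append("includeContext would expose other servers' context")
    text = (params.get("systemPrompt") or "") + " " + " ".join(
        m["content"]["text"]
        for m in params.get("messages", [])
        if m.get("content", {}).get("type") == "text"
    )
    for tool in policy.guarded_tools:
        if re.search(rf"\b{re.escape(tool)}\b", text):
            problems.append(f"server-authored prompt references guarded tool {tool}")
    if not problems:
        policy.spent[server] = policy.spent.get(server, 0) + want
    return problems
```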
MCP STDIO design flaw: 200,000 servers at risk, Anthropic maintains "expected behavior"
Ox Security continued to press its disclosure of the systemic architectural vulnerability in Anthropic's MCP, following its April 15 publication. The STDIO transport interface in every official MCP SDK (Python, TypeScript, Java, Rust) provides a direct configuration-to-command-execution path: the mechanism executes whatever OS command the configuration names. If that command brings up a working STDIO server, the SDK returns a handle; if it does not, the command has already run by the time the error is returned.
The scale remains staggering: 7,000+ publicly accessible MCP servers, 150+ million cumulative package downloads, and up to 200,000 vulnerable instances. The flaw has now spawned at least 11 high- and critical-severity CVEs across major AI platforms including LiteLLM, Flowise, LangChain, Cursor (CVE-2025-54136), LibreChat (CVE-2026-22252), and MCP Inspector (CVE-2025-49596). A total of 30 CVEs have been filed against MCP implementations in 60 days. Anthropic continues to decline to patch, stating the behavior is "expected."
Why it matters: The growing CVE count, now at 30, validates Ox Security's original assessment that this is a systemic architectural issue, not a collection of independent implementation bugs. Each CVE traces back to the same root cause: the STDIO transport executes commands before validating whether they produce a valid MCP server. Anthropic's refusal to address the root cause means every developer building on MCP inherits the code execution risk by default, and the security burden falls entirely on implementers who may not understand they are exposing a command execution primitive. As MCP adoption accelerates, the number of vulnerable implementations will grow proportionally.
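Since the SDKs run the configured command before learning whether it is an MCP server, the practical control sits in front of the spawn. The following is an added example, not Ox Security's or any MCP SDK's code: a validator for the common {"mcpServers": {name: {command, args}}} stdio layout that rejects entries outside a command allowlist and arguments carrying shell metacharacters. The allowlist, the metacharacter set and the sample config are assumptions.

```python
# Added example, not MCP SDK code. Validate each stdio server entry before
# any process is created, so an edited or untrusted config cannot become
# an arbitrary command execution primitive.
ALLOWED_COMMANDS = {"npx", "uvx", "python3", "node"}  # assumption: host policy
_SHELL_META = set(";&|`$<>(){}\n")


def validate_stdio_entry(name: str, entry: dict) -> list[str]:
    """Return violations for one mcpServers entry; empty means it may spawn."""
    problems = []
    command = entry.get("command")
    if not isinstance(command, str) or not command:
        return [f"{name}: missing command"]
    # Compare the basename so an absolute path to an allowed tool still passes.
    base = command.rsplit("/", 1)[-1]
    if base not in ALLOWED_COMMANDS:
        problems.append(f"{name}: command {command!r} not in allowlist")
    args = entry.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        problems.append(f"{name}: args must be a list of strings")
    else:
        for arg in args:
            if _SHELL_META & set(arg):
                problems.append(f"{name}: shell metacharacter in arg {arg!r}")
    return problems


def validate_config(config: dict) -> dict[str, list[str]]:
    """Map each failing server name to its violations; passing entries are omitted."""
    result = {}
    for name, entry in config.get("mcpServers", {}).items():
        violations = validate_stdio_entry(name, entry)
        if violations:
            result[name] = violations
    return result
```

Entries that pass should still be spawned as an argument vector without a shell (for example subprocess.Popen([command, *args])), so the metacharacter check is defence in depth rather than the only barrier.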
Flowise CVSS 10.0 still under active exploitation
CVE-2025-59528, the maximum-severity code injection vulnerability in Flowise, remains under active exploitation with over 12,000 instances still exposed on the internet. The flaw in the CustomMCP node accepts user-provided mcpServerConfig strings and executes them as JavaScript without security validation, granting access to child_process and fs with full Node.js runtime privileges. A second vulnerability, CVE-2026-40933, affects Flowise versions below 3.1.0 with OS command injection via unsafe MCP adapter serialization.
Active exploitation was first detected on April 7 by VulnCheck, initially from a single Starlink IP address. Despite the vulnerability being disclosed in September 2025 and patched in version 3.0.6, the seven-month gap between patch availability and mass exploitation demonstrates that AI infrastructure operators are not applying patches. Organizations should upgrade immediately to version 3.1.1.
Why it matters: The persistence of 12,000+ exposed instances seven months after a patch is available reveals a fundamental operations maturity gap in the AI infrastructure ecosystem. Traditional enterprise software has established patch management processes. AI workflow platforms like Flowise are often deployed by data science and ML teams outside of IT governance, meaning they do not receive the same patching discipline as production web applications or databases. A successful exploit does not just compromise the server. It grants access to every AI workflow, model endpoint, external API integration, API key, and data pipeline running through the instance.
Fortinet threat report: 389% ransomware surge with agentic shadow agents
FortiGuard Labs released the 2026 Global Threat Landscape Report on April 30, documenting that confirmed ransomware victims reached 7,831 globally, a 389% increase year-over-year from approximately 1,600. The surge is fueled by crime-as-a-service kits including WormGPT, FraudGPT, and BruteForceAI. FortiRecon intelligence found a 79% increase in comprehensive data set theft enabled by agentic AI.
The top targeted sectors were manufacturing (1,284 victims), business services (824), and retail (682). Geographic concentration: US (3,381), Canada (374), Germany (291). The report introduces the concept of cybercrime now operating as a system with "shadow agents," autonomous AI tools that compress the entire attack lifecycle from reconnaissance through exploitation to exfiltration.
Why it matters: The 389% figure is not a projection. It is a confirmed count of ransomware victims across FortiGuard's telemetry. The "shadow agents" concept describes a qualitative shift: attackers are no longer just using AI to write phishing emails or generate malware. They are deploying autonomous AI agents that execute multi-step attack chains with minimal human oversight. The 79% increase in data theft attributed to agentic AI specifically suggests that AI-enabled data exfiltration, where agents autonomously identify, collect, and exfiltrate valuable data sets, is becoming a primary attack pattern rather than an edge case.
OWASP publishes Agentic AI security landscape and red teaming taxonomy
The OWASP GenAI Security Project published three separate AI security landscape documents in Q2 2026: the AI Security Solutions Landscape for LLM and GenAI Apps, the AI Security Solutions Landscape for Agentic AI, and a first-ever Red Teaming Landscape. The formal separation of agentic AI into its own document confirms that OWASP treats these as categorically different problem domains.
The Top 10 for Agentic Applications 2026 (ASI01-ASI10), developed with 100+ industry experts, focuses on failures from goal misalignment, tool misuse, delegated trust, inter-agent communication, persistent memory manipulation, and emergent autonomous behavior. The Red Teaming Landscape provides the first standardized framework for adversarial testing of agent reasoning paths, tool use patterns, and inter-agent communication flows. Both Palo Alto Networks and Microsoft published companion blogs mapping their security controls to the OWASP agentic framework.
Why it matters: By publishing agentic AI as a separate document from LLM/GenAI, OWASP is making a formal architectural statement. An LLM generating text responses has a fundamentally different threat model than an agent executing multi-step workflows with access to tools, databases, payment systems, and other agents. The Red Teaming Landscape fills a critical gap: until now, security teams had no standardized methodology for adversarial testing of agent systems. The vendor alignment from Palo Alto Networks and Microsoft confirms that the OWASP agentic framework is becoming the reference taxonomy around which the security vendor ecosystem is organizing.
References
- The Hacker News: LiteLLM CVE-2026-42208 SQL Injection Exploited in 36 Hours
- Sysdig: CVE-2026-42208 Targeted SQL Injection Against LiteLLM
- Google Security Blog: AI Threats in the Wild
- SecurityWeek: Malicious AI Prompt Injection Attacks Increasing
- TechCrunch: Vercel Confirms Breach via Context AI
- Trend Micro: Vercel Breach OAuth Supply Chain Attack
- Unit 42: New Prompt Injection Attack Vectors Through MCP Sampling
- The Hacker News: Anthropic MCP Design Vulnerability Enables RCE
- Ox Security: Critical Systemic Vulnerability at the Core of MCP
- The Hacker News: Flowise AI Agent Builder Under Active CVSS 10.0 Exploitation
- BleepingComputer: Max Severity Flowise RCE Now Exploited
- Fortinet: 2026 Global Threat Landscape Report
- OWASP: Top 10 for Agentic Applications 2026
- OWASP: AI Security Solutions Landscape for Agentic AI Q2 2026
- Palo Alto Networks: OWASP Agentic AI Security