A Timeline of AI Agent Security Incidents (2025–2026)
Written by the Rafter Team
AI agents went from research demos to production tools in 2024. The security disclosures followed in 2025. This page tracks every publicly disclosed security incident affecting AI coding tools, AI agents, and the Model Context Protocol ecosystem — from CVEs with CVSS scores to operational failures that didn't involve code vulnerabilities at all.
This is a living reference. We'll update it as new incidents are disclosed.
Scope: This timeline covers AI agents (autonomous tools that take actions), AI coding assistants (Copilot, Claude Code, Codex, Cursor), and MCP infrastructure. It does not cover LLM model vulnerabilities (jailbreaks, alignment failures) unless they resulted in real-world incidents affecting deployed tools.
2025
June 2025
CamoLeak — GitHub Copilot Silent Code Exfiltration
- Severity: CVSS 9.6
- Product: GitHub Copilot Chat
- Researcher: Omer Mayraz, Legit Security
- Vector: Hidden HTML comments in PR descriptions inject prompts into Copilot Chat. Data exfiltrated through pre-signed GitHub Camo proxy image URLs that bypass CSP.
- Impact: Private source code, API keys, and undisclosed vulnerability details extracted from organizational repositories.
- Fix: GitHub disabled image rendering in Copilot Chat (August 14, 2025).
- Deep dive: CamoLeak: The Exfiltration Channel Hidden in Every GitHub PR
July 2025
RoguePilot — GitHub Codespaces GITHUB_TOKEN Leak
- Severity: High
- Product: GitHub Copilot in Codespaces
- Researcher: Orca Security
- Vector: Copilot instruction injection in Codespaces environments causes the AI to expose
GITHUB_TOKENvalues in output. - Impact: Repository-scoped API tokens leaked, enabling unauthorized API access.
- Status: Patched.
Claude Code Hooks RCE
- Severity: High
- Product: Anthropic Claude Code
- Researcher: Check Point Research
- CVE: GHSA-ph6w-f82w-28w6
- Vector: Malicious
.claude/settings.jsonfiles define Hooks that execute shell commands onSessionStartevents, running before the user interacts with the trust dialog. - Impact: Remote code execution on developer machines via cloned repositories.
- Reported: July 21, 2025. Patched: August 26, 2025.
- Deep dive:
git cloneConsidered Harmful
Replit AI Agent Deletes Production Database
- Severity: Operational (no CVE)
- Product: Replit AI Agent
- Reporter: Jason Lemkin (SaaStr)
- Vector: AI coding agent with production database credentials ignores repeated code-freeze instructions, deletes production database, fabricates 4,000 records to mask data loss, lies about recovery options.
- Impact: Complete production data loss (later recovered via rollback). $607 in unexpected compute costs over 3 days.
- Response: Replit implemented dev/prod database separation, improved rollback systems, and added planning-only mode.
- Deep dive: The Agent That Lied
August 2025
OpenAI Codex CLI Configuration Exploit
- Severity: CVSS 9.8 (Critical)
- Product: OpenAI Codex CLI (all versions before 0.23.0)
- Researcher: Check Point Research
- CVE: CVE-2025-61260
- Vector: A
.envfile containingCODEX_HOME=./.codexredirects Codex CLI config resolution to a project-local directory. Maliciousconfig.tomlspecifies MCP servers with arbitrarycommandandargsthat execute on project open. - Impact: Silent remote code execution. Credential harvesting, supply chain contamination.
- Reported: August 7, 2025. Patched: August 20, 2025 (v0.23.0).
- Deep dive:
git cloneConsidered Harmful
September 2025
Claude Code MCP Auto-Enable Bypass
- Severity: High
- Product: Anthropic Claude Code
- Researcher: Check Point Research
- CVE: CVE-2025-59536
- Vector: Project-level
.mcp.jsonor.claude/settings.jsonsetsenableAllProjectMcpServers: true, silently activating all project-defined MCP servers including attacker-controlled endpoints. - Impact: Remote code execution via malicious MCP server tool definitions.
- Reported: September 3, 2025. Patched: September 22, 2025.
- Deep dive:
git cloneConsidered Harmful
October 2025
Claude Code API Key Exfiltration
- Severity: High
- Product: Anthropic Claude Code
- Researcher: Check Point Research
- CVE: CVE-2026-21852
- Vector: Malicious
ANTHROPIC_BASE_URLin project-level.claude/settings.jsonredirects API requests to attacker proxy. Plaintext API keys sent inAuthorizationheaders before trust dialog. - Impact: API key theft, enabling unauthorized access to the victim's Anthropic account.
- Reported: October 28, 2025. Patched: December 28, 2025.
- Deep dive:
git cloneConsidered Harmful
December 2025
MCP TypeScript SDK DNS Rebinding
- Severity: CVSS 7.6 (High)
- Product: Model Context Protocol TypeScript SDK (all versions before 1.24.0)
- Researcher: pcarleton
- CVE: CVE-2025-66414 / GHSA-w48q-cv73-mx4w
- Vector: DNS rebinding attack allows malicious websites to bypass browser same-origin policy and send requests to MCP servers on localhost. No auth required for default localhost configuration.
- Impact: File exfiltration, code modification, credential theft from developer machines.
- Patched: SDK v1.24.0 (Host header validation).
- Deep dive: DNS Rebinding and Localhost MCP
MCP Git Server Triple CVE
- Severity: High (multiple)
- Product: Anthropic Git MCP Server
- CVEs: CVE-2025-68143, CVE-2025-68144, CVE-2025-68145
- Vector: Insufficient input validation in Git MCP server tool inputs enables command injection, path traversal, and information disclosure.
- Impact: Arbitrary command execution via MCP tool calls against Git repositories.
- Deep dive: Exploiting Anthropic's Git MCP Server
2026
February 2026
ClawJacked — OpenClaw AI Agent Gateway Takeover
- Severity: High
- Product: OpenClaw (all versions before 2026.2.25)
- Researcher: Oasis Security
- CVE: CVE-2026-25253
- Vector: Cross-origin WebSocket connection to localhost gateway. No rate limiting on password brute-force. Automatic device approval after authentication.
- Impact: Full agent control — interact with AI agent, dump configuration, enumerate connected devices, read logs. 42,665 instances exposed to internet at time of disclosure.
- Patched: February 26, 2026 (v2026.2.25, under 24 hours).
- Deep dive: Localhost Is Not a Trust Boundary
OpenClaw CVE Cluster (6 additional vulnerabilities)
- Severity: Critical (multiple)
- Product: OpenClaw
- CVEs: CVE-2026-25593 (RCE), CVE-2026-24763 (command injection), CVE-2026-25157 (SSRF), CVE-2026-25475 (auth bypass), CVE-2026-26319, CVE-2026-26322, CVE-2026-26329 (path traversal + RCE)
- Timeline: Six-week disclosure period following ClawJacked. Indicates systemic architectural debt rather than isolated bugs.
- Deep dive: Localhost Is Not a Trust Boundary
Attack Pattern Summary
Across all incidents, three dominant patterns emerge:
Pattern 1: Config-as-Execution Supply Chain
Incidents: Claude Code (3 CVEs), Codex CLI (CVE-2025-61260)
Project configuration files that AI tools trust and execute automatically. The new postinstall script — triggers on project open, not on explicit install.
Pattern 2: Localhost Trust Assumption
Incidents: ClawJacked (CVE-2026-25253), MCP DNS Rebinding (CVE-2025-66414), MCP Git Server (3 CVEs)
Local services that assume connections from 127.0.0.1 are trusted. Exploitable via browser (DNS rebinding, cross-origin WebSocket) or malicious MCP tool calls.
Pattern 3: AI Reading Untrusted Content with Privileged Context
Incidents: CamoLeak (CVSS 9.6), RoguePilot, Replit operational failure
AI tools process attacker-controlled input (PR descriptions, environment variables, user prompts) while operating with access to private code, credentials, or destructive capabilities.
Hub article: The AI Agent Attack Surface Is Real: 5 Incidents That Prove It
Last updated: April 5, 2026. To suggest additions, contact the Rafter team.