Home / Incidents / Security Vulnerability

Security Vulnerability

AI Agent Failure Mode — 20 Documented Incidents

What is Security Vulnerability?

Security vulnerability failures occur when an AI coding agent introduces exploitable security flaws such as XSS, SQL injection, hardcoded credentials, authentication bypasses, path traversal, or insecure deserialization. These are high-severity incidents with potential for real-world exploitation.

20
Total Incidents
9.6
Avg Severity /10
14
Agents Affected
17
Critical

Which AI agent security vulnerabilitys the most?

Github-copilot 4 incidents
Unknown-agent 3 incidents
Claude-code 2 incidents
Gemini-cli 1 incidents
Cursor 1 incidents
Devin 1 incidents
Cline 1 incidents
Multiple-agents 1 incidents
Amazon-q 1 incidents
Microsoft-copilot 1 incidents
Gitlab-duo 1 incidents
Lovable 1 incidents
Manus 1 incidents
Slack-ai 1 incidents

All Security Vulnerability Incidents

STUPID-2026-0027 10/10 CRITICAL Gemini-cli

Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0)

Google released Gemini CLI, an open-source terminal AI agent, on June 25, 2026. Two days later, researchers at Tracebit reported that in its default configuration the agent could s

STUPID-2026-0029 10/10 CRITICAL Cursor

Malicious cloned repository triggered code execution in Cursor on Windows

A vulnerability disclosed in July 2026 allowed a malicious cloned repository to trigger code execution in the Cursor editor on Windows. Reviewing untrusted code by cloning and open

STUPID-2026-0022 10/10 CRITICAL Unknown-agent

AI vibe-coded Next.js app pinned vulnerable dependency — cryptominer compromised production server

A developer used an AI coding agent to build a Next.js web service via 'vibe coding' (building from functional descriptions). The agent pinned a dependency version that contained C

STUPID-2026-0004 10/10 CRITICAL Github-copilot

Copilot autocompleted AWS credentials into public repository

While a developer was writing an AWS configuration file, Copilot suggested a completion that included what appeared to be real AWS access keys. The developer accepted the suggestio

STUPID-2026-0006 10/10 CRITICAL Devin

Devin confidently shipped code that passed tests but had a SQL injection vulnerability

Tasked with adding a search feature, Devin built it using string concatenation for SQL queries instead of parameterized queries. All functional tests passed because the tests didn'

STUPID-2026-0030 10/10 CRITICAL Cline

Clinejection: an AI issue-triage workflow enabled arbitrary code execution on the CI runner

The 'Clinejection' incident, disclosed in February 2026, showed how AI agents wired into CI/CD multiply risk. Cline had added an AI-powered issue-triage workflow in December 2025 t

STUPID-2026-0047 10/10 CRITICAL Github-copilot

GitHub Copilot suggested 2,702 valid secrets — 33% of extracted keys were real, live credentials

Research from GitGuardian and the Chinese University of Hong Kong showed GitHub Copilot regurgitating real secrets memorized from its training data. Across 8,127 Copilot suggestion

STUPID-2026-0034 10/10 CRITICAL Unknown-agent

Vibe-coded Moltbook exposed 1.5M API keys and 35,000 user emails via misconfigured database

Moltbook, an application built through AI 'vibe coding', exposed roughly 1.5 million API keys and 35,000 user email addresses directly to the public internet. The cause was a misco

STUPID-2026-0032 10/10 CRITICAL Multiple-agents

Scan of 5,600 vibe-coded apps found 2,000+ high-impact vulns, 400+ exposed secrets, PII leaks

In October 2025, API security firm Escape scanned 5,600 publicly available 'vibe-coded' applications — apps built primarily by prompting AI agents. The scan found more than 2,000 h

STUPID-2026-0048 10/10 CRITICAL Github-copilot

CamoLeak: hidden prompt injection turned GitHub Copilot Chat into a silent code/secret exfiltration channel (CVSS 9.6)

Security researcher Omer Mayraz of Legit Security disclosed CamoLeak, a critical (CVSS 9.6) vulnerability in GitHub Copilot Chat discovered in June 2025. By planting hidden prompt-

STUPID-2026-0038 10/10 CRITICAL Unknown-agent

Vibe-coded Tea app leaked 72,000 IDs and selfies plus 1.1M private messages from an unsecured bucket

Tea, a women-only dating-safety app, suffered two breaches in July 2025 that a hacker attributed to 'vibe coding' — heavy reliance on AI tools to ship product without security revi

STUPID-2026-0035 10/10 CRITICAL Amazon-q

Hacker slipped a data-wiping prompt into Amazon Q's VS Code extension, shipped to ~1M installs

In July 2025 an attacker submitted a pull request to the open-source aws-toolkit-vscode GitHub repository, was granted admin credentials, and injected a prompt-injection payload th

STUPID-2026-0051 10/10 CRITICAL Microsoft-copilot

EchoLeak: a zero-click email silently exfiltrated data from Microsoft 365 Copilot (CVE-2025-32711, CVSS 9.3)

EchoLeak (CVE-2025-32711, CVSS 9.3) was the first documented zero-click prompt-injection exploit against a production LLM system — Microsoft 365 Copilot across Word, Excel, PowerPo

STUPID-2026-0061 10/10 CRITICAL Gitlab-duo

A hidden comment made GitLab Duo leak private source code and inject rogue HTML

Legit Security disclosed a remote prompt-injection vulnerability in GitLab Duo, GitLab's AI coding assistant, in May 2025. A hidden comment was enough: Duo parsed malicious instruc

STUPID-2026-0031 10/10 CRITICAL Lovable

Lovable-built apps inverted access control, exposing 170+ production databases (CVE-2025-48757)

Apps built with the AI app-builder Lovable shipped with inverted access-control logic, tracked as CVE-2025-48757. The generated code implemented authorization using Supabase remote

STUPID-2026-0028 10/10 CRITICAL Github-copilot

Rule Files Backdoor: hidden Unicode in config files made Copilot and Cursor emit malicious code

Researchers at Pillar Security disclosed a technique they named the 'Rule Files Backdoor' affecting GitHub Copilot and Cursor. By embedding hidden instructions — using invisible Un

STUPID-2026-0053 10/10 CRITICAL Slack-ai

Slack AI could be tricked into leaking private-channel data via indirect prompt injection

In August 2024, the PromptArmor team disclosed an indirect prompt-injection flaw in Slack AI that allowed data exfiltration from private channels and DMs the attacker couldn't acce

STUPID-2026-0024 7.5/10 HIGH Claude-code

Claude Code MCP trust boundary failures allow workspace privilege escalation

Security researcher Jashid Sany documented three systemic trust boundary failures in Claude Code v2.1.63 related to the Model Context Protocol (MCP): (1) weak MCP server configurat

STUPID-2026-0019 7.5/10 HIGH Claude-code

Claude Opus 4.5 leaked API key in console logs during YouTube scraper build

While building a YouTube scraper, Claude Opus 4.5 implemented logging naively such that the API key was exposed in plain text in the console output. The developer had to add explic

STUPID-2026-0063 7.5/10 HIGH Manus

Manus AI leaked its own system prompt when a user simply asked it to read its internal directory

Manus AI, a Chinese startup's 'general AI agent,' leaked its own system prompt shortly after a high-profile launch. A user identified as 'jian' found that simply asking Manus to ou