PolicyLayer MCP Incidents

Cursor Sandbox Escape via Git Hooks (CVE-2026-26268)

Tue, 28 Apr 2026 00:00:00 GMT

Cursor's AI agent can be told to write files. Nothing in versions before 2.5 prevented it from writing to .git/hooks/. An attacker who can inject a prompt into the agent's context, via a malicious repository, a crafted issue body, or a poisoned tool response, can plant a hook script that Git will execute automatically on the next commit, push, or checkout. The sandbox breaks the moment the developer runs a routine Git operation. No second prompt required.

Anthropic MCP STDIO RCE (OX Security disclosure)

Wed, 15 Apr 2026 00:00:00 GMT

OX Security found that Anthropic's official MCP SDKs hand configuration values directly to OS command execution over the STDIO transport. Any path that lets an attacker influence MCP server configuration (a malicious package, a tampered config file, untrusted user input) becomes arbitrary command execution. Ten CVEs landed across downstream projects including LiteLLM, LangChain, LangFlow, Flowise, LettaAI, LangBot, MCP Inspector, and Cursor. The supply chain footprint: 7,000+ publicly accessible servers, 150M+ package downloads, up to 200,000 vulnerable instances. Anthropic's response: this is by design. Sanitisation is the developer's job.

Windsurf Zero-Click Prompt Injection to RCE (CVE-2026-30615)

Wed, 15 Apr 2026 00:00:00 GMT

Open a file, get owned. Windsurf 1.9544.26 was the only AI IDE in the OX Security disclosure chain where exploitation required zero user interaction. Attacker-controlled HTML content, when rendered by the IDE, injected instructions that silently modified the local MCP JSON configuration and registered a malicious STDIO server. The MCP SDK did the rest: it launched the server binary and handed the attacker a command execution primitive. No click, no approval prompt, no warning in the developer toolchain.

Flowise and Upsonic MCP Hardening Bypass (CVE-2026-30625 / GHSA-c9gw-hvqq-f33r)

Wed, 15 Apr 2026 00:00:00 GMT

Both Flowise and Upsonic knew MCP STDIO was dangerous and built defences: command allowlists that restricted execution to trusted binaries like npm, npx, and python. OX Security bypassed both in under a minute by passing npx -c <command>. The binary is on the allowlist; the argument that turns it into an arbitrary shell executor is not. The finding is a case study in why surface-level allowlists fail against the MCP STDIO execution model, and why the fix required filtering not just command names but every flag that enables inline execution.

MCPwn (CVE-2026-33032)

Sun, 15 Mar 2026 00:00:00 GMT

Two HTTP requests, full nginx server takeover. nginx-ui shipped its MCP server with AuthRequired() middleware on /mcp but not on its sibling /mcp_message. Anyone on the network could grab a session ID from the protected endpoint, replay it against the unprotected one, and invoke any of twelve destructive tools. One of them, nginx_config_add, accepts arbitrary configuration with auto-reload. Roughly 2,600 instances were exposed on the default port at disclosure; Recorded Future listed it among 31 vulnerabilities under active exploitation in March 2026.

GitHub MCP Prompt Injection: Cross-Repo Data Heist

Mon, 26 May 2025 00:00:00 GMT

A planted issue in a public repo can convince a developer's AI agent to copy private repo contents into that public repo. The official GitHub MCP server hands the agent the user's full GitHub credentials, so private and public scope live in the same context. The agent reads issue bodies as if they were user instructions. Anyone who can open an issue can plant instructions. The attack is the classic confused deputy, executed through tools the user trusted.