Bharat Threat FeedGlobal threats, decoded for Indian defenders
AI Threat Watch · 9 July 2026

AI Threat Watch — 9 July 2026

This issue covers four developments from the past three weeks sharing a common failure mode: AI developer tools — workflow platforms, coding assistants, and IDE extensions — are being exploited by subverting the trust they extend to authenticated sessions, external tool output, and workspace configuration files. A Langflow IDOR is under active exploitation and on CISA KEV; CrowdStrike's adversary prompt injection toolkit has exceeded 200 documented methods; AI coding agents are being hijacked through Sentry error events; and Amazon Q Developer auto-started untrusted server configurations from cloned repositories.
1CriticalCVSS 9.9

CVE-2026-55255 (CVSS 9.9): Langflow cross-tenant IDOR on CISA KEV; attacker-controlled workflows being used to extract embedded API keys and cloud credentials

An insecure direct object reference in Langflow's /api/v1/responses endpoint allows any authenticated user to execute another user's AI workflow by supplying its UUID — the flow-resolution function queries the database without checking ownership. Sysdig Threat Research observed active exploitation from 25 June 2026; CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities catalog on 7 July with a federal agency remediation deadline of 10 July. The documented attack pattern: enumerate flow UUIDs via the /api/v1/flows/ listing endpoint, replay them at the responses endpoint, then inject prompts into the hijacked workflow to surface API keys and secrets stored in the victim's flows. Fixed in Langflow 1.9.1.

Why it matters for IndiaIndian GCCs, AI startups, and data engineering teams using Langflow for RAG pipelines, internal automation, or SOC workflows face a direct tenant-isolation failure. A single authenticated account — including one obtained through credential compromise — is sufficient to enumerate and exploit other users' workflows on the same deployment. This is the third distinct Langflow vulnerability to reach active exploitation in rapid succession, reflecting sustained adversary focus on AI workflow infrastructure.
ActionUpgrade to Langflow 1.9.1 or later immediately. Rotate all API keys and cloud credentials accessible from Langflow flows or environments. Review /api/v1/flows/ and /api/v1/responses access logs for UUID enumeration patterns across user boundaries. Restrict all Langflow instances to authenticated, network-segmented deployments with no direct internet exposure.
SourceSysdig Threat Research (26 June 2026); Help Net Security (8 July 2026); CISA KEV catalog (7 July 2026).
2

CrowdStrike documents five new prompt injection techniques; adversary taxonomy of AI agent attacks now exceeds 200 methods

CrowdStrike published an expansion to its prompt injection taxonomy on 7 July 2026, adding 18 new techniques to a catalogue that now documents more than 200 distinct methods. Five are of particular operational relevance to enterprise AI environments: a delayed-trigger technique that embeds a dormant instruction that activates only when a specified keyword or condition appears later in context; vocabulary suppression that blocks safety-related tokens to steer the model away from standard refusal responses; payload fragmentation that splits a malicious instruction across components appearing innocuous individually but reassembling on processing; insertion of counterfeit system-delimiter tokens to promote untrusted content to directive-level priority; and injection through trusted data sources — documents, CRM records, issue tracker entries, or knowledge-base articles — introduced to the AI context by the user rather than by the attacker directly.

Why it matters for IndiaIndian organisations deploying AI agents over business documents, customer records, ticketing systems, and ERP data are running on precisely the surfaces this structured adversary toolkit targets. Prompt injection is no longer improvised: adversaries have a documented, indexed discipline with named techniques. CrowdStrike's 2026 Global Threat Report confirmed prompt injection campaigns hitting more than 90 organisations in 2025 for credential and cryptocurrency theft.
ActionTreat every data source an AI agent ingests — documents, database records, support tickets, retrieved web content — as potentially hostile input, regardless of how it arrived. Apply structured validation before agent-generated outputs drive automated or financial actions. Log all tool calls and model-driven decisions with sufficient context to reconstruct which instruction drove each action.
SourceCrowdStrike blog (7 July 2026); Cybersecurity News (8 July 2026); GBHackers (July 2026).
3

Agentjacking: Tenet Security confirms 85% success rate hijacking Claude Code, Cursor, and Codex through fake Sentry error events

Sentry's data source name (DSN) is intentionally public and embedded in client-side JavaScript for legitimate error ingestion. Tenet Security published research on 17 June 2026 demonstrating that an attacker can craft fake Sentry error events containing hidden prompt injection instructions; when the Sentry MCP server delivers these to an AI coding agent, the agent processes the attacker's instructions as authoritative diagnostic guidance and executes them. Testing across 100-plus agent deployments confirmed an 85% success rate; Tenet identified 2,388 organisations with injectable DSNs, including a confirmed Fortune 100 enterprise. Affected agents include Claude Code, Cursor, and Codex. Tenet has open-sourced a hardening tool, agent-jackstop, with drop-in configurations for Cursor and Claude Code.

Why it matters for IndiaDevelopment teams and GCCs using AI coding assistants alongside Sentry for error monitoring face a combined-surface exposure. The attack requires no access to internal systems — only the public DSN, which is discoverable from any deployed frontend — and converts the organisation's own observability pipeline into an agent injection channel.
ActionTreat MCP tool output from external observability services as untrusted input rather than authoritative system context. Restrict coding agent permissions in CI pipelines to the minimum required for the task. Apply Tenet Security's agent-jackstop hardening configuration for Claude Code and Cursor. Audit which agents have Sentry MCP integration enabled and disable it where not operationally required.
SourceTenet Security (17 June 2026); The Hacker News (June 2026); Cloud Security Alliance Research Note (12–14 June 2026).
4

CVE-2026-12957: Amazon Q Developer extension registered MCP server configurations from workspace files without developer confirmation, exposing AWS credentials

Wiz Research reported on 26 June 2026 that the Amazon Q Developer Extension for VS Code automatically loaded and started MCP server configurations found in project workspace directories when a repository was opened, without presenting a trust confirmation step. An attacker who places a malicious configuration file in a repository can start an attacker-controlled server the moment a developer opens the project; that server runs with access to the developer's active AWS credentials and environment variables. AWS patched the flaw in Language Server version 1.69.0, released before public disclosure; the language server updates automatically in most network environments.

Why it matters for IndiaGCC development teams open and review external repositories as routine practice — for code review, dependency evaluation, and vendor assessment. In AWS-heavy GCC environments running Amazon Q Developer, a single repository clone on an unpatched workstation is a potential AWS credential exposure event. Where outbound auto-update traffic is restricted at the network perimeter, manual update verification is necessary.
ActionVerify AWS Language Server 1.69.0 or later is deployed across all developer workstations. In environments with restricted outbound connectivity, confirm the auto-update completed; push the update through internal software distribution if not. Audit recently cloned repositories for unexpected MCP configuration files. Restrict Amazon Q Developer MCP features to trusted, internal workspace contexts until update status is confirmed organisation-wide.
SourceWiz Research (26 June 2026); AWS security bulletin 2026-047-AWS; GitHub advisory GHSA-xhcr-j4j9-3gh7 (23 June 2026); The Register (26 June 2026).
AI defender tip: The four items in this issue share a structural pattern: AI tools with access to credentials or execution rights that extend implicit trust to their data inputs without explicit verification. A workflow platform trusts session authentication as sufficient for data access. A coding agent trusts Sentry MCP output as system instruction. An IDE extension trusts workspace configuration files as if they were local. None of these trust assumptions required a technical exploit to subvert — each required only an attacker reaching the trusted channel. Before deploying any AI component with access to credentials, cloud environments, or command execution, identify what it implicitly trusts and verify that each trust relationship is enforced by an explicit check — authentication, ownership verification, or human confirmation — rather than an architectural assumption.

Nirad Threat Research

Nirad AI Threat Watch | Bharat-first threat intelligence