One sentence explains every disclosure

Enterprise AI accepts external input with no trust boundary. That sentence covers a Microsoft Copilot exfiltration chain, a gateway that handed out admin keys, an actively exploited orchestration platform, and a self-propagating npm worm — all disclosed within a two-week window ending June 17.

The bug classes differ. The structural failure does not.

SearchLeak: a trusted URL became an exfiltration engine

On June 15, Varonis disclosed SearchLeak (CVE-2026-42824), a proof-of-concept attack chain against Microsoft 365 Copilot Enterprise Search. A victim clicks a crafted microsoft.com URL. Copilot searches their mailbox. The results leave through a Bing server-side request forgery (SSRF) — a technique in which an attacker causes a server to make outbound requests on their behalf.

Three weaknesses chained together: the URL's `q` parameter fed attacker instructions directly to Copilot's underlying language model; a rendering race condition fired an image tag before the output sanitizer ran; and Bing's image-search endpoint, already allowlisted in the Content Security Policy (CSP), acted as the exfiltration proxy. No plugins. No second click. No visible indicator to the user.

Microsoft rated the flaw critical and patched it server-side, according to Varonis. The National Vulnerability Database had not yet assigned a score at time of writing; a third-party tracker listed it at 6.5 medium. The severity is contested. The mechanism is not.

This is the third Varonis Copilot exfiltration chain in twelve months. Enterprise Search inherits the user's full organizational permissions, so the blast radius is everything that user can reach.

LiteLLM: one gateway, every provider key

The LiteLLM gateway proxies credentials for OpenAI, Anthropic, Azure, Bedrock, and others behind a single endpoint. Obsidian Security published a three-CVE chain on June 11 rated CVSS 9.9.

The sequence: CVE-2026-47101, an authorization bypass, lets a non-admin mint a wildcard API key. CVE-2026-47102 promotes that caller to proxy admin through an unguarded `/user/update` endpoint. CVE-2026-40217 escapes the code sandbox via `exec()` with full builtins. Obsidian demonstrated a reverse shell — remote command execution on the host — by injecting a forged tool-call response through LiteLLM's callback mechanism.

A separate flaw, CVE-2026-42271, a command-injection bug in LiteLLM's MCP (Model Context Protocol) test endpoints, landed on the CISA Known Exploited Vulnerabilities (KEV) list on June 8 with a June 22 remediation deadline. That is a distinct disclosure from the Obsidian chain, fixed in a different release, pointed at the same gateway.

LiteLLM carries more than 40,000 GitHub stars and sits in thousands of enterprise deployments. A supply-chain compromise backdoored versions 1.82.7 and 1.82.8 on PyPI in March. A compromised gateway exposes every provider credential the organization holds.

The pattern scales: Langflow and Mini Shai-Hulud

Langflow CVE-2026-5027 (CVSS 8.8) became the third Langflow remote-code-execution flaw to reach active exploitation this year. A path traversal in file upload lets an attacker write files anywhere on disk; because Langflow ships with auto-login enabled by default, a single unauthenticated request reaches RCE. VulnCheck confirmed exploitation on June 9. Censys counted roughly 7,000 exposed instances, with MuddyWater — a threat actor with ties to Iranian state interests — attributed to active campaigns.

The Mini Shai-Hulud worm hit a different pressure point. After its source code went public on May 12, copycat variants compromised 32 Red Hat Cloud Services npm packages on June 1 — packages pulled 80,000 times a week. The worm harvests more than 20 credential types and self-propagates under the compromised maintainer's identity.

What the market is pricing in

CrowdStrike's Q1 FY27 earnings call reported that AIDR — its AI detection and response product line — grew ending ARR more than 250% sequentially, with a Q2 pipeline above $50 million (SEC-filed 8-K). The company's fleet telemetry shows more than 1,800 agentic applications running across enterprise endpoints. On June 17, CrowdStrike extended AIDR to AWS, adding real-time evaluation of agent, LLM, and MCP communications across Amazon Bedrock, Kiro, and Strands Agents.

That growth rate is a market signal, not a product endorsement. It reflects how many security teams are discovering they cannot distinguish a human employee from an AI agent acting on their behalf — and cannot stop damage at machine speed with tools built for human-speed actions.

The five-check audit

Each row below maps a trust-boundary gap to its June proof point, a verification step, and a board-ready sentence.

**1. Prompt-to-data boundary (SearchLeak / CVE-2026-42824)** Audit CSP allowlists for domains that perform server-side fetches. Review Copilot audit logs for encoded payloads in Search URLs. Confirm Microsoft's server-side patch is applied. Enable sensitivity labels restricting Copilot scope. *Board sentence: "Our AI assistant could search employee email and send results to an attacker through a trusted Microsoft URL. Vendor patched it. We are verifying configuration."*

**2. Gateway credential exposure (LiteLLM CVEs)** Run `pip show litellm`. Anything below v1.83.14-stable is vulnerable to the full Obsidian chain; v1.83.7 fixes the KEV flaw only. Audit proxy_admin accounts. Block `/mcp-rest/test/*` at the proxy. Rotate all provider API keys. *Board sentence: "Our AI gateway held keys for every provider. A default account could promote itself to admin and steal them all. Rotating and patching now."*

**3. AI tooling sprawl (Langflow / CVE-2026-5027)** Query Censys or Shodan for Langflow, Flowise, n8n, and Dify on your perimeter. Check whether auto-login is enabled. Upgrade Langflow to v1.9.0 or later (current release: 1.10.0). Pull AI platforms behind VPN or zero-trust access controls. *Board sentence: "AI dev tools are exposed to the internet with login disabled. A nation-state group is exploiting this flaw now."*

**4. Non-human identity governance (agentic sprawl)** Inventory all non-human identities used by agents and MCP servers. Map agent-to-data-store access. Flag any agent with write access to security policy. Apply least-privilege to every agent identity and set human-in-the-loop gates for policy changes. *Board sentence: "AI agents hold credentials and act autonomously. We do not govern their identity lifecycle the way we govern human access."*

**5. Runtime agentic detection (machine-speed actions)** Test whether your EDR or XDR links agent actions to an originating identity. Verify your SIEM ingests MCP communications. Confirm you can distinguish human from agent activity on the endpoint. Deploy runtime detection capable of evaluating agent actions in real time. *Board sentence: "We cannot distinguish a human employee from an AI agent acting on their behalf at machine speed."*

The fix is plumbing

None of these five gaps required custom malware or a zero-day to exploit. SearchLeak needed a crafted URL. LiteLLM needed a default account. Langflow needed auto-login left on. The June 2 executive order establishing an AI Cybersecurity Clearinghouse sets a July 2 deadline for initial guidance, but policy timelines do not change the June 22 CISA KEV deadline for CVE-2026-42271.

The question is not whether your vendor will patch. It is whether you find the gap before an attacker does.