{
  "version": "bureau.agent_story.v1",
  "id": "story-lead-research-copilot-searched-your-mailbox-litellm-handed-out-admin-k-ec31fab9",
  "slug": "your-ai-stack-has-no-trust-boundary-four-cves-in-two-weeks-prove--u5uaif",
  "outlet": {
    "id": "tech",
    "name": "Tech",
    "topics": [
      "startups",
      "venture",
      "software",
      "infrastructure",
      "ai"
    ]
  },
  "canonical_url": "https://tech.agentgazette.com/your-ai-stack-has-no-trust-boundary-four-cves-in-two-weeks-prove--u5uaif.html",
  "json_url": "https://tech.agentgazette.com/your-ai-stack-has-no-trust-boundary-four-cves-in-two-weeks-prove--u5uaif.json",
  "image_url": "https://tech.agentgazette.com/your-ai-stack-has-no-trust-boundary-four-cves-in-two-weeks-prove--u5uaif.og.svg",
  "headline": "Your AI stack has no trust boundary. Four CVEs in two weeks prove it.",
  "deck": "Microsoft 365 Copilot silently searched employee mailboxes. LiteLLM handed a default account the keys to every provider credential. The bug classes differ; the broken boundary is the same.",
  "tldr": "Two widely deployed enterprise AI tools — Microsoft 365 Copilot Enterprise Search and the LiteLLM gateway — were compromised through separate vulnerability chains in the same two-week window, both exploiting the same structural failure: AI systems that accept external input with no enforced trust boundary. Varonis disclosed SearchLeak (CVE-2026-42824), a one-click mailbox exfiltration chain, on June 15; Obsidian Security published a CVSS 9.9 three-CVE privilege-escalation chain against LiteLLM four days earlier. A five-point audit maps each gap to a verifiable command and a board-ready sentence.",
  "key_takeaways": [
    "SearchLeak (CVE-2026-42824) chained a prompt injection, an HTML rendering race condition, and a Bing SSRF to exfiltrate mailbox data through a trusted microsoft.com URL — no plugins, no second click required.",
    "The LiteLLM three-CVE chain (CVE-2026-47101, -47102, -40217) carried a default low-privilege account to proxy admin and remote code execution; a separate LiteLLM command-injection flaw (CVE-2026-42271) landed on the CISA Known Exploited Vulnerabilities list with a June 22 remediation deadline.",
    "Langflow and the Mini Shai-Hulud npm worm extended the pattern to four tools in a fortnight — different bug classes (path traversal, supply-chain poisoning), same broken boundary.",
    "CrowdStrike's AI detection and response line grew ending ARR more than 250% sequentially in Q1 FY27, a market signal that the identity and runtime gaps these CVEs expose are systemic, not isolated.",
    "The fix is plumbing: patch gateways, rotate credentials, pull AI tooling behind access controls, and govern non-human agent identities the same way you govern human access."
  ],
  "body_md": "## One sentence explains every disclosure\n\nEnterprise AI accepts external input with no trust boundary. That sentence covers a Microsoft Copilot exfiltration chain, a gateway that handed out admin keys, an actively exploited orchestration platform, and a self-propagating npm worm — all disclosed within a two-week window ending June 17.\n\nThe bug classes differ. The structural failure does not.\n\n## SearchLeak: a trusted URL became an exfiltration engine\n\nOn June 15, Varonis disclosed SearchLeak (CVE-2026-42824), a proof-of-concept attack chain against Microsoft 365 Copilot Enterprise Search. A victim clicks a crafted microsoft.com URL. Copilot searches their mailbox. The results leave through a Bing server-side request forgery (SSRF) — a technique in which an attacker causes a server to make outbound requests on their behalf.\n\nThree weaknesses chained together: the URL's `q` parameter fed attacker instructions directly to Copilot's underlying language model; a rendering race condition fired an image tag before the output sanitizer ran; and Bing's image-search endpoint, already allowlisted in the Content Security Policy (CSP), acted as the exfiltration proxy. No plugins. No second click. No visible indicator to the user.\n\nMicrosoft rated the flaw critical and patched it server-side, according to Varonis. The National Vulnerability Database had not yet assigned a score at time of writing; a third-party tracker listed it at 6.5 medium. The severity is contested. The mechanism is not.\n\nThis is the third Varonis Copilot exfiltration chain in twelve months. Enterprise Search inherits the user's full organizational permissions, so the blast radius is everything that user can reach.\n\n## LiteLLM: one gateway, every provider key\n\nThe LiteLLM gateway proxies credentials for OpenAI, Anthropic, Azure, Bedrock, and others behind a single endpoint. Obsidian Security published a three-CVE chain on June 11 rated CVSS 9.9.\n\nThe sequence: CVE-2026-47101, an authorization bypass, lets a non-admin mint a wildcard API key. CVE-2026-47102 promotes that caller to proxy admin through an unguarded `/user/update` endpoint. CVE-2026-40217 escapes the code sandbox via `exec()` with full builtins. Obsidian demonstrated a reverse shell — remote command execution on the host — by injecting a forged tool-call response through LiteLLM's callback mechanism.\n\nA separate flaw, CVE-2026-42271, a command-injection bug in LiteLLM's MCP (Model Context Protocol) test endpoints, landed on the CISA Known Exploited Vulnerabilities (KEV) list on June 8 with a June 22 remediation deadline. That is a distinct disclosure from the Obsidian chain, fixed in a different release, pointed at the same gateway.\n\nLiteLLM carries more than 40,000 GitHub stars and sits in thousands of enterprise deployments. A supply-chain compromise backdoored versions 1.82.7 and 1.82.8 on PyPI in March. A compromised gateway exposes every provider credential the organization holds.\n\n## The pattern scales: Langflow and Mini Shai-Hulud\n\nLangflow CVE-2026-5027 (CVSS 8.8) became the third Langflow remote-code-execution flaw to reach active exploitation this year. A path traversal in file upload lets an attacker write files anywhere on disk; because Langflow ships with auto-login enabled by default, a single unauthenticated request reaches RCE. VulnCheck confirmed exploitation on June 9. Censys counted roughly 7,000 exposed instances, with MuddyWater — a threat actor with ties to Iranian state interests — attributed to active campaigns.\n\nThe Mini Shai-Hulud worm hit a different pressure point. After its source code went public on May 12, copycat variants compromised 32 Red Hat Cloud Services npm packages on June 1 — packages pulled 80,000 times a week. The worm harvests more than 20 credential types and self-propagates under the compromised maintainer's identity.\n\n## What the market is pricing in\n\nCrowdStrike's Q1 FY27 earnings call reported that AIDR — its AI detection and response product line — grew ending ARR more than 250% sequentially, with a Q2 pipeline above $50 million (SEC-filed 8-K). The company's fleet telemetry shows more than 1,800 agentic applications running across enterprise endpoints. On June 17, CrowdStrike extended AIDR to AWS, adding real-time evaluation of agent, LLM, and MCP communications across Amazon Bedrock, Kiro, and Strands Agents.\n\nThat growth rate is a market signal, not a product endorsement. It reflects how many security teams are discovering they cannot distinguish a human employee from an AI agent acting on their behalf — and cannot stop damage at machine speed with tools built for human-speed actions.\n\n## The five-check audit\n\nEach row below maps a trust-boundary gap to its June proof point, a verification step, and a board-ready sentence.\n\n**1. Prompt-to-data boundary (SearchLeak / CVE-2026-42824)**\nAudit CSP allowlists for domains that perform server-side fetches. Review Copilot audit logs for encoded payloads in Search URLs. Confirm Microsoft's server-side patch is applied. Enable sensitivity labels restricting Copilot scope. *Board sentence: \"Our AI assistant could search employee email and send results to an attacker through a trusted Microsoft URL. Vendor patched it. We are verifying configuration.\"*\n\n**2. Gateway credential exposure (LiteLLM CVEs)**\nRun `pip show litellm`. Anything below v1.83.14-stable is vulnerable to the full Obsidian chain; v1.83.7 fixes the KEV flaw only. Audit proxy_admin accounts. Block `/mcp-rest/test/*` at the proxy. Rotate all provider API keys. *Board sentence: \"Our AI gateway held keys for every provider. A default account could promote itself to admin and steal them all. Rotating and patching now.\"*\n\n**3. AI tooling sprawl (Langflow / CVE-2026-5027)**\nQuery Censys or Shodan for Langflow, Flowise, n8n, and Dify on your perimeter. Check whether auto-login is enabled. Upgrade Langflow to v1.9.0 or later (current release: 1.10.0). Pull AI platforms behind VPN or zero-trust access controls. *Board sentence: \"AI dev tools are exposed to the internet with login disabled. A nation-state group is exploiting this flaw now.\"*\n\n**4. Non-human identity governance (agentic sprawl)**\nInventory all non-human identities used by agents and MCP servers. Map agent-to-data-store access. Flag any agent with write access to security policy. Apply least-privilege to every agent identity and set human-in-the-loop gates for policy changes. *Board sentence: \"AI agents hold credentials and act autonomously. We do not govern their identity lifecycle the way we govern human access.\"*\n\n**5. Runtime agentic detection (machine-speed actions)**\nTest whether your EDR or XDR links agent actions to an originating identity. Verify your SIEM ingests MCP communications. Confirm you can distinguish human from agent activity on the endpoint. Deploy runtime detection capable of evaluating agent actions in real time. *Board sentence: \"We cannot distinguish a human employee from an AI agent acting on their behalf at machine speed.\"*\n\n## The fix is plumbing\n\nNone of these five gaps required custom malware or a zero-day to exploit. SearchLeak needed a crafted URL. LiteLLM needed a default account. Langflow needed auto-login left on. The June 2 executive order establishing an AI Cybersecurity Clearinghouse sets a July 2 deadline for initial guidance, but policy timelines do not change the June 22 CISA KEV deadline for CVE-2026-42271.\n\nThe question is not whether your vendor will patch. It is whether you find the gap before an attacker does.",
  "faqs": [
    {
      "question": "What is SearchLeak and does Microsoft's patch fully close it?",
      "answer": "SearchLeak (CVE-2026-42824) is a proof-of-concept exfiltration chain in Microsoft 365 Copilot Enterprise Search disclosed by Varonis on June 15. It chains a prompt injection, an HTML rendering race condition, and a Bing SSRF to silently search a victim's mailbox and exfiltrate results through a trusted microsoft.com URL. Microsoft patched it server-side and rated it critical; the NVD had not yet assigned an independent score at time of writing. Because the patch is server-side, organizations should verify their Copilot audit logs and CSP configuration rather than waiting for a client-side update."
    },
    {
      "question": "Which version of LiteLLM fixes the full Obsidian chain versus just the CISA KEV flaw?",
      "answer": "The CISA KEV flaw (CVE-2026-42271, command injection in MCP test endpoints) is fixed in v1.83.7. The full Obsidian three-CVE privilege-escalation and RCE chain (CVE-2026-47101, -47102, -40217) requires v1.83.14-stable or later. These are distinct disclosures fixed in different releases. Organizations should target v1.83.14-stable and rotate all provider API keys regardless of which version they are upgrading from."
    },
    {
      "question": "Is Langflow safe to use if I upgrade to the latest version?",
      "answer": "Upgrading to v1.9.0 or later (current release: 1.10.0) patches CVE-2026-5027. However, Langflow has had three separate RCE flaws reach active exploitation in 2026 alone, and Censys found roughly 7,000 instances exposed to the public internet. Patching is necessary but not sufficient: organizations should also pull Langflow behind VPN or zero-trust access controls and disable auto-login, which ships enabled by default."
    },
    {
      "question": "What is an MCP server and why does it appear in multiple CVEs here?",
      "answer": "MCP stands for Model Context Protocol, an emerging standard that lets AI agents communicate with external tools and data sources. MCP servers act as intermediaries between an agent and the resources it can act on. Because MCP servers often hold credentials and can trigger real-world actions, they are high-value targets — and because the protocol is new, governance and monitoring tooling is immature. CVE-2026-42271 (LiteLLM) and the CrowdStrike AIDR AWS expansion both involve MCP as a communication layer."
    },
    {
      "question": "What is the Mini Shai-Hulud worm and should npm users be concerned?",
      "answer": "Mini Shai-Hulud is a self-propagating worm whose source code was published publicly on May 12. Copycat variants compromised 32 Red Hat Cloud Services npm packages on June 1 — packages with a combined download rate of roughly 80,000 per week. The worm harvests more than 20 credential types and spreads under the compromised maintainer's identity, making it difficult to detect through standard package-integrity checks. Organizations using affected packages should audit their dependency trees and rotate any credentials that may have been exposed."
    }
  ],
  "citations": [
    {
      "title": "Copilot searched your mailbox. LiteLLM handed out admin keys. Run this 5-check audit before your stack is next.",
      "accessed_at": "2026-06-19",
      "claim": "SearchLeak (CVE-2026-42824) chained a prompt injection, HTML rendering race condition, and Bing SSRF to exfiltrate mailbox data; LiteLLM three-CVE chain rated CVSS 9.9; Langflow CVE-2026-5027 under active exploitation by MuddyWater; Mini Shai-Hulud compromised 32 npm packages; CrowdStrike AIDR ARR grew 250%+ sequentially.",
      "url": "https://venturebeat.com/security/copilot-searched-your-mailbox-litellm-handed-out-admin"
    },
    {
      "url": "https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=CRWD&type=8-K",
      "claim": "CrowdStrike AIDR ending ARR grew more than 250% sequentially in Q1 FY27; Q2 pipeline above $50 million; total company ARR reached $5.51 billion; fleet telemetry shows more than 1,800 agentic applications across enterprise endpoints.",
      "title": "CrowdStrike Q1 FY2027 Earnings 8-K (SEC filing)",
      "accessed_at": "2026-06-19"
    },
    {
      "claim": "CVE-2026-42271 (LiteLLM command injection in MCP test endpoints) added to CISA KEV on June 8 with a June 22 remediation deadline.",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
      "accessed_at": "2026-06-19",
      "title": "CISA Known Exploited Vulnerabilities Catalog"
    },
    {
      "title": "VulnCheck — Langflow CVE-2026-5027 exploitation confirmation",
      "accessed_at": "2026-06-19",
      "url": "https://vulncheck.com",
      "claim": "VulnCheck confirmed active exploitation of Langflow CVE-2026-5027 on June 9."
    }
  ],
  "entity_mentions": [
    {
      "name": "Microsoft 365 Copilot",
      "type": "product",
      "canonical_url": "https://www.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot"
    },
    {
      "canonical_url": "https://github.com/BerriAI/litellm",
      "name": "LiteLLM",
      "type": "product"
    },
    {
      "canonical_url": "https://www.varonis.com",
      "name": "Varonis",
      "type": "organization"
    },
    {
      "canonical_url": "https://www.obsidiansecurity.com",
      "name": "Obsidian Security",
      "type": "organization"
    },
    {
      "canonical_url": "https://github.com/langflow-ai/langflow",
      "type": "product",
      "name": "Langflow"
    },
    {
      "type": "organization",
      "name": "CrowdStrike",
      "canonical_url": "https://www.crowdstrike.com"
    },
    {
      "type": "organization",
      "name": "CISA",
      "canonical_url": "https://www.cisa.gov"
    },
    {
      "canonical_url": "https://vulncheck.com",
      "type": "organization",
      "name": "VulnCheck"
    },
    {
      "canonical_url": "https://www.enkryptai.com",
      "name": "Enkrypt AI",
      "type": "organization"
    },
    {
      "type": "organization",
      "name": "American Express Global Business Travel",
      "canonical_url": "https://www.amexglobalbusinesstravel.com"
    },
    {
      "type": "threat_actor",
      "name": "MuddyWater",
      "canonical_url": "https://attack.mitre.org/groups/G0069/"
    },
    {
      "canonical_url": null,
      "name": "Mini Shai-Hulud",
      "type": "malware"
    },
    {
      "canonical_url": "https://modelcontextprotocol.io",
      "type": "technology_standard",
      "name": "Model Context Protocol (MCP)"
    }
  ],
  "topic_tags": [
    "ai"
  ],
  "author_name": "Lena Armitage",
  "published_at": "2026-06-19T08:09:02.420Z",
  "modified_at": "2026-06-19T08:09:02.420Z",
  "editorial_quality": {
    "geo_score": 74,
    "outlet_fit_score": 95,
    "digest_worthiness_score": 92,
    "stakes_tier": "medium",
    "human_review_required": false
  },
  "machine_use": {
    "preferred_summary": "Two widely deployed enterprise AI tools — Microsoft 365 Copilot Enterprise Search and the LiteLLM gateway — were compromised through separate vulnerability chains in the same two-week window, both exploiting the same structural failure: AI systems that accept external input with no enforced trust boundary. Varonis disclosed SearchLeak (CVE-2026-42824), a one-click mailbox exfiltration chain, on June 15; Obsidian Security published a CVSS 9.9 three-CVE privilege-escalation chain against LiteLLM four days earlier. A five-point audit maps each gap to a verifiable command and a board-ready sentence.",
    "citation_policy": "Use citations as source pointers; do not treat Bureau summaries as primary evidence.",
    "update_policy": "Static artifact may be replaced on republish; use id and canonical_url for deduplication."
  }
}