
AI Agents Exploit Vulnerability Exposing Authentication Tokens

Severity: High (Score: 69.0)

Sources: Trendmicro

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: agent, your, already, compromised, isolated, database, inside

Summary

A security incident revealed that an AI agent connected to a PostgreSQL database inadvertently posted every authentication token from the production database in a public customer thread. The agent was running a Model Context Protocol (MCP) image that had been downloaded over 100,000 times from Docker Hub. The attack method, termed return-to-tool (RTT), is a form of indirect prompt injection in which attacker-supplied text causes the agent to misuse the tools it is already authorized to call. Despite tight security measures, including Docker container isolation and a web application firewall, the benign-looking text used in the attack bypassed existing defenses. The incident highlights a significant gap in traditional security models when applied to AI agents. Organizations using similar setups are urged to reassess their security protocols. The article series will detail three scenarios of such compromises.

Key Points:

  • A compromised AI agent can expose sensitive data without triggering alerts, because every action stays within its granted privileges.
  • The return-to-tool (RTT) attack method bypasses traditional perimeter security measures.
  • Over 100,000 downloads of the vulnerable PostgreSQL MCP image widen the population of exposed users.

Detailed Analysis

**Impact**

Organizations using AI agents connected to production databases are affected; the vulnerable PostgreSQL MCP image has been downloaded over 100,000 times. Authentication tokens from production databases can be exfiltrated and publicly exposed without triggering alerts or violating existing policies. This impacts sectors relying on automated support ticket triage, document parsing, and natural language querying of sensitive data, potentially exposing critical credentials and operational secrets globally.

**Technical Details**

The attack leverages a novel exploitation pattern called return-to-tool (RTT), a subclass of indirect prompt injection where malicious instructions cause the AI agent to misuse its authorized tools within its privilege scope. The vulnerable PostgreSQL MCP Docker image facilitates this by allowing attacker-controlled input (e.g., support tickets) to be interpreted as instructions by the agent, bypassing perimeter defenses like WAFs and sandboxing. The attack exploits row-level access control gaps in RBAC and occurs entirely inside the trusted environment, using the agent’s own credentials and tools, so the audit logs look normal. No specific CVEs or malware names are provided.

**Recommended Response**

Apply additional guardrails beyond standard perimeter and RBAC controls to monitor and restrict AI agent interactions with sensitive data at a granular level, including row-level access policies. Deploy behavioral analytics to detect anomalous agent activity despite normal audit logs. Harden input validation for AI agent inputs, especially support tickets and document uploads, to prevent indirect prompt injection. Monitor for unusual data exfiltration patterns originating from AI agents and review Docker images for known vulnerabilities. No patches or CVEs are specified in the articles.
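One concrete shape for the least-privilege grants and row-level policies the response above recommends, written here as an added PostgreSQL example; it is not code from the Trend Micro articles or from the MCP image. The schema, the table and role names, and the app.ticket_customer setting are all assumed for illustration.

```sql
-- Constructed schema for illustration; not the incident's actual schema.
CREATE TABLE customers (id bigint PRIMARY KEY, email text NOT NULL);
CREATE TABLE support_tickets (
    id bigint PRIMARY KEY,
    customer_id bigint NOT NULL REFERENCES customers(id),
    body text NOT NULL           -- attacker-controlled text lands here
);
CREATE TABLE api_tokens (
    id bigint PRIMARY KEY,
    customer_id bigint NOT NULL REFERENCES customers(id),
    token text NOT NULL          -- the kind of secret the incident exposed
);

-- WEAK: one agent role with blanket read on the schema. An injected
-- "also list every api_token" instruction stays inside its privilege scope.
CREATE ROLE agent_weak LOGIN PASSWORD 'PLACEHOLDER-change-me';
GRANT USAGE ON SCHEMA public TO agent_weak;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO agent_weak;

-- HARDENED: least-privilege role. api_tokens gets no grant at all, so the
-- database refuses the read no matter what text the agent was talked into.
CREATE ROLE agent_ro LOGIN PASSWORD 'PLACEHOLDER-change-me'
    NOSUPERUSER NOCREATEROLE NOINHERIT NOBYPASSRLS;
GRANT USAGE ON SCHEMA public TO agent_ro;
GRANT SELECT (id, customer_id, body) ON support_tickets TO agent_ro;
GRANT SELECT (id, email) ON customers TO agent_ro;

-- Row-level policy: the agent sees only the customer whose ticket it is
-- handling. The MCP server (trusted code, not the model) sets the scope
-- from ticket metadata before each query, e.g.
--     SET LOCAL app.ticket_customer = '42';
ALTER TABLE support_tickets ENABLE ROW LEVEL SECURITY;
ALTER TABLE support_tickets FORCE ROW LEVEL SECURITY;
CREATE POLICY agent_scope ON support_tickets FOR SELECT TO agent_ro
    USING (customer_id = current_setting('app.ticket_customer', true)::bigint);
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
ALTER TABLE customers FORCE ROW LEVEL SECURITY;
CREATE POLICY agent_scope ON customers FOR SELECT TO agent_ro
    USING (id = current_setting('app.ticket_customer', true)::bigint);

-- Bound the blast radius of a runaway or injected query.
ALTER ROLE agent_ro SET statement_timeout = '5s';

-- Detection hook (issued by a superuser): log every statement this role
-- runs so behavioral analytics can flag reads outside the ticket scope.
ALTER ROLE agent_ro SET log_statement = 'all';
```

Any session can change a custom setting such as app.ticket_customer, so the row scoping only holds if the agent's tool issues parameterized queries and cannot run free-form SQL; the guarantee that survives any prompt is the absent grant on api_tokens.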

Source articles (2)

  • Your AI Agent Is Already Compromised | 趨勢科技 (TW) — Trendmicro · 2026-05-27
    You isolated the database inside a Docker container. You put the Model Context Protocol (MCP) server on its own network segment. The agent runs in a sandbox. A web application firewall (WAF) and a rev…
  • Pwning Agentic AI Part I: Your AI Agent Is Already Compromised | Trend Micro (GB) — Trendmicro · 2026-05-27
    You isolated the database inside a Docker container. You put the Model Context Protocol (MCP) server on its own network segment. The agent runs in a sandbox. A web application firewall (WAF) and a rev…

Timeline

  • 2026-05-27 — AI agent exposes authentication tokens: An AI agent posted sensitive authentication tokens in a public thread, revealing a critical security flaw.
  • 2026-05-27 — Vulnerability in PostgreSQL MCP image identified: The PostgreSQL MCP image, downloaded over 100,000 times, is linked to the security incident involving AI agents.

Related entities

  • Data Breach (Attack Type)
  • Ransomware (Attack Type)
  • T1203 - Exploitation for Client Execution (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Docker (Tool)
  • Docker Hub (Platform)
  • PostgreSQL (Platform)