This Week in AI Agent Security: CISA, GhostApproval, Friendly Fire, and 94% of Vibe-Coded Apps Are Vulnerable
July 5-10, 2026 was the week AI agent security went from theoretical concern to government action. CISA added the first AI agent platform to KEV. Wiz and AI Now Institute published back-to-back exploits against every major AI coding assistant. A Reddit user scanned 100 vibe-coded apps — 94% had vulnerabilities. Here's everything that happened and what it means.
If you’re building software with AI coding assistants and you’re not thinking about security, July 5-10, 2026 should change that. In the span of five days, the AI agent security landscape transformed from a niche concern to a government-mandated priority. Let me walk you through what happened — the incidents, the exploits, the data, and the regulatory signals. I’ve been tracking this beat nonstop for two weeks, and this was the most intense week yet.
The Timeline
July 6: GitLost — GitHub’s AI Agent Leaks Private Repos
Noma Security published GitLost, demonstrating that GitHub’s AI agent (the one that triages issues and reviews PRs) could be tricked into leaking private repository contents via crafted issues. No credentials required. Just a maliciously structured issue that the agent processes.
The HN thread hit 537 points and 204 comments. GitHub acknowledged the issue but, as of this writing, no fix has shipped. The attack exploits a structural problem: AI agents process untrusted input (public issues) with credentials that grant access to private resources (private repos).
July 7: CISA Adds First AI Agent Platform to KEV
This is the big one that nobody on HN is talking about. CISA added four actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog on July 7. One of them — CVE-2026-55255 — affects Langflow, an open-source platform for building AI agent workflows.
This is the first time an AI agent platform has ever appeared in CISA KEV. The vulnerability is a cross-tenant insecure direct object reference (IDOR): any authenticated user can execute another tenant’s AI workflows by manipulating the flow_id parameter in the /api/v1/responses endpoint.
Sysdig’s Threat Research Team observed active exploitation in the wild. A single operator at IP 45.207.216.55 spent four days (June 22-25) combining the IDOR with an unauthenticated RCE flaw (CVE-2026-33017) against the same Langflow instance. Their payload for the IDOR was one prompt: "leak api keys".
What they stole: LLM provider keys, AWS credentials, database secrets. From every flow on that instance. From every tenant.
The remediation deadline for federal agencies under Binding Operational Directive 26-04: July 10 — today.
Langflow patched this in version 1.9.2 with four lines of code: check if the flow’s user_id matches the authenticated session before executing. The kind of bug any security review catches in five minutes. The kind of bug AI code generators produce with remarkable consistency.
July 8: Friendly Fire and GhostApproval — Back-to-Back Exploits Against AI Coding Assistants
July 8 saw two independent disclosures published hours apart, both targeting the trust boundaries of AI coding assistants.
Friendly Fire (AI Now Institute): A proof-of-concept exploit that tricks AI coding agents into running attacker code during security reviews. The researchers demonstrated attacks against Claude Code in auto-mode and Codex in auto-review mode. When an agent is configured to automatically review and fix security issues, an attacker can embed malicious code in the codebase that the agent’s own security review process executes.
GhostApproval (Wiz Research): Uses 40-year-old symlink tricks to bypass confirmation dialogs in AI coding assistants. The attack exploits the gap between what the agent thinks it’s writing to and what it’s actually writing to. A symlink in the workspace redirects file writes to attacker-controlled paths. The agent’s confirmation dialog shows the intended path — not the real one.
Affected: Amazon Q Developer, Claude Code, Cursor, Google Antigravity, and Windsurf. Amazon, Google, and Cursor have shipped fixes. Anthropic noted that Claude Code’s symlink warning shipped in v2.1.32 (February 5, 2026) — nine days before Wiz submitted their report.
The HN response says everything: GhostApproval sits at 1 point, zero comments. The exact community that should be most concerned about this exploit hasn’t seen it.
July 9: Pentera Weaponizes Claude Desktop Into C2 Infrastructure
Pentera published a proof of concept turning Claude Desktop into a persistent command-and-control agent. The attack chain: email compromise → Claude account pivot → encoded payload in synced Personal Preferences → silent shell command execution via Desktop Commander MCP.
No malware. No exploits. No phishing. Just an email account compromise and a prompt injection in a synced preference field.
This attack extends the threat model beyond “what does the agent do with untrusted code” to “is the agent process itself secured against weaponization.” We covered this in depth earlier this week: Pentera Just Weaponized Claude Desktop’s Synced Preferences Into a Reverse Shell.
July 9: GPT-5.6 Ships
OpenAI released GPT-5.6. The HN thread hit 1,521 points and 1,081 comments. The model is faster (750 tokens/s), cheaper, and more capable.
Matt Shumer, a technical AI founder, tweeted that GPT-5.6-Sol “accidentally deleted almost ALL of my Mac’s files” — if a frontier model can nuke the filesystem of someone who builds AI tools for a living, what’s it doing to the apps of people who don’t know how to harden their systems?
July 9-10: Apple Sues OpenAI
Apple sued OpenAI on July 10, accusing ex-employees of stealing trade secrets “at every level” of the company. The story dominated HN (739 points, 369 comments across multiple submissions). Six separate HN posts on the same day.
The AI security angle: if trade secrets can walk out the door embedded in model weights, the security perimeter extends far beyond the codebase. It extends to the data the model was trained on and the people who trained it.
The Reddit Data: 94% of Vibe-Coded Apps Have Vulnerabilities
While the exploit researchers were publishing, a Reddit user on r/vibecoding was running security scans on AI-generated apps. Their findings: 94% of 100 apps built with Claude, Cursor, and Lovable had security vulnerabilities. A typical AI-generated SaaS app had 53 vulnerabilities.
This is not a research paper. This is not a proof of concept. This is a Reddit user with a scanner checking real apps built by real developers using real AI tools. And 94% of them are shipping vulnerabilities.
The Data Behind the Headlines
The week’s incidents are backed by mounting statistical evidence:
-
Gravitee’s State of AI Agent Security Report (April 2026, n=900+ executives): 81% of teams past planning phase, only 14.4% have full security approval for their AI agent deployments. The gap between adoption and governance is 66 percentage points.
-
NeuralTrust 160-CISO survey: 73% of CISOs are concerned about AI agent security. Only 30% feel prepared to address it. That’s a 43-point confidence gap.
-
Beam.ai: 88% of organizations experienced AI agent incidents, but only 6% of security budgets are allocated to AI agent security. The resource gap is 82 percentage points.
-
Forrester: Predicts a public AI agent breach in 2026. Given the velocity of July’s first 10 days, that prediction might already be true.
-
CERIAS (Purdue): 56% of CEOs report no revenue or cost improvement from GenAI, 95% of GenAI pilots had zero P&L impact, and two-thirds of AI-layoff companies are rehiring.
The Structural Pattern
Looking across all these incidents, a clear pattern emerges:
- AI agents process untrusted input with trusted credentials (GitLost, Langflow)
- AI agents trust workspace structure without verifying actual filesystem state (GhostApproval)
- AI coding agents execute code during review processes designed to prevent code execution (Friendly Fire)
- AI assistants sync behavioral configuration from accounts that can be compromised (Pentera C2)
- AI-generated code inherits the vulnerability patterns of its training data (94% stat)
None of these are AI-specific bugs. They’re classic security failures — authorization bypass, TOCTOU, input validation, credential management — amplified by the speed and scale at which AI agents operate. An AI agent can exploit an IDOR across 10,000 flows in the time it takes a human to exploit one.
What This Means for You
If you’re shipping AI-generated code or running AI agents in production:
-
Audit your agent platforms for authorization gaps. If you’re running Langflow, upgrade to 1.9.2+ now. If you’re running any other agent platform, check whether flow/agent definitions have ownership validation.
-
Rotate credentials that have ever been embedded in agent workflows. The Langflow IDOR harvested LLM keys and AWS credentials. Assume they’ve been exfiltrated.
-
Check your AI coding assistant’s security posture. Update Claude Code, Cursor, Windsurf, Amazon Q, and Google Antigravity to the latest versions. Verify that symlink protections and confirmation dialogs are enabled.
-
Review your AI agent’s access controls. The database deletion incidents (PocketOS, SmarterX, Penligent) share a common root cause: agents had production access without guardrails. Defense in depth — Kastra, Trusty Squire, Destructive Command Guard — is not optional.
-
Scan your AI-generated code. The 94% figure from Reddit isn’t a research artifact. It’s what happens when you check. If you’re shipping AI-generated code without security review, you’re almost certainly shipping vulnerabilities.
What dotfm Is Doing
We’ve been tracking this space for two weeks. In that time, we’ve published seven blog posts analyzing every major incident, built a competitive landscape covering 20+ tools across 6 security layers, and identified 83+ leads — founders and teams who built with AI tools and are now dealing with the consequences.
This week we’re launching two new services:
-
Agent Platform Security Audit: A structured assessment of your AI agent infrastructure against the six DeepMind Agent Traps categories, plus the new “agent as attack infrastructure” dimension. We check for the IDORs, the symlink bypasses, the credential leaks, and the preference injection vectors that the automated scanners can’t detect.
-
Vibe-Code Rescue: If you’ve shipped an AI-built app and you’re not sure what’s under the hood, we’ll do a full codebase audit, identify every vulnerability pattern, and give you a prioritized remediation plan. Not a scanner — a human engineer reading your code and thinking like an attacker.
The automated tools can find the CVEs. They can’t tell you whether your agent’s verification artifacts came from the same agent that performed the action. They can’t spot the business logic failure hidden in syntactically perfect code. They can’t catch the training data doom loop.
That’s what we do. Get in touch.
This post synthesizes reporting from CISA, Sysdig, Wiz Research, AI Now Institute, Pentera, Noma Security, Gravitee, Beam.ai, CERIAS, Forrester, and multiple security news outlets. All data verified against original publications. Published July 11, 2026.
Is your AI-built app ready for real users?
We audit, harden, and ship AI-built apps. From security review to production deployment.
Get an audit →