ai-agent-security sentry-dsx mcp-injection credential-exposure code-execution

Injected errors turn AI agents into code executors

Attackers plant commands in Sentry error reports via publicly-exposed DSNs; agents execute them as trusted guidance through MCP, bypassing all standard security controls.

June 24, 2026

Summary

If your team routes Sentry issues to coding agents (Claude Code, Cursor, Codex), a single crafted error report can execute arbitrary code on developer machines with full access to credentials, CI/CD tokens, and cloud keys. This bypasses EDR, firewalls, and IAM because every step is authorized.

Why it matters

Implementation verdict

No patch exists yet—this is a fundamental model-layer flaw where agents cannot distinguish data from instructions. Immediate: audit Sentry DSN exposure in your codebase (Censys queries, GitHub searches). Rotate any exposed DSNs. Longer term: isolate AI agents in sandboxed runtimes with runtime controls that gate external command execution. Not safe to ignore if you use agent-based code fixing today.

Sources

1.a single fake error report can turn an AI coding agent into a code-execution engine on a developer's own machine
2.The agent cannot tell the data it reads from an instruction to act.
3.Claude Code, Cursor, and Codex all acted on the injected errors, and the team logged more than 100 confirmed executions across separate organizations
4.EDR, WAF, IAM, VPNs, and firewalls register nothing worth flagging
5.Tenet reported 2,388 organizations with injectable DSNs found through passive reconnaissance, of which 71 rank in the Tranco top-1M list of busiest sites
6.Ron Bobrov, a Tenet researcher, reported an 85% success rate across the controlled validation waves

Dev Signal

Get briefs like this in your inbox — free, every weekday.

100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.

Read the full issue →All briefs