CVE / AI Security2026-05-29

CVE-2026-39987: An AI Agent Got Root on a Database

An LLM agent with notebook access exploited a misconfigured database in under an hour. No human attacker involved, just an agent doing what it was told.

My take

Everyone's rushing to give AI agents access to production systems. Nobody's asking what happens when the agent finds a misconfiguration and exploits it, not maliciously, just because the prompt said 'get the data.' The agent didn't hack anything. It used the access it was given. This is the security model problem nobody wants to talk about.

Terminal

~/security/notes

# what the agent was given
$ cat agent-config.yaml
tools:
  - jupyter_notebook
  - database_query
permissions: read_write
scope: unrestricted
# what the agent did with it
$ grep -i 'GRANT\|ALTER\|DROP' agent-query-log.sql | head -3
GRANT ALL PRIVILEGES ON *.* TO 'agent'@'%';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'agent_controlled';
# the agent escalated its own privileges
# because nothing in the config said it couldn't

Takeaway

If your AI agent has write access to a database with no guardrails, you don't have an AI problem. You have an access control problem. Least privilege isn't optional just because the user is a model.

← All Notes Discuss