Today by the numbers
The four criticals
Every critical item on today's board involves an AI agent, an MCP server, a RAG retrieval channel, or a model-serving proxy. That is no longer a coincidence.
CVE-2026-42208 — LiteLLM SQL injection (CISA KEV)
Authenticated SQL injection in the LiteLLM AI proxy, with in-the-wild exploitation reported. The proxy sits in the model-serving chain for many AI products, so a single compromised gateway can leak prompts, responses, and identity context across tenants.
Anthropic MCP by-design RCE
An architectural remote-code-execution issue in the official MCP SDK — not a single bug but a category. Vulnerability reports cite roughly 200,000 exposed instances and over 150 million downloads of affected components. Any enterprise that has plugged AI agents into MCP servers in the last six months should treat this as in-scope.
Microsoft class advisory — RCE in AI agent frameworks
Microsoft has issued a class-level advisory describing how retrieved content (RAG documents, web pages, attachments) can reach tool calls and bypass prompt-level guardrails — converting a routine retrieval into arbitrary code execution. The fix is not a single patch; it is rethinking where the trust boundary sits.
CVE-2026-26030 — Semantic Kernel RCE via tool-call hijack
A single adversarial document in a RAG corpus is enough to trigger arbitrary tool calls and code execution through Microsoft Semantic Kernel. This is the practical version of the class advisory above — a concrete CVE with a concrete fix path.
The pattern
Read the four criticals together and the shape of the day is clear. The serving proxy, the SDK, the framework, and the retrieval channel are each, in their own way, the same problem: untrusted content reaching a privileged action. The model is no longer the interesting attack surface — the model's tools are.
The high-severity items reinforce it. MCP tool hijacking (CVE-2026-26118), MCP tool-poisoning campaigns against enterprise allow-lists, RAG single-document knowledge-base poisoning, hidden prompt injection in GitHub Copilot pull requests (CVE-2025-53773) — all are variants of the same theme.
What to do this morning
- Inventory MCP servers and agent tools. If your org uses the Anthropic MCP SDK or Microsoft AI agent frameworks, treat exposure as default until proven otherwise.
- Patch the May 2026 Microsoft Patch Tuesday round in priority order — 30 critical CVEs, including the AI-relevant Azure ML Notebook and Azure AI Foundry items.
- Restrict tool-call permissions. Apply NIST 800-53 CM-7 (least functionality) and AC-6 (least privilege) to every agent-tool integration; assume RAG retrieval can carry injection.
- Watch CISA KEV. CVE-2026-42208 is on the catalog with active exploitation — federal teams have a fixed remediation deadline; private-sector teams should treat it the same.
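As an added example (not code from this brief, nor from LiteLLM, MCP or Semantic Kernel), here is one way to encode the boundary the pattern section and the CM-7/AC-6 item describe: a per-agent tool allow-list, plus a rule that once retrieved content is in the context, side-effecting tools need a human and code-execution tools are refused outright. Tool names, privilege tiers and source labels are assumptions for illustration.

```python
# Added example, not from the SAI brief: gate every proposed agent tool call on
# a per-agent allow-list (CM-7) and on whether untrusted retrieved content has
# already entered the context (AC-6). Tool names and tiers are assumed.
from dataclasses import dataclass, field

READ, WRITE, EXEC = 0, 1, 2  # privilege tiers; anything above READ has side effects

# Hypothetical tool catalogue: name -> privilege tier.
TOOL_TIERS = {
    "search_docs": READ,
    "read_ticket": READ,
    "send_email": WRITE,
    "run_shell": EXEC,
}

# Content from these sources (RAG hits, fetched pages, attachments) is not under
# the operator's control and taints the context for the rest of the session.
UNTRUSTED_SOURCES = {"rag", "web", "attachment"}


@dataclass
class AgentContext:
    allowed_tools: set                       # the only tools this agent may ever call
    sources_seen: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def ingest(self, source: str, text: str) -> None:
        """Record where each piece of context came from. The text is never
        inspected: the gate must hold even when the payload is not spotted."""
        self.sources_seen.add(source)

    def tainted(self) -> bool:
        return bool(self.sources_seen & UNTRUSTED_SOURCES)

    def check_tool_call(self, tool: str) -> str:
        """Return 'allow', 'approve' (human in the loop) or 'deny'."""
        if tool not in TOOL_TIERS or tool not in self.allowed_tools:
            verdict = "deny"      # off the allow-list: refuse regardless of context
        elif self.tainted() and TOOL_TIERS[tool] >= EXEC:
            verdict = "deny"      # untrusted content must never reach code execution
        elif self.tainted() and TOOL_TIERS[tool] >= WRITE:
            verdict = "approve"   # side effects from a tainted context need a human
        else:
            verdict = "allow"
        # Keep the decision and the provenance that drove it for detection/IR.
        self.audit.append((tool, sorted(self.sources_seen), verdict))
        return verdict
```

The audit trail is the detection hook: a burst of "deny" verdicts for execution-tier tools right after a RAG ingest is the signature of the single-document hijack the Semantic Kernel item describes.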
Trend signal: indirect prompt injection up 32%
Google research published this morning reports a 32% surge in web-embedded indirect-prompt-injection payloads between November 2025 and February 2026. That is the tide behind today's specific advisories — payloads are getting more common, more sophisticated, and more often found in real, otherwise-legitimate web content.
On the criminal side, BlackFog and Securelist track Q1 2026 as the quarter where encryptionless extortion became the dominant ransomware mode — 1,138 publicly claimed incidents, mostly data-theft and leak-site pressure rather than the older encrypt-and-demand model. The implication for AI: data exposed through a leaky agent or a misconfigured RAG is no longer just an incident, it is leverage.
The full picture
All 18 items SAI tracked today — with severity, framework mapping, and source — live on the Threat Radar. The shape of the threat surface this week is on one page.