CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Cross-application permission chaining risk exposed via AI agents and MCP connectors

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

On January 31, 2026, researchers disclosed an exposed database in Moltbook, a social network for AI agents, which leaked 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents. The database also contained plaintext third-party credentials, including OpenAI API keys, shared between agents in private messages, enabling attackers to hijack AI agents and their associated service integrations through unintended cross-application trust chains. The incident highlights the risk of "toxic combinations" of permissions, where AI agents, MCP servers, or OAuth integrations bridge multiple applications without explicit oversight from any single application owner, creating unauthorized lateral trust pathways that bypass conventional SaaS access reviews. These bridges form at runtime and are invisible to single-app governance, allowing credential exfiltration and command-and-control abuse when combined with weak token hygiene and runtime drift.

Timeline

  1. 22.04.2026 13:41 1 articles · 2h ago

    Discovery of unsecured agent tokens and plaintext credentials in Moltbook database

    On January 31, 2026, researchers identified an exposed Moltbook database containing 35,000 email addresses, 1.5 million agent API tokens, and plaintext third-party API keys, including OpenAI keys, stored across 770,000 active AI agents. The breach revealed how agent-mediated cross-application trust pathways can aggregate sensitive credentials without oversight from any single application owner.

    Show sources
    Open in new tab

Information Snippets

  • Moltbook exposed 35,000 email addresses and 1.5 million agent API tokens across 770,000 active AI agents via an unsecured database on January 31, 2026.

    First reported: 22.04.2026 13:41
    1 source, 1 article
    Show sources

  • Plaintext third-party credentials, including OpenAI API keys, were stored in the same unencrypted table as agent tokens, enabling attackers to hijack agents and reuse credentials across integrated services.

    First reported: 22.04.2026 13:41
    1 source, 1 article
    Show sources

  • Cross-application permission chaining occurs when an AI agent, MCP server, or OAuth integration bridges two or more applications, creating an invisible trust relationship neither application owner oversees.

    First reported: 22.04.2026 13:41
    1 source, 1 article
    Show sources

  • Conventional SaaS access reviews focus on single applications, failing to detect toxic combinations formed by runtime bridges such as MCP connectors or OAuth grants spanning multiple systems.

    First reported: 22.04.2026 13:41
    1 source, 1 article
    Show sources

  • Cloud Security Alliance’s 2025 State of SaaS Security report found 56% of organizations are concerned about over-privileged API access across SaaS-to-SaaS integrations, indicating systemic exposure to these risks.

    First reported: 22.04.2026 13:41
    1 source, 1 article
    Show sources

  • Dynamic SaaS security platforms such as Reco inventory non-human identities (AI agents, bots, MCP servers) and map cross-app trust relationships in real time to detect and mitigate toxic combinations.

    First reported: 22.04.2026 13:41
    1 source, 1 article
    Show sources