Sentry MCP server trusted-output injection security flaw
Vulnerability
Summary
Hide ▲
Show ▼
A Sentry architectural flaw can let attacker-crafted error events be returned as trusted output to AI coding agents, creating arbitrary code execution risk on developer machines. The weakness affects exposed organizations that publish a usable DSN and connect Sentry to agents through MCP. Sentry acknowledged the issue and relied on a content filter rather than a full fix.
Related Happenings
Sentry agentjacking analysis shows malicious error events can trigger AI coding agents
Technical Analysis
H score38
First: 11.06.2026 12:15
Last: 11.06.2026 12:15
Sources 1
How related:
Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines.
About this happening:
Researchers described **Agentjacking** as a new attack against **AI coding agents** that abuses **Sentry DSNs** and **MCP** to inject fake error data, causing agents like **Claude...
Sentry agentjacking analysis shows malicious error events can trigger AI coding agents
Technical AnalysisHow related: Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines.
About this happening: Researchers described **Agentjacking** as a new attack against **AI coding agents** that abuses **Sentry DSNs** and **MCP** to inject fake error data, causing agents like **Claude...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Indirect prompt injection payloads against AI agents reveal fraud, deletion, and secret-theft paths
Technical Analysis
H score36
First: 23.04.2026 12:30
Last: 23.04.2026 12:30
Sources 1
About this happening:
**10** new **indirect prompt injection (IPI)** payloads show how web content poisoning can coerce **AI agents** into **financial fraud**, **data destruction**, and **API key theft...
Indirect prompt injection payloads against AI agents reveal fraud, deletion, and secret-theft paths
Technical AnalysisAbout this happening: **10** new **indirect prompt injection (IPI)** payloads show how web content poisoning can coerce **AI agents** into **financial fraud**, **data destruction**, and **API key theft...
Timeline
-
12.06.2026 15:04 2 articles · 5h ago
Researchers describe Agentjacking against Sentry-backed AI coding agents
Initial DisclosureTenet Security describes Agentjacking, a new attack that abuses Sentry DSNs and the Sentry MCP server to feed crafted error events to AI coding agents such as Claude Code and Cursor as trusted guidance, leading the agent to run attacker-controlled code on a developer machine with the developer's privileges. Tenet says it found at least 2,388 organizations exposed with valid injectable DSNs, tested the technique against over 100 organizations, and observed an 85% exploitation success rate in controlled testing. Sentry acknowledged the issue, said it was technically not defensible, and enabled a global content filter that blocks a specific payload string.
Show sources
- Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code — thehackernews.com — 12.06.2026 15:04
- Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code — thehackernews.com — 12.06.2026 15:04