Emerging Agentic AI Security Vulnerabilities Expose Enterprise Systems to Widespread Identity-based Attacks
Security researchers have identified several critical ways attackers can exploit agentic AI systems to expose sensitive data and conduct malicious activity, including the execution of arbitrary code and the initiation of potentially harmful actions across disparate applications, systems and services.
“IdentityMesh” Enables Cross-System Exploitation
First up: IdentityMesh. Researchers at AI security firm Lasso Security say they have identified a security flaw in the way agentic AI systems manage identities and context, and that this architectural weakness provides an attacker-friendly path for systems connected via Model Context Protocol (MCP) to be exploited. The vulnerability, dubbed “IdentityMesh” by the Lasso Research team, exploits how AI agents merge identities from multiple MCP-connected systems into a single “functional entity.” This enables threat actors to initiate operations from one MCP-connected system within a group of MCPs and propagate their access to every MCP connected to that group.
Bar Lanyado, Ophir Dror and Or Oxenberg, the researchers who detailed the IdentityMesh vulnerability, found that IdentityMesh breaks traditional security assumptions about how systems are isolated. “IdentityMesh exploits a fundamental weakness in agentic AI: When an AI agent operates across multiple platforms using a unified authentication context, it creates an unintended mesh of identities that collapses security boundaries. It’s the single source of privileges problem,” Bar Lanyado, lead security researcher at Lasso Research, told Security Boulevard.
According to Lanyado, MCP frameworks rely on familiar authentication methods, such as API key authentication for external service access and OAuth token-based authorization for user-delegated permissions. However, these authentication methods operate with the assumption that AI agents will respect the intended isolation between discrete systems, such as Slack and a banking or ticketing system. However, because these systems lack mechanisms to prevent information transfer or operation chaining across discrete systems, all of the identities used to access resources within a group of MCP-connected systems become, in effect, a single identity.
This enables attackers to inject malicious content into external systems that AI agents can access, then leverage the agent’s access across systems to exfiltrate data, phish users for credentials, or distribute malware across environments.
In one example, Lanyado explained how an attacker submits what appears to be a legitimate request into a company’s “Contact Us” form, which then creates a support ticket in the company’s service management software. That ticket now contains instructions crafted to appear as regular customer communications. However, instead, the message provides instructions to exfiltrate data from entirely unrelated systems such as Slack conversations, collaboration systems, GitHub — any external system such as databases, APIs, cloud services, or enterprise applications— connected to the agentic AI through MCP can be targeted.
The research team also described how AI-powered browsers, such as Perplexity’s Comet, Opera Neon, Microsoft Edge — Copilot Mode and Chrome AI Mode, can be exploited through the IdentityMesh vulnerability. For instance, when using Comet, an attacker could post a seemingly normal support request on GitHub, instructing the recipient—an AI assistant integrated into the Comet browser—to follow several steps: Visit Gmail, read the user’s latest email and paste its contents into the same GitHub thread. Because Comet’s AI agent operates with access to all of the user’s active logins, it obediently follows the instructions. The agent navigates to Gmail, accesses a private email using the user’s session, copies the contents and then posts them back to GitHub in public view — completing the workflow as requested.
Because the activity occurs within the usual workflow of the AI agent, traditional security monitoring may not detect that anything is awry. The example further underscores how any system consolidating access to multiple authenticated services under a single AI agent risks this type of cross-boundary exploit, potentially exposing sensitive personal or corporate data to unauthorized parties.
Pynt: MCP Security Shows Exponential Risks
Additionally, research published today by API security platform provider Pynt, analyzing 281 popular Model Context Protocol implementations, found that security risks multiply exponentially as organizations deploy multiple MCPs. While a single MCP presents a 9% chance of being exploitable, systems with three MCPs face a 52% chance of creating high-risk configurations. Organizations using ten MCPs face a 92% probability of exploitation.
The analysis revealed that 72% of MCPs expose sensitive capabilities, including dynamic code execution, filesystem access, or privileged API controls. Additionally, 13% accept inputs from untrusted sources such as web scraping, email and external APIs. Most critically, 9% combine both traits, creating immediately exploitable configurations.
Pynt documented several attack chains that demonstrate practical exploitation paths. “These attacks not only increase the addressable attack surface, but they increase the potential impact, the damage that an attack can do,” said Pynt co-founder and CSO Golan Yosef.
One case involved an email ingestion plugin combined with a code interpreter that allowed attackers to craft emails triggering prompt injection, routing directly into code execution without user approval. Another involved a markdown parser, MCP, with remote HTML loading capability that enabled attackers to serve malicious payloads through web scraping plugins, which were then forwarded to shell command plugins.
Combined Attack Scenarios Present Systemic Risk
Security experts warn that these vulnerabilities can be combined to create cascading system failures. A typical attack scenario might begin with malicious content processed through the Comet browser, trigger IdentityMesh lateral movement through connected AI agents, then exploit MCP vulnerabilities to access databases and deploy malware across organizational networks.
The research highlights a fundamental shift in AI security threats, where traditional component-by-component security analysis fails to address emergent vulnerabilities created through these complex AI system interactions.
Mitigation Recommendations
Security researchers recommend immediate steps to reduce exposure:
For MCP security: Require user approval for all MCP server calls, disable unused servers and tools, containerize MCP servers with system access, and avoid installing untrusted content servers alongside sensitive capability servers.
For IdentityMesh prevention: Implement context isolation between AI agent operations, deploy runtime monitoring for cross-system behavior, use memory validation mechanisms and implement strict access controls for agent identities.
For agentic browser security: Use profile isolation for deployments, implement strict permission controls for connected services, and monitor AI assistant actions for anomalous behavior.
The emergence of these vulnerabilities signals the need for AI-specific security frameworks that address the unique challenges of agentic systems operating across multiple platforms and services. “It’s a classic case of usability versus security,” said Yosef. “You want to give these systems some autonomous control, some degree of freedom to do what they are great at. But you need to be able to control these systems as well,” he said.
