1. The attack vector: what Agentjacking actually does
The mechanics are specific enough to be uncomfortable.
Sentry is an error monitoring platform widely used in software development workflows. Its
DSN (Data Source Name) keys are write-only and public-facing by design, client applications
write error events to them without requiring read authentication. That’s intentional. The
security model assumes that write access to an error monitoring endpoint isn’t dangerous,
because error data is just observational telemetry.
Tenet Security’s research
documents precisely why that assumption breaks when AI coding agents are in the picture. When
an agent encounters a code error during a development task, it commonly ingests the associated
Sentry event data as diagnostic context, “what does the error log say about why this failed?”
An attacker who can write to a Sentry DSN key (which is publicly accessible by design) can
inject malicious instructions into that event data. The agent reads the poisoned event,
interprets the embedded instructions as legitimate diagnostic context, and executes them.
Executed under what credentials? The developer’s. The agent is running with locally authorized
access. There’s no privilege escalation. There’s no suspicious network connection. EDR, WAF,
IAM policies, and VPN never see an attack, they see the developer’s own agent following its
operational logic.
Tenet Security reported a 85% exploitation success rate in controlled testing across Claude
Code, Cursor, and Codex. The firm also identified at least 2,388 organizations with publicly
exposed Sentry DSN keys it assessed as injectable. Both are Tenet Security’s own research
findings, self-reported, not independently reproduced at time of publication.
2. Who is affected: the exposure surface
The exposure isn’t narrow. It maps to any team running MCP-connected AI coding agents with
active Sentry integration, which describes a large portion of modern development shops.
Claude Code, Cursor, and Codex are three of the most widely adopted AI coding tools in
enterprise and startup development environments. All three are named in Tenet Security’s
disclosure as affected. These aren’t fringe tools. They’re the tooling layer that a
significant portion of the developer population uses daily.
The 2,388+ organization figure from Tenet Security’s scan deserves context. That’s organizations
with injectable DSN keys that Tenet Security was able to identify, not a ceiling on total
exposure. Public repository scanning is a standard security research technique, but it
captures only the portion of exposed keys that appear in publicly accessible code. Private
repositories and misconfigured environment variables not in public repos represent additional
exposure that the scan wouldn’t catch.
MCP adoption is accelerating. The hub’s June 21 coverage of
AWS Bedrock AgentCore’s MCP-native managed web search
documented a hyperscaler committing to MCP as infrastructure. More MCP adoption means more
agents ingesting more telemetry sources under more implicit trust assumptions. Agentjacking’s
attack surface grows with the ecosystem.
The EU AI Act dimension is also relevant here. The
hub’s EU AI Act agentic systems analysis
identified agent trust models as a central unresolved question in conformity assessment for
agentic GPAI. A security disclosure demonstrating active exploitation of an agentic trust
assumption is directly relevant to the foreseeable risk documentation obligations under
emerging GPAI technical standards. EU AI Act compliance teams should flag Agentjacking as
a risk event for their agentic system documentation.
3. Why perimeter controls don’t help
This is the part that security teams need to sit with.
Traditional application security is built around permission boundaries: prevent unauthorized
access, detect privilege escalation, monitor anomalous network behavior. These controls assume
the threat enters from outside the authorized perimeter and behaves differently from authorized
activity.
Agentjacking subverts that model entirely. The agent is authorized. The credentials it uses
are legitimate. The Sentry integration it’s using is configured and expected. The network
connection it’s making is normal. Nothing about the attack looks wrong from the outside –
because the attack is happening inside the agent’s own operational logic, in how it processes
context it’s been given permission to access.
Agentjacking Remediation Checklist
- Audit all Sentry DSN keys, identify publicly exposed keys in repos and envs
- Rotate any injectable DSN keys immediately
- Configure MCP server allowlists, restrict telemetry ingestion to explicit sources
- Scope agent execution to minimum required permissions (read-only where possible)
- Isolate agent sandbox from production credentials and Sentry projects
- Implement agent behavioral monitoring (file writes, shell commands, API calls)
Who This Affects
Researchers assert that EDR, WAF, IAM policies, and VPN controls don’t catch this vector. That claim is technically consistent with the attack mechanism’s design. It also means that
the security dashboard that shows green for a compromised environment will show green
throughout the attack. Detection requires either agent-level behavioral monitoring (watching
what the agent actually does, not just what credentials it’s using) or preventing the malicious
event from being ingested in the first place.
The second option is more tractable. It’s also the only near-term mitigation available.
4. What Sentry said, and what it means
According to Tenet Security’s disclosure documentation, Sentry acknowledged the research
report but stated the vulnerability was “technically not defensible” at the platform level. That characterization hasn’t been directly confirmed from Sentry’s own communications.
The “technically not defensible” framing is worth unpacking. Sentry’s DSN architecture is
write-only by design, removing write access from unauthenticated parties would break the
core error reporting use case for every client application in the ecosystem. Sentry can’t
easily change the fundamental access model without breaking the thing the product does.
That logic is coherent. It doesn’t make the outcome less difficult for development teams. What it means is that Sentry is declining to absorb the architectural cost of remediating
an attack vector that exploits how AI coding agents interact with Sentry’s existing design. The agent developers, Anthropic for Claude Code, Anysphere for Cursor, OpenAI for Codex –
haven’t announced specific mitigations either, as of Tenet Security’s June 12 disclosure.
Nobody is writing the patch. Development teams own the mitigation, individually, now.
5. What developers must do now: the decentralized remediation map
The absence of a platform fix doesn’t mean there’s no mitigation path. It means the path
is decentralized and requires action at the team level. Here’s the structure:
Immediate actions (this week):
Audit Sentry DSN keys. Identify every DSN key in your codebase, CI/CD configuration, and
environment variable management. Any key that appears in a public repository or is accessible
without authentication is potentially injectable. Rotate those keys. Implement DSN key
rotation as a standard part of your security hygiene cycle.
Restrict telemetry ingestion in your agent configuration. If your AI coding agent has an
MCP server connection to Sentry (or any error monitoring platform), configure explicit
allowlists for which Sentry projects and event types the agent is permitted to ingest. Don’t let the agent ingest arbitrary event data from any project it has access to.
Architectural adjustments (this sprint):
Scope agent execution privileges. An agent running with write and execute permissions has
a larger blast radius than one scoped to read-only operations. Review what your agents are
actually permitted to do in your development environment and reduce permissions to the minimum
required for the task.
Isolate agent sandbox environments from production credentials. If the agent is running
against production Sentry events, it has access to production context. Sandboxing agent
development workflows from production data limits the blast radius of a successful injection.
Evidence
Monitoring (ongoing):
Implement agent-level behavioral monitoring. Your EDR won’t catch this. Watching what the
agent actually executes, file writes, shell commands, API calls, is the relevant detection
layer. This is harder to implement than traditional monitoring and requires agent-specific
tooling, but it’s the detection approach that actually maps to this threat model.
6. The broader pattern: agentic security in June 2026
Agentjacking didn’t arrive in isolation. It’s the third significant agentic security
development in ten days.
The hub tracked the convergence of three agentic security frameworks in
the June 19 brief,
documenting how the security community is producing frameworks faster than practitioners
can implement them. DeepMind’s AI Control Roadmap –
covered in the hub’s June 18 brief on AI system governance
– framed deployed agents as insider threats requiring system-level controls. CVE-2026-4372,
the confirmed RCE in Hugging Face Transformers covered in June 5, showed that the model
supply chain itself carries exploitable vulnerabilities.
Agentjacking fits this pattern but adds a specific wrinkle: it’s not a supply chain
vulnerability, a model weight exploit, or a framework gap. It’s an attack against the
trust model that connects agents to external data sources, the connective tissue of how
agentic systems gather context and act on it. That’s a different attack surface than what
the frameworks emerging in June are primarily designed to address.
The concentration of disclosures in June 2026 reflects something real about where the AI
security field is right now. Agentic systems are being deployed at scale. Their security
properties are being discovered by attackers and researchers simultaneously. The maturity
gap between agentic capability deployment and agentic security hardening is visible and
widening. Agentjacking is a symptom of that gap, not the last symptom.
TJS synthesis
Here’s what this disclosure actually requires: a reframe of the threat model for any team
running MCP-connected AI coding agents. Perimeter security assumes a boundary. Agentjacking
exploits the absence of a boundary, specifically, the absence of any boundary between the
agent’s trusted operational context and externally writable telemetry data. Closing that
gap is an architectural decision, not a configuration tweak. Sentry won’t fix it. The agent
developers haven’t shipped a fix. The responsibility is yours, and the timeline is now.
Start with the DSN key audit. It takes an hour and directly addresses the most accessible
attack vector. Then scope agent permissions. Then implement agent behavioral monitoring as
a longer-term detection investment. If you’re running Claude Code, Cursor, or Codex with
Sentry integration today and you haven’t done these steps, you’re running with a documented
active threat. The 2,388+ organizations Tenet Security identified with injectable DSN keys
likely don’t all know they’re in that count.