No perimeter defense catches this. That’s the point.
Tenet Security’s research disclosure
documents a vulnerability class that exploits a structural assumption in how MCP-connected
AI coding agents process telemetry: that data ingested from error monitoring tools like Sentry
is trustworthy. It isn’t, or rather, it doesn’t have to be. Publicly accessible Sentry DSN
(Data Source Name) keys can be written to by anyone. An attacker who poisons a Sentry event
with malicious instructions can cause an AI coding agent to execute those instructions as part
of its routine error-diagnosis workflow.
How it works. Sentry DSN keys are typically write-only and public-facing, that’s
by design, to allow error reporting from client environments. But when an AI coding agent
encounters an error, it often ingests the associated Sentry event data as context for
diagnosis. That ingestion path becomes the attack vector. The agent reads the poisoned event,
interprets the embedded instructions as legitimate diagnostic context, and executes, under
the developer’s locally authorized credentials. EDR, WAF, IAM policies, and VPN don’t see an
attack. They see the developer’s own agent doing its job.
Tenet Security reported an 85% exploitation success rate in controlled testing across named
affected tools: Claude Code, Cursor, and Codex. The firm also identified at least 2,388
organizations with publicly exposed Sentry DSN keys it assessed as injectable. Both figures
are Tenet Security’s own research findings, self-reported metrics from the disclosing firm,
not independently reproduced.
Agentjacking Immediate Mitigation Steps
- Audit and rotate exposed Sentry DSN keys in all repositories
- Sandbox MCP server connections, allowlist telemetry sources explicitly
- Scope agent execution to read-only where possible
- Review all error-monitoring integrations in agent context pipeline
- Remove reliance on EDR/WAF alerts for this attack vector, they won't trigger
Sentry’s response. According to Tenet Security’s disclosure, Sentry acknowledged
the report but stated the vulnerability was “technically not defensible” at the platform level. No automated platform-level remediation is currently available from Sentry or the major
coding agent developers. That’s not a minor footnote. It means the responsibility for
mitigation sits entirely with development teams, not with the platform vendor, and not with
the agent developers.
Why perimeter controls don’t help. Researchers assert that the attack bypasses
EDR, WAF, IAM policies, and VPN because the agent is operating under authorized developer
credentials throughout. There’s no lateral movement, no suspicious network connection, no
privilege escalation, from the security tooling’s perspective, the agent is doing exactly
what it’s permitted to do. The attack surface isn’t a permission boundary. It’s a trust
assumption baked into the agent’s context-ingestion behavior.
Context. The hub has tracked an accelerating concentration of agentic security
disclosures across June. The
EU AI Act agentic systems brief
identified the agent trust model as a central unresolved question in conformity assessment. The
three agentic security frameworks brief
documented convergent framework development. Agentjacking is the live exploitation case that
these frameworks are, belatedly, trying to address. MCP adoption is accelerating, as the
hub’s June 21 brief on AWS Bedrock AgentCore’s MCP-native web search showed. Agentjacking
shows what that adoption curve looks like when the trust model underneath MCP hasn’t been
hardened.
What developers should do now. No platform fix is coming from Sentry. That leaves
these decentralized mitigations:
Evidence
– Audit all Sentry DSN keys in your codebase and environment. Rotate any keys that are exposed
in public repositories or accessible without authentication. – Sandbox MCP server connections. Restrict the telemetry sources your coding agent can ingest
to explicitly allowlisted endpoints. – Scope agent execution privileges. An agent that can only read, not write or execute, limits
the blast radius if a poisoned event is processed. – Review error-monitoring integrations in your agent’s context pipeline. Any telemetry source
that’s write-accessible to third parties is a potential injection vector under this class
of attack. – Don’t rely on EDR or WAF alerts as your detection layer for this vector. They won’t fire.
TJS synthesis. Agentjacking is a clean demonstration of why the agentic AI security
problem is structurally different from traditional application security. The attack doesn’t
break a permission boundary. It exploits a trust assumption, and trust assumptions are
architecture, not configuration. Sentry’s “technically not defensible” response is
understandable from a platform architecture standpoint, but it transfers the entire remediation
burden to thousands of development teams simultaneously. If your team is running Claude Code,
Cursor, or Codex with Sentry integration and MCP connectivity, treat this as an active threat
requiring immediate DSN key audit and agent privilege review, not a future backlog item.