CERT-FR CERTFR-2026-ACT-016 — Agentic AI tool risks: prompt injection, MCP supply chain, sandboxing

The Apereo Foundation released CAS version 7.3.7.1 on 2026-05-27 fixing an unspecified vulnerability in the OpenID Connect identity-provider component of its Central Authentication Service. Apereo scoped the disclosure to deployments where CAS acts as an OIDC IdP (no explicit statement about non-OIDC deployments, but the scoping suggests SAML / Kerberos-only configurations are out of scope of this specific defect). The reporters are Artur Stoecklin and David Roth at Coop (Switzerland), who reported the issue to the Apereo team via the YesWeHack bug-bounty platform — a direct CH-discovered identity-infrastructure issue rather than a vendor-only disclosure. CERT-FR / ANSSI issued advisory CERTFR-2026-AVI-0654 on 2026-05-28 framing the impact as "un problème de sécurité non spécifié par l'éditeur" and recommending immediate patching. Full technical details are withheld pending the standard security grace window. Apereo CAS is the dominant open-source SSO platform in European higher education and is also deployed across Swiss federal and cantonal administrations.

Why it matters to us: CH-relevant identity infrastructure with an EU-wide deployment footprint and a CH-sourced disclosure. Until technical detail is public, prioritise upgrade to the fixed version 7.3.7.1 on any CAS instance acting as an OIDC IdP and monitor OIDC token-issuance logs for unexpected client_id values, anomalous sub claims and tokens granted to unregistered clients.

ANSSI / CERT-FR issued CERTFR-2026-AVI-0635 on 2026-05-22 covering a security-policy bypass vulnerability in SPIP (Système de Publication pour l'Internet) versions prior to 4.4.15; SPIP 4.4.15 was released the same day (SPIP blog, 2026-05-22). The advisory quotes the issue in CERT-FR's standard French: "Une vulnérabilité a été découverte dans SPIP. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité. SPIP versions antérieures à 4.4.15 sont affectées." (in English: a vulnerability allows an attacker to bypass the security policy; versions prior to 4.4.15 are affected). No CVE identifier or CVSS score is attached to the CERT-FR notice yet; no exploitation in the wild has been reported.

The SPIP project blog characterises the underlying issue specifically as an open-redirect vulnerability in the cookie action — the "policy bypass" framing in the CERT-FR advisory is the standard generic catch-all used by ANSSI, not a separate finding. SPIP is the predominant CMS across French public administration — préfectures, ministries, research institutions — and the Francophone government sphere in Belgium, Switzerland (Romandie cantonal and communal sites) and Canada. Open-redirect issues in authenticated cookie paths are typically chained into account-impersonation or token-laundering against OAuth/OpenID-Connect identity providers, so the EU/CH public-sector risk is concrete even without a CVE in the loop yet. SPIP 4.4.15 is the immediate follow-on to the earlier-May 4.4.14 security release. Detection vantage: review SPIP access logs for unexpected redirect-parameter values on the cookie-action endpoint and any outbound 30x responses to attacker-controlled hosts; defenders should also note that Swiss cantonal and communal administrations using SPIP for public portals fall under the 24-hour NCSC.ch reporting obligation for critical-infrastructure operators if a SPIP intrusion is later confirmed.

Why it matters to us: every Romandie cantonal/communal SOC with a SPIP-built portal needs to patch in this cycle; the absence of a CVE makes it easy to overlook on automated patch-track reports.

CERT-FR's advisory CERTFR-2026-AVI-0564 (2026-05-12) covers multiple remote code execution flaws in SPIP — the open-source CMS that powers a substantial share of French ministry, université and francophone Swiss canton web sites (CERT-FR CERTFR-2026-AVI-0564, 2026-05-12; SPIP security bulletin, 2026-05-12). The SPIP bulletin describes two distinct RCE paths in versions prior to 4.4.14: one in the private (authenticated) area, and one in the public (unauthenticated) area "under specific nginx configurations" — the SPIP bulletin notes the bugs are "not covered by the security screen", meaning they bypass SPIP's built-in filter layer. No CVE identifiers are assigned in the vendor bulletin. Fixed in SPIP 4.4.14. No ITW reported. Detection concepts: monitor SPIP ecrire/ and front-end access logs for the SSTI / template-load gadget patterns the bulletin enumerates; on shared-host SPIP estates, audit the nginx reverse-proxy configuration for the unsafe location pattern. Hardening: upgrade to 4.4.14; on internet-facing SPIP, gate ecrire/ to a known admin source set at the reverse proxy.

CERT-FR's CERTFR-2026-AVI-0572 (2026-05-12) consolidates the April 2026 monthly security bulletin for Centreon Infra Monitoring — the enterprise monitoring platform widely deployed in French and EU public-sector NOCs and government ISPs (CERT-FR CERTFR-2026-AVI-0572, 2026-05-12; Centreon security bulletin, 2026-05-12). The bulletin lists command injection (effectively RCE in Centreon MBI), SQL injection, and XSS (Centreon Map, CVSS 6.8) findings spread across Centreon Anomaly Detection, Auto Discovery, AWIE, BAM, DSM, License Manager, MAP, MBI and Open Tickets — affecting 24.04.x (MBI only), 24.10.x and 25.10.x branches. Per-CVE identifiers are enumerated in the Centreon bulletin rather than the CERT-FR advisory. No ITW reported. The defender-relevant property is that Centreon stores privileged monitored-host credentials (SNMP communities, SSH private keys, vendor-API tokens) — compromise of a Centreon instance is a high-impact lateral-movement enabler against the entire monitored estate. Detection concepts: monitor Centreon front-end access logs for the listed component endpoints from non-NOC source networks; alert on Centreon process spawning child shells outside scheduled poller intervals. Hardening: apply the April 2026 monthly update; segment Centreon's monitoring VLAN from user / internet networks; treat Centreon credentials-vault contents as Tier-0 in the AD admin-tiering model.

CVE Summary Table

Vendor PSIRT pages (re-fetched at verification time) consistently publish CVSS 9.1 for both FortiAuthenticator CVE-2026-44277 and FortiSandbox CVE-2026-26083; early NCSC-CH / NVD reports cited 9.8 for one or both before convergence. § 7 documents the source discrepancy.

CERT-FR's advisory (dated 13 April 2026, surfaced in this week's daily on 2026-05-08) names three operational risk classes for organisations deploying agentic AI orchestration platforms (Claude Agents, Microsoft Copilot Studio, AutoGen, MCP-server architectures): prompt injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments. CERT-FR recommendations: input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated (CERT-FR — CERTFR-2026-ACT-016, 2026-05-08 · daily 2026-05-08). Why this is obligations-changing rather than routine advisory: for French public-sector entities deploying agentic AI, CERT-FR advisories establish the baseline a defendable-control posture is measured against. The Microsoft Semantic Kernel CVE-2026-26030 / CVE-2026-25592 pair (§ 3 deep dive) is the worked-example of CERT-FR's first and third risk classes manifesting as concrete vendor CVEs — defenders deploying any agentic-AI framework should treat the CERT-FR advisory as defining the question-set, not the answer-set.

France's CERT-FR published advisory CERTFR-2026-ACT-016 warning that deploying agentic AI orchestration platforms (LLM-driven workflows with tool-calling, MCP server integration, or autonomous execution capabilities) introduces novel attack vectors. The advisory identifies three risk classes: prompt-injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments, where agents with filesystem or network access can be weaponised. CERT-FR recommends input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated. Relevant for organisations deploying Claude Agents, Microsoft Copilot Studio, AutoGen, or similar agentic frameworks for workflow automation.

France's CERT-FR published CERTFR-2026-AVI-0551 (April 29, 2026) covering seven CVEs in GLPI, the open-source IT Service Management platform widely deployed in European public-sector organisations and healthcare networks. Vulnerability types include SSRF (CVE-2026-32312), stored and reflected XSS (CVE-2026-42317, CVE-2026-42318, CVE-2026-42320, CVE-2026-42321), security policy bypass (CVE-2026-5385), and data integrity compromise (CVE-2026-40108). CVSS scores are not published in the advisory. No exploitation in the wild is confirmed. GLPI administrators should upgrade to version ≥ 10.0.25 (10.0.x branch) or ≥ 11.0.7 (11.x branch). Swiss federal and cantonal administrations and hospitals using GLPI as their ITSM are advised to schedule patching within the standard change window.