ctipilot.ch

CERT-FR CERTFR-2026-ACT-016

campaign · campaign:certfr-2026-act-016 single-source-national-cert

CERT-FR CERTFR-2026-ACT-016 — Agentic AI tool risks: prompt injection, MCP supply chain, sandboxing

Coverage timeline: 2 appearances, first 2026-05-04 → last 2026-05-08
Entries: 2 (2 distinct days)
Sources cited: 1 host
Sections touched: 2 (active-threats, weekly-policy)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-08 (active-threats) — CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces
  2. 2026-05-04 (weekly-policy) — CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit

Where this entity is cited

  • weekly-policy (1)
  • active-threats (1)

Source distribution

  • cert.ssi.gouv.fr: 1 (100%)

Entries about CERT-FR CERTFR-2026-ACT-016 (2)

2026-05-08

CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces

notable threat · discovered 2026-05-08 05:00 UTC · single-source · national CERT

France's CERT-FR published advisory CERTFR-2026-ACT-016 warning that deploying agentic AI orchestration platforms (LLM-driven workflows with tool-calling, MCP server integration, or autonomous execution capabilities) introduces novel attack vectors. The advisory identifies three risk classes: prompt-injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments, where agents with filesystem or network access can be weaponised. CERT-FR recommends input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated. Relevant for organisations deploying Claude Agents, Microsoft Copilot Studio, AutoGen, or similar agentic frameworks for workflow automation.

ai-abuse supply-chain europe

2026-05-04

CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit

notable policy · discovered 2026-05-04 05:00 UTC · single-source · national CERT

CERT-FR's advisory (dated 13 April 2026, surfaced in this week's daily on 2026-05-08) names three operational risk classes for organisations deploying agentic AI orchestration platforms (Claude Agents, Microsoft Copilot Studio, AutoGen, MCP-server architectures): prompt injection via processed documents or websites (an attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments. CERT-FR recommendations: input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated (CERT-FR — CERTFR-2026-ACT-016, 2026-05-08 · daily 2026-05-08). Why this is obligations-changing rather than a routine advisory: for French public-sector entities deploying agentic AI, CERT-FR advisories establish the baseline against which a defendable control posture is measured. The Microsoft Semantic Kernel CVE-2026-26030 / CVE-2026-25592 pair (§ 3 deep dive) is the worked example of CERT-FR's first and third risk classes manifesting as concrete vendor CVEs — defenders deploying any agentic-AI framework should treat the CERT-FR advisory as defining the question-set, not the answer-set.

ai-abuse supply-chain vulnerabilities europe
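As an added illustration of the recommendations summarised in both entries above (strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating agent output as untrusted until validated), here is a constructed Python policy gate; it is not code from CERT-FR or from any of the named frameworks, and the tool names, policy table and sandbox root are assumptions.

```python
import json
import os
from dataclasses import dataclass
from typing import Callable

# Constructed policy table (assumed tool names): which tools the agent may call,
# the exact argument schema each accepts, and whether a human must approve it.
TOOL_POLICY = {
    "read_file":  {"high_impact": False, "args": {"path": str}},
    "send_email": {"high_impact": True,  "args": {"to": str, "body": str}},
    "run_shell":  {"high_impact": True,  "args": {"cmd": str}},
}
SANDBOX_ROOT = "/srv/agent-workspace/"  # assumed sandbox root for file access


@dataclass
class Decision:
    status: str   # "execute" or "denied"
    reason: str


def gate_tool_call(raw_output: str, approver: Callable[[dict], bool]) -> Decision:
    """Treat the model's output as untrusted: parse it defensively, allowlist the
    tool, validate arguments against the schema, and route high-impact actions
    through a human-in-the-loop approver before anything executes."""
    try:
        call = json.loads(raw_output)
    except json.JSONDecodeError:
        return Decision("denied", "output is not a well-formed tool call")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return Decision("denied", "unexpected tool-call shape")
    policy = TOOL_POLICY.get(call["tool"])
    if policy is None:
        return Decision("denied", f"tool {call['tool']!r} is not on the allowlist")
    args = call["args"]
    # Exact-match the argument set: extra or missing keys are a policy violation.
    if not isinstance(args, dict) or set(args) != set(policy["args"]):
        return Decision("denied", "argument set does not match the tool's schema")
    for name, typ in policy["args"].items():
        if not isinstance(args[name], typ):
            return Decision("denied", f"argument {name!r} has the wrong type")
    # Sandboxing check: normalise the path so '..' segments cannot escape the root.
    if call["tool"] == "read_file":
        if not os.path.normpath(args["path"]).startswith(SANDBOX_ROOT):
            return Decision("denied", "path escapes the sandbox workspace")
    if policy["high_impact"]:
        if approver(call):
            return Decision("execute", "approved at human-in-the-loop gate")
        return Decision("denied", "rejected at human-in-the-loop gate")
    return Decision("execute", "allowlisted low-impact tool")
```

The `approver` callable stands in for whatever review channel the deployment uses; an injected instruction that steers the agent toward `run_shell` or an off-allowlist tool never reaches execution without passing that gate.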