For two years, “agentic AI risk” was a slide in a deck. In the first two weeks of July 2026 it became an advisory, an exploit, and a ransomware operation. The attack surface has moved up a layer — away from the model itself and onto the agent: the orchestration platform, the tools it can call, and the credentials it can reach.
Three items landed. Here they are, with the precision each deserves.
1. A confirmed, actively exploited flaw in an agent platform
On July 7, 2026, CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities catalog: a broken-authorization flaw (an IDOR at the /api/v1/responses endpoint) in Langflow, a widely used agent-orchestration platform. An authenticated attacker can execute another user’s flow because the ownership check is missing. Sysdig observed exploitation in the wild from roughly June 25, aimed at code execution and second-stage implant delivery. CISA set a federal patch deadline under BOD 26-04.
A precision note, because accuracy is the product here: at least one outlet reported this as the “first AI agent platform added to KEV.” That is wrong. A different Langflow flaw (CVE-2025-3248) has been KEV-listed since May 2025, and another since March 2026. CVE-2026-55255 is the newest Langflow entry, not the first. The real story is not novelty — it is persistence. This platform layer keeps getting exploited.
2. Ransomware, run by the model
On July 1, 2026, Sysdig’s Threat Research Team published JADEPUFFER, which they assess as the first end-to-end LLM-driven — “agentic” — ransomware operation. Their account: the model entered through the 2025 Langflow RCE (CVE-2025-3248), then autonomously chained reconnaissance, credential harvesting, lateral movement, persistence, and a database-extortion playbook, narrating its own reasoning as it went, including correcting a failed login in about half a minute.
The honest caveats matter, and we will not bury them: this is a single vendor’s assessment. “First documented agentic ransomware” is Sysdig’s characterization, not an industry consensus. The claimed data exfiltration is the agent’s own self-narrated assertion, not independently verified. And the entry point was a vulnerability from 2025, not a new one. Strip all of that away and what remains is still significant: a credible, detailed account of an autonomous system chaining an intrusion end to end, with the human operator supervising rather than driving.
3. Prompt injection that no reviewer sees
Around July 11, researchers demonstrated “Ghostcommit” — hiding a prompt-injection payload inside a PNG image so that AI coding agents read it and leak .env secrets, while human and AI reviewers, who never open the image, see nothing. This is a research demonstration, not an exploited-in-the-wild vulnerability; there is no CVE. We cover it in its own briefing, because the most important finding in it is not the attack.
What ties these together
The industry spent 2024 and 2025 securing models — jailbreaks, harmful outputs, training-data leakage. Those problems did not go away, but they are no longer where the damage is coming from. The damage is coming from what we let the model do: call tools, execute code, hold credentials, act without a human in the loop.
That is the agentic layer, and it is precisely what the OWASP Top 10 for Agentic Applications (ASI01–10) was written to describe. The July cluster maps cleanly onto it: tool misuse and exploitation (ASI02), agent identity and privilege abuse (ASI03), unexpected code execution (ASI05), cascading agent failures (ASI08), and rogue agents (ASI10).
An agent’s blast radius is not a property of the model. It is a property of your architecture — the permissions you granted, the tools you wired up, the secrets you left within reach.
What to do this week
1. Patch Langflow (and inventory whether you run it at all — including inside a vendor’s product). 2. Inventory your agents, not just your models. Which ones can execute code, call external tools, or read credentials? 3. Apply least privilege to tools, not just users. An agent with a broad API token is a standing privilege-escalation path. 4. Log agent actions, not just agent outputs — you cannot investigate what you did not record. 5. Test the hijack case. Assume an attacker controls the agent’s instructions. What can it reach? Who has actually verified that, and can you show the result?
An honest limitation
One of these three items is a CISA-confirmed, actively exploited vulnerability. One is a single security vendor’s detailed but unreplicated assessment. One is an academic demonstration with no CVE at all. They are not the same tier of evidence, and treating them as if they were is how vendors manufacture urgency. We have labelled each accordingly, and we would rather you act on the first with certainty than on all three with panic.
What is not in doubt: agent-layer exploitation is no longer hypothetical, and the cheapest moment to find out what your agent can do under an attacker’s control is before someone else finds out for you.
This briefing is threat and regulatory information from Sentinel Assurance Group, not legal advice, and not a substitute for your own vulnerability management. Details change quickly — verify against the primary advisories linked above before acting. Last reviewed July 14, 2026.
Talk to us about testing your agents →What could your agent do
if someone else were driving?
A 30-minute conversation on where your agents can reach — and what an adversary could do with them.
Book the call →