AI Vulnerability in the Enterprise: Copilot and LiteLLM Expose Data and Systems

[2026-06-18] Author: Risoluto Redazione

Enterprise artificial intelligence is facing a crisis of trust. Two AI tools broke in the same way in two weeks, and four research teams proved it. The pattern underneath every disclosure is one sentence: enterprise AI accepts external input with no trust boundary. On June 15, Varonis disclosed SearchLeak (CVE-2026-42824), a proof-of-concept exfiltration chain in Microsoft 365 Copilot Enterprise Search. A victim clicks a crafted microsoft.com URL, Copilot searches their mailbox, and the data leaves through a Bing SSRF. No plugins, no second click, no visible indicator. Four days earlier, Obsidian Security published a three-CVE chain against LiteLLM that carried a default low-privilege user all the way to admin and remote code execution. Two tools. Two teams. One broken boundary.

SearchLeak: turning a trusted URL into an exfiltration engine

SearchLeak chained three weaknesses into a silent data-theft chain. The URL's q parameter fed attacker-supplied instructions straight to Copilot's LLM. A rendering race condition fired an image tag before the output sanitizer ran. Bing's image-search endpoint, allowlisted in the Content Security Policy, routed the stolen data out. Microsoft rated the flaw critical and patched it on the back end, according to Varonis. This is the third Varonis Copilot exfiltration chain in twelve months, after Reprompt in January and EchoLeak in 2025. SearchLeak hits Enterprise Search, which inherits the user's full organizational permissions, so the blast radius is everything that user can reach.

LiteLLM: a default account exposes every provider key

The LiteLLM gateway holds the keys for OpenAI, Anthropic, Azure, and Bedrock behind a single proxy. The Obsidian chain runs in three moves. CVE-2026-47101, an authorization bypass, lets a non-admin mint a wildcard API key. CVE-2026-47102 promotes that caller to proxy admin through an unguarded /user/update endpoint. CVE-2026-40217 escapes the code sandbox through exec() with full builtins. Obsidian then demonstrated a reverse shell by injecting a forged tool-call response through LiteLLM's callback mechanism. The combined chain is assessed at CVSS 9.9. A separate flaw, CVE-2026-42271, a command-injection bug in the MCP test endpoints, landed on the CISA KEV list on June 8 with a June 22 remediation deadline. LiteLLM carries more than 40,000 GitHub stars and sits in thousands of enterprise deployments. A compromised gateway exposes every provider credential the organization holds.
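
A deny-by-default guard for the two moves the chain starts with, as an added example that is not LiteLLM's own code: a user-update handler that refuses privileged fields from non-admins and a key-minting rule that keeps the wildcard model scope admin-only. Role names, field names and function names are assumptions for illustration.

```python
# Added example (not LiteLLM's code): authorization checks for a user-update
# endpoint and for API-key scope. Role and field names are assumptions.
from dataclasses import dataclass

ROLE_RANK = {"viewer": 0, "user": 1, "admin": 2}
# Fields that change what a user may do or spend; only admins may set them.
PRIVILEGED_FIELDS = {"role", "models", "max_budget"}


@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str


def authorize_user_update(caller: Caller, target_user_id: str, changes: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Every rule must pass; anything else is denied."""
    caller_rank = ROLE_RANK.get(caller.role)
    if caller_rank is None:
        return False, "unknown caller role"
    is_admin = caller.role == "admin"
    if not is_admin and caller.user_id != target_user_id:
        return False, "non-admin may only update own record"
    touched = sorted(PRIVILEGED_FIELDS & set(changes))
    if touched and not is_admin:
        return False, f"privileged fields require admin: {touched}"
    new_role = changes.get("role")
    if new_role is not None:
        if new_role not in ROLE_RANK:
            return False, f"unknown role {new_role!r}"
        # Defence in depth: nobody grants a role above their own, admins included.
        if ROLE_RANK[new_role] > caller_rank:
            return False, "cannot grant a role above your own"
    return True, "ok"


def authorize_key_scope(caller: Caller, requested: list[str], allowed: list[str]) -> tuple[bool, list[str]]:
    """Model scope for a new API key: '*' is admin-only; others get requested filtered by allowed."""
    if "*" in requested:
        return (True, ["*"]) if caller.role == "admin" else (False, [])
    return True, [m for m in requested if m in allowed]
```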

The pattern scales: Langflow and Mini Shai-Hulud

The same boundary broke in two more tools in the same fortnight. Langflow CVE-2026-5027 became the third Langflow remote-code-execution flaw to hit active exploitation this year. A path traversal in file upload lets an attacker write files anywhere on disk, and because Langflow ships with auto-login enabled by default, a single unauthenticated request reaches RCE. VulnCheck confirmed exploitation on June 9. Censys counted roughly 7,000 exposed instances, and the exploitation has been attributed to MuddyWater. The Mini Shai-Hulud campaign hit a different pressure point. After the worm's source code went public on May 12, copycat variants compromised 32 Red Hat Cloud Services npm packages on June 1, packages pulled 80,000 times a week. The worm harvests more than 20 credential types and self-propagates under the compromised maintainer's identity. Four teams, four tools, one operating failure. The bug classes differ, but the boundary that broke is the same in all four.
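
The control whose absence the Langflow path-traversal description implies, as an added example that is not Langflow's own code: the vulnerable join beside a fail-closed resolver that treats the client-supplied name as a single component and checks containment on the resolved path. The upload root is a temporary directory created for the demo, with a planted symlink to show why the resolved-path check matters.

```python
# Added example (not Langflow's code): safe resolution of a client-supplied
# upload name against an upload root. Paths and names are constructed for the demo.
import os
import tempfile
from pathlib import Path


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied file name would land outside the upload root."""


def naive_join(upload_root: str, client_name: str) -> str:
    # The vulnerable pattern: os.path.join trusts the client string. A leading
    # "/" discards upload_root entirely and ".." components walk out of it.
    return os.path.normpath(os.path.join(upload_root, client_name))


def resolve_upload_path(upload_root: Path, client_name: str) -> Path:
    """Return the absolute path to write, or raise UnsafeUploadPath. Fails closed."""
    if not client_name or "\x00" in client_name:
        raise UnsafeUploadPath("empty name or NUL byte")
    # Treat backslashes as separators too, so "..\\..\\x" is not a single component.
    name = client_name.replace("\\", "/")
    if "/" in name or name in (".", ".."):
        raise UnsafeUploadPath("file name must be a single path component")
    root = upload_root.resolve(strict=True)
    candidate = (root / name).resolve()
    # Compare resolved paths: a pre-planted symlink with this name could
    # otherwise redirect the write elsewhere on disk.
    if candidate.parent != root:
        raise UnsafeUploadPath("resolved path escapes upload root")
    return candidate


def is_safe_upload_name(upload_root: Path, client_name: str) -> bool:
    try:
        resolve_upload_path(upload_root, client_name)
        return True
    except UnsafeUploadPath:
        return False


def make_demo_root() -> Path:
    """Constructed upload root containing one symlink that points outside it."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    (root / "escape.txt").symlink_to(Path(tempfile.gettempdir()) / "outside.txt")
    return root
```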

The market already repriced the risk. CrowdStrike's Q1 FY27 earnings call showed AIDR annual recurring revenue (ARR) growing more than 250% sequentially, with a Q2 pipeline above $50 million. On June 17, the company extended AIDR to AWS, adding real-time evaluation of agent, LLM, and MCP communications. Daniel Bernard, CrowdStrike's chief business officer, said the AI attack surface now spans development, runtime, identities, and cloud infrastructure, and that teams treating those as separate domains leave the gaps between them open.

Practitioners name the same gap in plainer terms. David Levin, CISO at American Express Global Business Travel, told VentureBeat the pattern does not surprise him: "We have this shadow AI, which is just the new version of shadow IT." Both Langflow and LiteLLM fit the description. Merritt Baer, CSO at Enkrypt AI and former AWS Deputy CISO, said: "Enterprises believe they've approved AI vendors, but what they've actually approved is an interface, not the underlying system. The real dependencies are one or two layers deeper, and those are the ones that fail under stress." Adam Meyers, CrowdStrike's SVP of Intelligence, put the operational squeeze in numbers: "The problem is not zero-day. The problem is patching. If you 10x that problem, they're gonna be completely underwater." He pointed to identity as the second front.

The five-check trust-boundary audit at the end of this article maps each gap to a CVE or a market signal from June, a command you can run before lunch, and a sentence a CISO can read to the board. The fix is plumbing, not policy. The question is not whether your vendor will patch; it is whether you find the gap first, or whether an attacker finds it the way they found Copilot and LiteLLM.

For more on AI and robotics, read our article on how Shenzhen workers operate humanoid robots: In Shenzhen Operating Humanoid Robots with Your Body Is a Coveted Job. To understand prompt injection vulnerabilities, see the Wikipedia article on prompt injection.

Source: https://venturebeat.com/security/copilot-searched-your-mailbox-litellm-handed-out-admin
