Analysis
Four CVEs landed in a single short window, all targeting the runtime stack AI coding agents depend on: npm install, the LangChain Python tool, Docker sandboxes with cloud credentials, and the GGUF model loader. None of these chains are commodity criminal infrastructure yet. The patching window is open. Patch on a normal change-management cadence; don't get caught two months from now when the npm chain inevitably gets repackaged into a stealer family.
Why these four are a single story
Each CVE on its own is normal patch-Tuesday work. Together they cover every layer of how an AI coding agent does its job: dependency install, tool execution, model loading, and the container runtime that wraps everything else. If you run AI coding agents in production, you have at least two of these layers active simultaneously. The chain risk is real — a malicious GitHub repository (which the agent will helpfully clone) can plant package.json postinstall hooks, prompt-injection payloads, and crafted dev-container configs in the same payload. One repo, four levers.
- CVE-2026-12091 — npm registry compromise. Five widely-installed packages, 38M weekly downloads, postinstall hooks exfiltrating env vars and SSH keys. CVSS 8.8.
- CVE-2026-34040 — Docker auth-plugin bypass. The published exploitation path turns a Cursor-class AI coding agent into a cloud-takeover tool. CVSS 8.8.
- CVE-2026-7733 — LangChain PythonREPLTool sandbox escape via __import__. Any LangChain agent exposed to user input is now an RCE. CVSS 9.6.
- CVE-2026-5760 — SGLang RCE via malicious GGUF model file. Trust boundary moves from "downloaded binary" to "downloaded weights." CVSS 9.8.
The agent threat model that was theoretical two years ago is now operational. Each CVE is normal infrastructure work; the cluster is the news.
1. CVE-2026-12091 — npm postinstall (CVSS 8.8)
The most boring of the four, and that's exactly why it's first. Five compromised packages, 38M weekly downloads combined. Every developer running npm install against a corrupted lockfile gets credential exfiltration. Zero attacker effort post-publish. The maintainer 2FA bypass is now patched, but the bad versions remain in the registry's history and in lockfiles people haven't refreshed.
- Refresh package-lock.json against current versions across every repository that touches the affected packages.
- Audit postinstall and preinstall scripts for any path under ~/.ssh, ~/.aws, ~/.npmrc, or any token store. Most packages have neither hook; the ones that do are the high-value audit set.
- Pin transitively for AI-agent workspaces — never let an agent run npm install against unpinned dependencies. Run agents against a pre-built workspace where possible.
- Rebuild base images if you ship containers. Old base images with the bad versions are still poisoned.
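A concrete way to run the hook audit above, added for this article and not drawn from npm or from any of the affected packages: it walks a node_modules tree, reads each package.json, and flags preinstall/install/postinstall scripts that reference the credential stores named above. The tree it scans is a constructed sample with fake package names, not real packages.

```python
"""Audit npm lifecycle hooks for credential-store access (added example)."""
import json
import os
import re
import tempfile

# Lifecycle scripts npm runs automatically during `npm install`.
HOOKS = ("preinstall", "install", "postinstall")
# Credential stores the article names, plus the obvious env-var readers.
SENSITIVE = re.compile(r"\.ssh|\.aws|\.npmrc|process\.env|printenv")


def audit_install_hooks(root):
    """Return [(package, hook, script)] for each hook that touches a credential path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the audit
        if not isinstance(manifest, dict):
            continue
        scripts = manifest.get("scripts") or {}
        for hook in HOOKS:
            script = scripts.get(hook)
            if isinstance(script, str) and SENSITIVE.search(script):
                findings.append((manifest.get("name", dirpath), hook, script))
    return findings


def build_sample_tree():
    """Write a constructed node_modules tree (fake packages) and return its root."""
    root = tempfile.mkdtemp()
    samples = [
        {"name": "hooked-sample", "scripts": {"postinstall":
            "node -e \"require('fs').readFileSync(process.env.HOME+'/.ssh/id_rsa')\""}},
        {"name": "native-sample", "scripts": {"install": "node-gyp rebuild"}},
        {"name": "plain-sample", "scripts": {"test": "jest"}},
    ]
    for pkg in samples:
        pkg_dir = os.path.join(root, "node_modules", pkg["name"])
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root


if __name__ == "__main__":
    for name, hook, script in audit_install_hooks(build_sample_tree()):
        print(f"{name}: {hook} -> {script}")
```

Point it at a real workspace root and review every hit by hand; the regex is a triage filter, not a verdict.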
2. CVE-2026-34040 — Docker auth bypass and AI-agent confused deputy (CVSS 8.8)
The most novel. The underlying bug is an incomplete fix for CVE-2024-41110 — Docker authorization plugins make their allow/deny decision on incomplete request data. The published exploitation path is what makes this 2026-specific: a malicious GitHub repository tricks an AI coding agent in a Docker-based sandbox into executing the bypass, then pivots from the container into the cloud account and Kubernetes clusters the agent can reach.
- Upgrade Docker to the patched release immediately. The bypass works against any host using authorization plugins.
- Remove cloud credentials from AI-agent sandboxes by default. Use short-lived, scope-narrowed tokens issued per-task, not long-lived admin credentials mounted at container start. This is the structural fix; the Docker patch is the tactical one.
- Replace shared Docker for agents operating on untrusted repositories — Firecracker microVMs, gVisor, or per-task Kubernetes pods with their own IAM principal. Shared Docker is no longer a security boundary for untrusted code.
- Audit recent agent activity for cloud-API calls, kubeconfig reads, or Docker socket access that don't match a legitimate user task. Any of these is evidence of a confused-deputy attempt, regardless of patch state.
3. CVE-2026-7733 — LangChain PythonREPL escape (CVSS 9.6)
A missing check in PythonREPLTool lets a prompt-controlled __import__ call break the documented sandbox. Any LangChain agent that exposes the Python REPL tool to user input is an RCE; the sandbox boundary doesn't hold.
- Upgrade LangChain to a version newer than 0.2.26. Versions 0.1.x through 0.2.26 are affected.
- Audit your agents for PythonREPLTool usage. If it's there and the agent takes user input from any source, the agent is RCE-capable until patched.
- Treat the REPL tool as an unconditionally-untrusted code-execution endpoint regardless of patch state. Run it in a separate isolation domain — microVM or container with no network egress and no credential mounts — not in-process.
4. CVE-2026-5760 — SGLang malicious GGUF (CVSS 9.8)
A crafted GGUF model file causes RCE on the inference server. CVSS is the highest of the four, but the deployment surface is narrowest — only orgs running SGLang inference servers, and only when they ingest models from untrusted sources.
- Upgrade SGLang to the patched release.
- Treat downloaded weights as untrusted binary input. Sandbox the model loader. Don't run inference servers as root or with credential mounts.
- Isolate per-request if you accept user-uploaded models. Run the loader behind a strict input filter and consider a microVM boundary per request.
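An added pre-check for the "treat downloaded weights as untrusted binary input" point; this is not SGLang's code and not a fix for CVE-2026-5760 (the article gives no detail of the bug). It validates the fixed GGUF header before any loader allocates based on the counts in it, rejecting magic, version and entry counts that cannot be backed by the file's actual size. It assumes the GGUF v2/v3 layout (magic, u32 version, u64 tensor and metadata counts); the blobs are constructed samples, not real models.

```python
"""Sanity-check a GGUF header before handing the file to a loader (added example)."""
import struct

GGUF_MAGIC = b"GGUF"
SUPPORTED_VERSIONS = (2, 3)        # v2+ use 64-bit counts; v1 is refused here
HEADER = struct.Struct("<4sIQQ")   # magic, version, tensor_count, metadata_kv_count
MAX_TENSORS = 1 << 20              # policy limits; tune to the models you actually serve
MAX_KV = 1 << 16
MIN_KV_BYTES = 12                  # key length (u64) + value type (u32)
MIN_TENSOR_BYTES = 24              # name length (u64) + n_dims (u32) + type (u32) + offset (u64)


def check_gguf_header(data):
    """Return (ok, reason, header) after inspecting only the fixed 24-byte header."""
    if len(data) < HEADER.size:
        return False, "truncated header", None
    magic, version, n_tensors, n_kv = HEADER.unpack_from(data)
    hdr = {"version": version, "tensor_count": n_tensors, "kv_count": n_kv}
    if magic != GGUF_MAGIC:
        return False, "bad magic", hdr
    if version not in SUPPORTED_VERSIONS:
        return False, f"unsupported version {version}", hdr
    if n_tensors > MAX_TENSORS or n_kv > MAX_KV:
        return False, "count exceeds policy limit", hdr
    # Every declared entry needs at least its fixed-size fields. A count that
    # cannot fit inside the file is an allocation bomb, not a model.
    needed = HEADER.size + n_kv * MIN_KV_BYTES + n_tensors * MIN_TENSOR_BYTES
    if needed > len(data):
        return False, f"declares {needed} bytes of entries, file has {len(data)}", hdr
    return True, "ok", hdr


def make_sample(version=3, n_tensors=1, n_kv=1, pad=None):
    """Constructed GGUF-shaped blob: a header plus `pad` zero bytes (not a real model)."""
    if pad is None:
        pad = n_kv * MIN_KV_BYTES + n_tensors * MIN_TENSOR_BYTES
    return HEADER.pack(GGUF_MAGIC, version, n_tensors, n_kv) + b"\0" * pad


if __name__ == "__main__":
    for blob in (make_sample(), make_sample(n_tensors=2**40, pad=64), b"GGML" + b"\0" * 20):
        ok, reason, hdr = check_gguf_header(blob)
        print(ok, reason, hdr)
```

Run this in the ingestion path before the real loader touches the file; it is cheap, and it only rejects files that no legitimate loader could parse anyway.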
What “patching window is open” actually means
These four chains are not yet showing up in commodity criminal infrastructure — no exploit-kit packaging, no broker-pricing line items, no observable trade volume in the ordinary criminal-market data. That's the normal pattern for research-grade chains: weeks-to-months of pre-commoditization, and some never make it because they require too much per-victim setup. CVE-2026-7733 and CVE-2026-5760 may stay research-grade indefinitely; CVE-2026-12091 is the most likely to be repackaged into commodity stealer infrastructure because the work is already done — the postinstall script is the implant.
The window is meaningful because it lets you patch on a normal change-management cadence rather than an emergency one. Patch this week. Get isolation in place this month. Don't get caught two months from now when the npm chain shows up downstream in an info-stealer family that has done nothing other than swap the implant.
What this isn’t
This isn't an "AI is dangerous" essay. It is the observation that the AI-agent stack now has its first round of CVEs that target the way agents actually work — running attacker-controlled code, processing attacker-controlled inputs, holding privileged credentials. Each individual CVE is normal infrastructure work; the cluster is the news. Patch accordingly.