What happened
Tenet Security disclosed on June 12, 2026, a novel attack class called 'Agentjacking' that exploits the Model Context Protocol's implicit trust model. Attackers craft Sentry error events containing prompt injection payloads and deliver them through publicly discoverable write-only credentials. When AI coding assistants query Sentry via MCP, they treat the injected instructions as trusted system context and execute them with full developer privileges.
Why it matters
This is a structural vulnerability in MCP's architecture: every MCP integration is now an attack surface. AI agents treat tool responses as authoritative without provenance verification. The attack bypasses EDR, WAF, and IAM controls entirely—the actions originate from the trusted agent process itself. No authentication required; only a public DSN is needed. 2,388 organizations identified as exposed.
Attack vector
Attacker discovers public Sentry DSN from target's frontend JavaScript, injects malicious Markdown-formatted error event via Sentry's public ingest endpoint, developer's AI coding agent retrieves event via MCP, agent executes attacker-controlled code (npm package download, credential exfiltration) with developer's full system privileges
Affected systems
Claude Code, Cursor, OpenAI Codex (all versions with Sentry MCP integration)
Mitigation
Audit and restrict Sentry DSN exposure in client-facing code; implement content filtering on Sentry error events; add MCP response validation and sandboxing in AI agents; disable Sentry MCP integration if unused