
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Wednesday, May 6, 2026  ·  hardened.news
>  The signal. Not the noise.    For teams that defend.
Lead Story
High — AI Tool Security · Dev · Cloud+DevOps
Secure Mode Wasn’t. Pillar Security Found an RCE in Google Antigravity That Bypasses Safety Controls Before They Can Evaluate.
A prompt injection in Antigravity’s file search tool converts a routine search pattern into shell execution — and fires before Secure Mode evaluates anything. Google patched it in February. The architectural pattern it exposes applies to any agentic tool that grants file creation and file search in the same execution context.

Pillar Security published their Antigravity findings in April: the find_by_name tool’s Pattern parameter passes user input directly to the underlying fd utility without sanitization. Inserting -Xsh as the Pattern value causes fd to pass each matched file to sh for execution as shell scripts, achieving RCE. The bypass is architectural: find_by_name executes within the standard agent workflow before Secure Mode restrictions are evaluated — it fires at the tool-invocation layer, ahead of the security boundary Secure Mode enforces. Google patched it February 28. No CVE was assigned.

The architectural implication extends past Antigravity. Any agentic tool granting both file creation and file search in the same execution context — while evaluating security controls after tool invocations — carries the same exposure class. Antigravity’s unrestricted file creation is the setup step; the search tool is the trigger; the agent processes both as legitimate actions. The CSA published a research note on this pattern. Defenders deploying AI tools with native filesystem access should verify where in the execution stack restrictions are actually enforced.

→ Key Takeaway
Antigravity is patched — but the exposure class it documents is not. Verify that every AI development tool in your environment enforces security restrictions before native tool invocations, not after. Any tool that grants both file creation and file retrieval in the same context without pre-invocation validation should be treated as unsandboxed regardless of what its marketing calls it.
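To make the takeaway concrete, here is an added example (not Antigravity's or Pillar Security's code) of a find_by_name-style wrapper around fd that validates the Pattern parameter at the tool-invocation layer, before any process is spawned; the function names and the allowlist are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Constructed example, not Antigravity's or Pillar Security's code. It models a
# find_by_name-style tool that hands a Pattern to the fd utility and shows where
# the check belongs: at the tool-invocation layer, before any process is spawned.
# No shell is involved; fd parses its own argv, so a pattern beginning with '-'
# is still read as an option. That is why a leading-dash check and '--' both matter.


class UnsafePatternError(ValueError):
    """Raised when a Pattern would be parsed as anything other than a search pattern."""


# Allowlist for filename patterns: word characters, dot, glob metacharacters,
# comma, space and a non-leading hyphen. Deliberately narrow (an assumption).
_PATTERN_RE = re.compile(r"^[A-Za-z0-9_.*?\[\]{},\- ]+$")


def validate_pattern(pattern: str) -> str:
    """Reject empty, option-like (leading '-') or out-of-allowlist patterns."""
    if not pattern or pattern.startswith("-"):
        raise UnsafePatternError(f"pattern looks like an option: {pattern!r}")
    if not _PATTERN_RE.fullmatch(pattern):
        raise UnsafePatternError(f"pattern has disallowed characters: {pattern!r}")
    return pattern


def build_fd_argv(pattern: str, root: str = ".") -> List[str]:
    """Build fd's argv: validation first, then '--' so nothing after it is an option."""
    safe = validate_pattern(pattern)
    return ["fd", "--", safe, root]


def find_by_name(pattern: str, root: str = ".") -> List[str]:
    """Run the hardened search (shell=False) and return matched paths."""
    argv = build_fd_argv(pattern, root)  # raises before subprocess.run is reached
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return [line for line in result.stdout.splitlines() if line]
```

The point of the ordering is that a rejected Pattern never reaches the subprocess call, so no later "secure mode" check has to catch it.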
Quick Hits
01
Unit 42: GCP Vertex AI’s Default Service Agent Has Enough Permissions to Raid Your Storage Buckets and Google Workspace

Unit 42 published research in March documenting that the Per-Project Per-Product Service Agent (P4SA) assigned by default to Vertex AI Agent Engine deployments carries excessive permissions — enough that an attacker who compromises the agent can extract the P4SA’s credentials and pivot into the consumer GCP project. Using those credentials, Unit 42 demonstrated unrestricted read access to all Google Cloud Storage buckets in the project, plus access to restricted Google-owned Artifact Registry repositories used during deployment, exposing both customer data and internal supply chain artefacts. Google has revised Vertex AI documentation and strongly recommends adopting a Bring Your Own Service Account (BYOSA) architecture to enforce least privilege — organizations running agents on default P4SA permissions should treat the migration as a standing security gap, not a future nice-to-have. Unit 42 →

High — AI Platform / Credential Exposure · Cloud+DevOps · Enterprise
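A first check a defender can run on the project side, as an added example that is not Unit 42's or Google's code: scan a project IAM policy for Google-managed service agents that hold project-wide Cloud Storage read. The policy shape assumed is the JSON returned by gcloud projects get-iam-policy, and the EXAMPLE-agent product suffix is a placeholder, not the real Agent Engine service agent domain.

```python
import json
import re
from typing import Dict, List

# Constructed example, not Unit 42's or Google's code. It walks a project IAM policy
# (the JSON `gcloud projects get-iam-policy PROJECT --format=json` returns), reports
# every Google-managed service agent (P4SA) bound at project scope, and flags roles
# known to grant project-wide Cloud Storage read. Product-specific *.serviceAgent
# roles bundle their own permissions and need review against the role's permission
# list; they are reported but not flagged here.

# P4SA principals look like service-<PROJECT_NUMBER>@gcp-sa-<product>.iam.gserviceaccount.com
P4SA_RE = re.compile(r"^serviceAccount:service-\d+@gcp-sa-[\w-]+\.iam\.gserviceaccount\.com$")

# Roles that read or manage objects in every bucket of the project; the basic roles
# are included because Viewer and above already carry storage.objects.get.
BROAD_STORAGE_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/viewer", "roles/editor", "roles/owner",
}

def audit_service_agents(policy: Dict) -> Dict[str, Dict[str, bool]]:
    """Return {agent: {role: flagged}} for every P4SA found in the policy bindings."""
    report: Dict[str, Dict[str, bool]] = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if P4SA_RE.match(member):
                report.setdefault(member, {})[role] = role in BROAD_STORAGE_ROLES
    return report

def flagged_agents(policy: Dict) -> Dict[str, List[str]]:
    """Only the agents holding at least one broad storage role, with those roles."""
    return {agent: sorted(r for r, bad in roles.items() if bad)
            for agent, roles in audit_service_agents(policy).items() if any(roles.values())}

# Constructed sample policy; EXAMPLE-agent is a placeholder product suffix, not the
# real Agent Engine service agent domain.
AGENT = "serviceAccount:service-123456789012@gcp-sa-EXAMPLE-agent.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer", "members": ["%s"]},
  {"role": "roles/EXAMPLE.serviceAgent", "members": ["%s"]},
  {"role": "roles/aiplatform.user",
   "members": ["user:dev@example.com", "serviceAccount:agent-runtime@my-project.iam.gserviceaccount.com"]}
]}
""" % (AGENT, AGENT))
```

Permissions granted through a product's own serviceAgent role do not show up as storage roles in the policy, so the unflagged entries in the report still need a look at that role's permission list.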
CVE Watch
CVE-2026-29014 — MetInfo CMS: CVSS 9.8 Unauthenticated PHP Code Injection, Active Exploitation Confirmed

CVE-2026-29014 is an unauthenticated PHP code injection in MetInfo CMS versions 7.9, 8.0, and 8.1 that allows attackers to execute arbitrary code without credentials. MetInfo released a patch on April 7, 2026; exploitation was confirmed from April 25 onward, with activity surging on May 1 and concentrating on Chinese and Hong Kong IP space — if you run MetInfo, apply the April 7 patch immediately. For organizations not running MetInfo, the pattern is worth logging: a CVSS 9.8 unauthenticated RCE reaching active exploitation within 18 days of patch release reflects the accelerating post-disclosure exploitation window that Mandiant’s M-Trends 2026 documented across the broader CVE landscape.

Vendor: MetInfo  ·  CVE: CVE-2026-29014  ·  CVSS: 9.8  ·  Affected: MetInfo CMS 7.9, 8.0, 8.1  ·  Fix: Patch released April 7, 2026  ·  Exploitation: Active — confirmed from April 25; surge May 1, targeting primarily Chinese and Hong Kong IP space
Compliance Tip of the Day
NIST CSF 2.0 — PR.PS-02 — Protect: Platform Security — Software Managed Commensurate With Risk
Know What Your AI Dev Tools Can Touch — and Whether the Sandbox Is Real

The Antigravity finding demonstrates that AI tool security claims require architectural verification, not just vendor assurance: a tool labelled “Secure Mode” still provided a full RCE path when its internal execution order was analyzed. NIST PR.PS-02 requires software to be maintained and managed commensurate with its risk profile — for AI development tools with native filesystem or shell access, that means confirming the tool’s actual security boundary architecture, not relying on product documentation alone. Concrete action (PR.PS-02): Inventory every AI development tool in your environment that has native filesystem, shell, or network access; for each, confirm from vendor security documentation or independent research whether restrictions are enforced before or after tool invocations — if they’re enforced after, treat the tool as unsandboxed. nist.gov/cyberframework →


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.

Sources: Pillar Security (“Prompt Injection leads to RCE and Sandbox Escape in Antigravity”), pillar.security · The Hacker News (“Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution”), thehackernews.com · CSO Online (“Prompt injection turned Google’s Antigravity file search into RCE”), csoonline.com · Cloud Security Alliance (“CSA Research Note: Agentic IDE Prompt Injection & Sandbox Escape”), labs.cloudsecurityalliance.org · Unit 42 / Palo Alto Networks (“Double Agents: Exposing Security Blind Spots in GCP Vertex AI”, March 31, 2026), unit42.paloaltonetworks.com · The Hacker News (“Vertex AI Vulnerability Exposes Google Cloud Data and Private Artefacts”), thehackernews.com · The Hacker News (“MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks”), thehackernews.com · NVD — CVE-2026-29014, nvd.nist.gov · NIST CSF 2.0 (PR.PS-02), nist.gov/cyberframework
