Summary
Today's 10 signals cluster around three forces reshaping AI infrastructure. Security dominated: LiteLLM's AI gateway command-injection chain (CVE-2026-42271) reached unauthenticated CVSS 10 RCE and landed on CISA's Known Exploited Vulnerabilities list, Cato disclosed the DuneSlide zero-click RCE pair in Cursor's agent sandbox (CVE-2026-50548/50549), and Squidbleed (CVE-2026-47729) exposed a 29-year-old Squid proxy leak—this one surfaced with the help of Anthropic's Claude Mythos Preview, a sign frontier models are now vulnerability hunters, not just coding assistants. In parallel, enterprise control planes for model and agent access matured: Anthropic shipped a self-hosted Claude apps gateway, Vercel added firewall-style routing rules to its AI Gateway, and Cloudflare Access gained service-token auth for MCP portals. And coding agents kept closing the full loop—Claude Code background agents now auto-open draft PRs, GitHub's Copilot browser tools hit GA in VS Code, and MCP interoperability became baseline across Zed and JetBrains.
Key themes
- AI infrastructure is now an active attack surface—with AI on both sides. Three disclosures hit this cycle: LiteLLM's AI-gateway command injection (CVE-2026-42271) chaining to unauthenticated CVSS 10 RCE and CISA's exploited list, Cato's DuneSlide zero-click RCE pair in Cursor's agent sandbox (CVE-2026-50548/50549), and Squidbleed (CVE-2026-47729) in Squid's FTP parser. MCP-facing endpoints and agent read surfaces recur as the entry point—yet Squidbleed was found with Anthropic's Claude Mythos Preview, showing frontier models moving into vulnerability discovery.
- Enterprise control planes for model and agent access are consolidating. Anthropic's self-hosted Claude apps gateway (SSO, RBAC, per-user cost attribution, spend caps for Claude Code on Bedrock and Google Cloud), Vercel's firewall-style AI Gateway routing rules (rewrite/deny by model), and Cloudflare Access service-token auth for MCP portals all treat model and tool access as a governed, centrally enforced policy layer.
- Coding agents are closing the full build-to-review loop autonomously. Claude Code 2.1.198 background agents now auto-commit, push, and open a draft PR; GitHub's Copilot browser tools went GA in VS Code so agents can drive a live browser to verify their own work; and Cloudflare's new service tokens let headless agents authenticate machine-to-machine without a browser login.
- MCP and agent interoperability are becoming baseline editor features. Zed 1.9.0 adds one-click remote MCP servers and in-thread agent search, while GitHub Copilot became a native, selectable agent inside JetBrains AI Assistant—decoupling coding agents from their home editors and pushing tools toward interoperation over lock-in.
Notable items
- LiteLLM AI Gateway flaw CVE-2026-42271 chains with a Starlette host-header bypass (CVE-2026-48710) into unauthenticated CVSS 10.0 RCE; CISA added it to the KEV catalog after in-the-wild exploitation. Patch to LiteLLM 1.83.7 (high impact).
- Anthropic launched the Claude apps gateway, a self-hosted control plane bringing SSO, RBAC, per-user cost attribution, and spend caps to Claude Code on Bedrock and Google Cloud while keeping inference and usage data in-network (high impact).
- Cato disclosed DuneSlide: two zero-click, CVSS 9.8 RCE flaws (CVE-2026-50548/50549) in Cursor's agent sandbox, triggerable via prompt injection in content the agent merely reads. Fixed in Cursor 3.0 (high impact).
- Squidbleed (CVE-2026-47729), a 29-year-old heap over-read in Squid's FTP parser, was surfaced with Anthropic's Claude Mythos Preview—a concrete example of a frontier model discovering long-hidden memory-safety bugs.
- Claude Code 2.1.198 background agents now auto-commit, push, and open a draft PR on finishing worktree work, plus background-by-default subagents and completion notifications—moving the human role to reviewing finished PRs.
Source coverage
Source rows used: 10