Static matrix. Generated nightly. Source manifests under
agent_audit_kit/data/.
| CVE / disclosure | Title | Status | Covering rule(s) |
|---|---|---|---|
| CVE-2025-66335 | apache-doris-mcp-server SQL injection | covered | AAK-DORIS-001 |
| CVE-2025-66414 | MCP Python SDK StreamableHTTP DNS rebinding | covered | AAK-DNS-REBIND-001, AAK-DNS-REBIND-002 |
| CVE-2025-66416 | MCP Python SDK StreamableHTTP DNS rebinding (companion) | covered | AAK-DNS-REBIND-001, AAK-DNS-REBIND-002 |
| CVE-2026-20205 | splunk-mcp-server token-cleartext logging | covered | AAK-SPLUNK-TOKLOG-001, AAK-LOG-TOKEN-LEAK-001 |
| CVE-2026-23744 | MCPJam Inspector vendored fork | covered | AAK-MCP-INSPECTOR-CVE-2026-23744-001 |
| CVE-2026-27825 | Atlassian MCP RCE chain | covered | AAK-MCP-ATLASSIAN-CVE-2026-27825-001 |
| CVE-2026-32211 | Azure MCP server-author missing auth | covered | AAK-MCP-SERVER-AUTH-001 |
| CVE-2026-33032 | MCPwn twin-route middleware asymmetry | covered | AAK-MCPWN-001 |
| CVE-2026-35402 | mcp-neo4j-cypher Cypher-injection | covered | AAK-NEO4J-001 |
| CVE-2026-35568 | MCP Java SDK StreamableHTTP DNS rebinding | covered | AAK-DNS-REBIND-001, AAK-DNS-REBIND-002 |
| CVE-2026-35577 | Apollo MCP server StreamableHTTP DNS rebinding | covered | AAK-DNS-REBIND-001, AAK-DNS-REBIND-002 |
| CVE-2026-39313 | mcp-framework HTTP-body DoS | covered | AAK-MCPFRAME-001 |
| CVE-2026-40576 | excel-mcp-server path traversal | covered | AAK-EXCEL-MCP-001 |
| CVE-2026-40608 | next-ai-draw-io body-accumulation DoS | covered | AAK-NEXT-AI-DRAW-001 |
| CVE-2026-41481 | langchain-text-splitters validate-then-fetch SSRF | covered | AAK-LANGCHAIN-SSRF-REDIR-001 |
| CVE-2026-41488 | validate-then-fetch DNS-rebind / TOCTOU SSRF | covered | AAK-LANGCHAIN-SSRF-TOCTOU-001 |
| CVE-2026-6494 | MCP tool log-injection | covered | AAK-LOGINJ-001 |
| OX-MCP-2026-04-15 | Upstream MCP SDK STDIO command-injection inheritance | covered | AAK-ANTHROPIC-SDK-001, AAK-STDIO-001, AAK-MCPWN-001 |
| OX-MCP-2026-04-25 | MCP StdioServerParameters config-to-spawn taint | covered | AAK-MCP-STDIO-PARAMS-001, AAK-MCP-MARKETPLACE-FETCH-001 |

| Attack ID | Title | Status | Covering rule(s) |
|---|---|---|---|
| PA-AIRS-001 | Prompt injection via tool description | covered | AAK-MCP-FHI-001, AAK-DEEPSEEK-V4-MOE-TOOL-INJ-001 |
| PA-AIRS-002 | Prompt injection via document loader | covered | AAK-IPI-WILD-CORPUS-001 |
| PA-AIRS-003 | Tool-call SSRF via untrusted URL | covered | AAK-SSRF-001, AAK-SSRF-002, AAK-CREWAI-CVE-2026-2286-001 |
| PA-AIRS-004 | Tool-call command injection | covered | AAK-TAINT-001, AAK-MCP-002, AAK-MCPWN-001 |
| PA-AIRS-005 | Sandbox escape via unsafe interpreter mode | covered | AAK-CREWAI-CVE-2026-2275-001 |
| PA-AIRS-006 | JSON / YAML loader path traversal | covered | AAK-CREWAI-CVE-2026-2285-001, AAK-LANGCHAIN-PROMPT-LOADER-PATH-001, AAK-EXCEL-MCP-001 |
| PA-AIRS-007 | MCP STDIO config-to-spawn taint | covered | AAK-MCP-STDIO-PARAMS-001, AAK-STDIO-001 |
| PA-AIRS-008 | MCP transport DNS rebinding | covered | AAK-DNS-REBIND-001, AAK-DNS-REBIND-002 |
| PA-AIRS-009 | Token logging in cleartext | covered | AAK-SPLUNK-TOKLOG-001, AAK-LOG-TOKEN-LEAK-001 |
| PA-AIRS-010 | Cross-tenant agent role escalation | covered | AAK-OPENCLAW-PRIVESC-001, AAK-A2A-002 |
| PA-AIRS-011 | Indirect prompt injection via PR title / commit metadata | covered | AAK-PRTITLE-IPI-001 |
| PA-AIRS-012 | Tool-poisoning via adversarial description suffix | covered | AAK-MCP-FHI-001 |
| PA-AIRS-013 | Validate-then-fetch SSRF (redirect bypass) | covered | AAK-LANGCHAIN-SSRF-REDIR-001, AAK-LANGCHAIN-SSRF-TOCTOU-001 |
| PA-AIRS-014 | MoE-routed tool description injection | covered | AAK-DEEPSEEK-V4-MOE-TOOL-INJ-001 |
| PA-AIRS-015 | Social-agent auto-reply hijack | covered | AAK-TIKTOK-AGENT-HIJACK-001 |
| PA-AIRS-016 | Cross-tier economic drift in multi-model pricing | covered | AAK-PROJECT-DEAL-DRIFT-001 |
| PA-AIRS-017 | OAuth scope creep via third-party agent SDK | covered | AAK-OAUTH-3P-001, AAK-OAUTH-3P-BROAD-001 |
| PA-AIRS-018 | MCP marketplace fetch SSRF + spawn | covered | AAK-MCP-MARKETPLACE-FETCH-001 |
| PA-AIRS-019 | GitHub Actions tag-pinned third-party Action | covered | AAK-GHA-IMMUTABLE-001 |
| PA-AIRS-020 | Agent prompt-loader path traversal | covered | AAK-LANGCHAIN-PROMPT-LOADER-PATH-001, AAK-CREWAI-CVE-2026-2285-001 |
| PA-AIRS-021 | Runtime DLP — agent egress without redaction | runtime-only | — |
| PA-AIRS-022 | Live attack-tree red-teaming | runtime-only | — |
| PA-AIRS-023 | Memory poisoning persistence | runtime-only | — |
| PA-AIRS-024 | Live tool-call replay detection | runtime-only | — |
| PA-AIRS-025 | Adversarial multimodal payload | catalog-private | — |