Data Privacy & Security Weekly AI News
June 15 - June 23, 2026Weekly signal
This week (June 15–23, 2026) produced three tightly related signals for data privacy & security in the agentic AI era: a demonstrated one‑click data‑exfiltration chain affecting Microsoft 365 Copilot (SearchLeak), an actively exploited control‑plane vulnerability in a widely used AI gateway (LiteLLM) with a U.S. federal remediation deadline, and a vendor push toward brokered zero‑trust controls for agents. Together these items show attackers chaining classic web bugs and AI prompt/vector weaknesses to turn agents into high‑value exfiltration and pivot points; vendors and regulators are reacting with emergency patches, KEV listings, and new product patterns for agent identity and access control.
What changed
-
Varonis Threat Labs publicly disclosed "SearchLeak" on June 15, 2026: a three‑stage chain (parameter‑to‑prompt injection + HTML rendering race + Bing SSRF) that can make Microsoft 365 Copilot Enterprise search leak mailbox, calendar, SharePoint and OneDrive content to an attacker-controlled server with a single click. Microsoft has assigned CVE‑2026‑42824 and applied server‑side remediation.
-
BerriAI LiteLLM (an open AI gateway) has a high‑severity command‑injection flaw (CVE‑2026‑42271). The project posted a security advisory and patched in v1.83.7; CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of June 22, 2026 because of active exploitation. Compromise of LiteLLM installations exposes stored API keys and can lead to full control of downstream AI infrastructure.
-
Vendors are rolling agent‑specific controls: Zscaler announced an "AI Broker" / zero‑trust approach for agent-to-agent and agent‑to‑data flows, emphasizing agent registries, least privilege and telemetry for intent inspection. This commercial trend maps directly to the operational gaps exploited in the incidents above.
What to do with it
- Patch and verify: apply Microsoft/LibreLLM/LiteLLM server patches and verify fixes on June 15–22, 2026; rotate any API keys or credentials that were stored in affected gateways.
- Treat agents as identities: implement least‑privilege agent identities, ephemeral creds, and an agent registry or directory so you can revoke or audit agent permissions quickly.
- Network controls & CSPM: block untrusted MCP/A2A endpoints, apply egress filtering (prevent SSRF chains), and use allowlists that don’t inadvertently create server‑side fetch proxies.
- Threat hunting & telemetry: prioritize logs for agent‑triggered searches, unexpected streaming html responses, and anomalous bing / server fetch patterns; look for exfiltration to image‑request endpoints.
- Short checklist for next 72 hours: (1) inventory agent gateways and Copilot Enterprise tenants; (2) confirm patches; (3) rotate keys; (4) enforce reverse‑proxy rules or WAF blocks for vulnerable endpoints; (5) update IR playbooks.
Do not just read about agents. Build one that runs.
Create an agent from a short prompt, connect a gateway later, and pay mainly for active runtime.
Hosted agent
OpenClaw or Hermes