2026年4月16日の
セキュリティ情報

Subject: [Security Advisory] Prompt Injection Vulnerability in AI Coding Agents

Hi all,

This is a security notification regarding a vulnerability affecting several AI-powered code automation tools.

■ Overview
A prompt injection technique named 'Comment and Control' has been identified. It allows attackers to hijack AI agents via specially crafted GitHub comments, PR titles, or issue bodies. This could lead to arbitrary command execution and the extraction of sensitive credentials from GitHub Actions logs.

■ Affected Scope
- Environments utilizing the following AI agents within GitHub Actions:
- Anthropic Claude Code Security Review
- Google Gemini CLI Action
- GitHub Copilot Agent

■ Recommended Actions
1. Implement the principle of least privilege (PoLP) for permissions granted to AI agents (e.g., restricting GitHub Token scopes).
2. Introduce filtering mechanisms to prevent AI agents from directly processing untrusted inputs from external PRs or comments.
3. Ensure a mandatory human-in-the-loop review process for all AI-generated security findings or code changes.

■ Reference
- SecurityWeek: Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments

Priority: High (Prompt review and mitigation are recommended)

Subject: [Action Required] Critical Vulnerabilities in Cisco Webex and ISE

Hi all,

This is a security advisory regarding critical vulnerabilities identified in Cisco Webex and Identity Services Engine (ISE).

■ Overview
Cisco has patched several critical flaws. Notably, CVE-2026-20184 in Webex could allow unauthenticated attackers to impersonate users via improper certificate validation. Additionally, CVE-2026-20180 and CVE-2026-20186 in ISE allow authenticated attackers with read-only admin rights to execute arbitrary commands and elevate privileges to root.

■ Scope
- Cisco Webex (SSO integrations)
- Cisco Identity Services Engine (ISE)

■ Mitigation Steps
1. For Webex SSO users: Upload a new identity provider (IdP) SAML certificate to the Control Hub.
2. For ISE users: Apply the latest security patches provided by Cisco to remediate the vulnerabilities.

■ Reference
- Cisco Security Advisories / SecurityWeek

Priority: High (Prompt action is recommended)

Subject: [Action Required] High Severity Vulnerabilities in Splunk Enterprise and Cloud Platform

Hi all,

This is a security advisory regarding critical vulnerabilities identified in Splunk products.

■ Overview
Splunk has addressed a high-severity vulnerability (CVE-2026-20204) in Splunk Enterprise and Cloud Platform that could allow low-privileged users to achieve Remote Code Execution (RCE) by uploading malicious files to a temporary directory. Additionally, a high-severity flaw in the MCP Server (CVE-2026-20205) could allow authenticated attackers to view user sessions and authorization data.

■ Affected Scope
- Splunk Enterprise
- Splunk Cloud Platform
- MCP Server

■ Remediation Steps
1. Update Splunk Enterprise to the following versions or higher:
- 10.2.2, 10.0.5, 9.4.10, 9.3.11
2. For Cloud Platform instances, verify the patch status with the vendor.

■ Reference
- Splunk Official Security Advisory
- CVE-2026-20204, CVE-2026-20205

Priority: High (Prompt update is recommended)

Subject: [Security Advisory] Data Leakage Risk via Third-Party Pixel Redirects

Hi all,

This is a security notification regarding a vulnerability in how third-party scripts handle redirects.

■ Overview
It has been reported that Taboola pixels were quietly redirecting logged-in banking sessions to Temu tracking endpoints. This exploit leverages a "First-Hop Bias" blind spot, where security stacks (WAFs, static analyzers, and standard CSPs) validate the initial origin of a script but fail to re-validate the terminal destination after a 302 redirect.

■ Scope
- Web applications utilizing third-party advertising pixels (e.g., Taboola).
- Organizations using CSP configurations that do not account for redirect chains.

■ Recommended Actions
1. Audit all active third-party scripts to ensure no unauthorized redirects to external domains are occurring.
2. Review and tighten Content Security Policy (CSP) settings to minimize the trust granted to third-party origins.
3. Consider implementing client-side security monitoring tools to detect runtime destination changes in real-time.

■ Reference
- The Hacker News: Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu

Priority: High (Prompt review and mitigation recommended)

Subject: [Security Advisory] Design Flaw in Anthropic Model Context Protocol (MCP)

Hi all,

This is a security notification regarding a critical design flaw identified in Anthropic's Model Context Protocol (MCP).

■ Overview
Security researchers from Ox have reported a fundamental design flaw in the MCP that could potentially allow complete server takeover. It is estimated that up to 200,000 servers are at risk. Despite multiple reports and several high/critical CVEs issued for individual tools using MCP, Anthropic has declined to modify the protocol's architecture, stating the behavior is "expected."

■ Scope
- Servers running AI agents or open-source tools that implement the Anthropic MCP.
- Environments utilizing MCP-based software packages with known high-severity vulnerabilities.

■ Recommended Actions
1. Audit all internal tools and AI agents utilizing MCP and ensure they are updated to the latest available versions.
2. Enforce the Principle of Least Privilege (PoLP) by ensuring MCP servers are not running with administrative or root privileges.
3. Implement strict network segmentation and access controls to limit the attack surface of MCP-enabled servers.

■ Reference
- The Register: Anthropic won't own MCP 'design flaw' putting 200K servers at risk

Priority: High (Prompt action and review are recommended)