Sources — Excessive Agency

Every real incident, CVE, and mitigation in this lesson is backed by a primary source. Links verified June 2026.

Attribution & License
The OWASP Top 10 for LLM Applications is published by the OWASP Foundation under Creative Commons BY-SA 4.0. This lesson is a derivative work — scenarios, definitions, and mitigations are adapted from the official OWASP LLM06:2025 entry with attribution. This site is independent and unaffiliated with OWASP.
OWASP Primary Source
LLM06:2025 Excessive Agency — OWASP Gen AI Security Project [STANDARD]
OWASP Foundation · 2025
Cited for: official definition, three root causes, all example attack scenarios, mitigation categories — slides 3, 4, 14–25
View on OWASP →
CVEs & Vulnerability Records
CVE-2025-53773 — GitHub Copilot Remote Code Execution via Prompt Injection [CVSS Critical]
NVD / Microsoft · Patched August 2025
Cited for: opening story (slides 1–2), Attack Pattern 4 (slide 13), Scenario 3 analogue (slide 16), mitigations M3 and M6 (slides 21, 24)
NVD record →
CVE-2025-54136 — MCPoison: MCP Tool Poisoning [Critical]
Invariant Labs / TrueFoundry · First Disclosed April 2025
Cited for: Attack Pattern 3 — MCP Tool Poisoning (slide 12), mitigation M5 (slide 23)
TrueFoundry writeup →
Researcher Disclosures & Incident Reports
GitHub Copilot RCE via Prompt Injection — Embrace The Red [DISCLOSURE]
Embrace The Red (Johann Rehberger) · August 2025
Cited for: technical detail on YOLO mode exploit, invisible Unicode evasion, C2 demonstration — slides 1, 13
Read writeup →
Data Exfiltration from Slack AI via Indirect Prompt Injection — PromptArmor [DISCLOSURE]
PromptArmor · August 2024
Cited for: Slack AI overpowered data access, indirect injection mechanism, private-channel exfiltration via clickable URLs — slides 6, 10, 19
Read disclosure →
Slack AI Can Leak Private Data via Prompt Injection — The Register [DISCLOSURE]
The Register · August 2024
Cited for: independent coverage of the Slack AI incident, Salesforce-Slack acknowledgement — slide 10
The Register →
MCP Tool Poisoning: Enterprise AI Agent Security 2026 — ITECS [RESEARCH]
ITECS Online · 2026
Cited for: 200,000 vulnerable MCP instances figure, MCPTox benchmark results (60–72% attack success rate) — slide 12
Read report →
OWASP GenAI Exploit Round-up Report Q1 2026 [RESEARCH]
OWASP Gen AI Security Project · April 2026
Cited for: agentic AI CVE growth (+255.4%), OpenClaw crisis statistics, 21,000+ exposed instances — slides 6, 11
OWASP report →
Mitigation References
AI Agent Security Cheat Sheet — OWASP [DEFENSIVE]
OWASP Cheat Sheet Series · 2025
Cited for: least-privilege implementation guidance, human-in-the-loop patterns, external authorization enforcement — slides 19–22
OWASP cheat sheet →
AWS Well-Architected Generative AI Lens — Least Privilege for Agentic Workflows [DEFENSIVE]
Amazon Web Services · 2025
Cited for: GENSEC05-BP01 — minimum scope and permissions boundaries for agentic workflows — slides 19, 20
AWS guidance →
Mitigate Excessive Agency in AI Agents with Zero Trust — Auth0 [DEFENSIVE]
Auth0 / Okta · 2025
Cited for: OAuth on-behalf-of patterns, external authorization enforcement, user-context execution — slides 20, 22
Auth0 blog →