AIDE-014 | Privilege & Authority Abuse | Coverage: D | GAP CANDIDATE | Privilege Escalation

Agent Permission Inheritance Exploitation


Description

Adversary Behavior: An adversary exploits the fact that LLM-integrated coding agents execute operations under the developer's full security context, directing the agent through prompt injection to perform privileged operations that the injected payload alone could not achieve.

AI/IDE Mechanism: LLM coding agents inherit all permissions, tokens, and access rights available to the host user session — including file system permissions, network access, cached credentials (SSH keys, API tokens, session cookies), and process-level capabilities. Unlike traditional privilege escalation which requires bypassing access controls, this technique leverages the architectural design decision of running AI agents with the developer's ambient authority.

Execution Path: Through prompt injection, the adversary directs the agent to perform privileged operations — such as modifying system configurations, accessing protected resources, writing to privileged directories, or invoking administrative APIs. If the developer has elevated privileges (administrator, root, sudo access, or broad cloud IAM roles), the agent inherits these without any additional escalation step.

Security Impact: The adversary gains access to the full scope of the developer's permissions without any escalation exploit. The severity is directly proportional to the privilege level of the hosting developer session, with administrative or root-level developer sessions providing complete system compromise.

Platforms

Windows, macOS, Linux

Detection

Implement least-privilege sandboxing for AI agent execution contexts separate from the developer's ambient session. Monitor for agent-initiated operations that exceed the scope of the current coding task — such as system configuration changes, package installation with elevated privileges, or access to credential stores. Flag agent tool invocations that request administrative APIs or modify security-relevant system files.

Detecting Data Components (1)

Tool Call Request
Events capturing an agent's request to invoke a specific tool, including tool name, arguments, and triggering context.
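The detection guidance above (operations that exceed the scope of the current coding task, elevated package installation, credential-store access, modification of security-relevant system files) can be applied directly to Tool Call Request events. The following is an added example, not part of this technique entry or any agent product: it assumes a constructed event schema (`tool`, `args`, `task_root`, `context`) and assumed lists of credential stores and security-relevant paths, and labels each event with the findings it triggers.

```python
"""Scan Tool Call Request events for operations outside a coding task's scope.

Added example with a constructed event schema (tool, args, task_root, context);
no real agent emits exactly this format.
"""
import posixpath
import shlex

# Assumed lists; extend to match the host's credential and configuration layout.
CREDENTIAL_STORES = ("~/.ssh", "~/.aws", "~/.config/gh", "~/.netrc", "~/.docker/config.json")
SECURITY_FILES = ("/etc/sudoers", "/etc/sudoers.d", "/etc/passwd", "/etc/shadow",
                  "/etc/pam.d", "/etc/ssh/sshd_config")
ELEVATION = {"sudo", "doas", "su", "pkexec"}
PKG_MANAGERS = {"apt", "apt-get", "yum", "dnf", "brew", "pip", "pip3", "npm"}


def _normalize(path: str, home: str) -> str:
    """Expand a leading ~ to the developer home and collapse '..' segments."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(path)


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies inside the root tree."""
    root = root.rstrip("/")
    return root == "" or path == root or path.startswith(root + "/")


def _path_findings(path: str, home: str, write: bool) -> list[str]:
    """Findings for one normalized path touching a sensitive location."""
    found = []
    if any(_under(path, _normalize(s, home)) for s in CREDENTIAL_STORES):
        found.append("credential-store-access")
    if any(_under(path, s) for s in SECURITY_FILES):
        found.append("security-file-modification" if write else "security-file-access")
    return found


def classify_event(event: dict, home: str = "/home/dev") -> list[str]:
    """Return finding labels for one Tool Call Request event (empty = benign)."""
    findings = []
    tool, args = event["tool"], event.get("args", {})
    task_root = _normalize(event["task_root"], home)

    if tool in ("read_file", "write_file"):
        target = _normalize(args["path"], home)
        findings += _path_findings(target, home, write=(tool == "write_file"))
        if not _under(target, task_root):
            findings.append("outside-task-scope")

    elif tool == "run_command":
        try:
            argv = shlex.split(args["command"])
        except ValueError:            # unbalanced quotes: fall back to a crude split
            argv = args["command"].split()
        elevated = bool(argv) and argv[0] in ELEVATION
        base = argv[1:] if elevated else argv
        if elevated:
            findings.append("privilege-elevation")
            if base and base[0] in PKG_MANAGERS:
                findings.append("elevated-package-install")
        # Any path-looking argument is checked against the sensitive locations;
        # command semantics are unknown here, so reads and writes are not distinguished.
        for token in base[1:]:
            if token.startswith(("/", "~")):
                findings += _path_findings(_normalize(token, home), home, write=False)
    return findings


def scan(events: list[dict], home: str = "/home/dev") -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event that triggers at least one finding."""
    out = []
    for i, ev in enumerate(events):
        labels = classify_event(ev, home)
        if labels:
            out.append((i, labels))
    return out


# Constructed sample events for a task rooted at ~/proj.
SAMPLE_EVENTS = [
    {"tool": "write_file", "args": {"path": "~/proj/src/app.py"},
     "task_root": "~/proj", "context": "fix failing unit test"},
    {"tool": "read_file", "args": {"path": "~/.ssh/id_ed25519"},
     "task_root": "~/proj", "context": "fix failing unit test"},
    {"tool": "run_command", "args": {"command": "sudo apt-get install -y jq"},
     "task_root": "~/proj", "context": "fix failing unit test"},
    {"tool": "run_command", "args": {"command": "sudo cp config/sshd_config /etc/ssh/sshd_config"},
     "task_root": "~/proj", "context": "fix failing unit test"},
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["tool"], labels)
```

The first sample event stays inside the task root and produces no finding; the other three are flagged for credential-store access outside the task scope, elevated package installation, and an elevated copy over a security-relevant file. Path normalization happens before every check so that `..` segments and `~` expansion cannot hide a sensitive target.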

Mitigations (2)

Agent Execution Sandboxing
Run AI coding agents in isolated security contexts with least-privilege permissions separate from the developer's ambient session. Implement task-scoped permission grants that restrict agent capabilities to files and tools relevant to the current task.
Credential Isolation from AI Agents
Prevent AI agent processes from accessing the developer's credential stores, SSH key directories, cloud configuration files, and authentication tokens. Use credential proxies that provide task-scoped, time-limited access.
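Both mitigations above, task-scoped permission grants and credential isolation, can be expressed as a policy that runs before each tool call plus an environment builder for the agent process. The following is an added example and not any agent product's real API: the `TaskGrant` model, the tool names, the credential directory names and the environment-variable patterns are all assumptions chosen for illustration. Denials are returned with a reason so they can double as detection events.

```python
"""Task-scoped grants and credential isolation for an agent execution context.

Added example: the TaskGrant model, tool names and environment rules are
assumptions for illustration, not any agent product's real API.
"""
from dataclasses import dataclass
import posixpath
import re
import shlex

# Variables that commonly carry ambient credentials (assumed patterns, used for audit output).
SECRET_ENV = re.compile(
    r"TOKEN|SECRET|PASSW|API_KEY|PRIVATE_KEY|CREDENTIAL|^(AWS|AZURE|GOOGLE|GH|GITHUB|NPM)_|^SSH_AUTH_SOCK$",
    re.I)
# Only these developer variables are copied into the agent environment.
KEEP_ENV = {"LANG", "LC_ALL", "TERM", "TZ"}
# Directory names that hold credentials; never readable or writable by the agent.
CREDENTIAL_DIRS = {".ssh", ".aws", ".netrc", ".docker", ".kube"}
SHELL_META = re.compile(r"[;&|`$<>]")


def build_sandbox_env(dev_env: dict, sandbox_home: str) -> tuple[dict, list[str]]:
    """Return (agent environment, names of credential-bearing variables withheld).

    The agent gets an allowlisted environment and a HOME pointing at an empty
    directory, so ~/.ssh, ~/.aws and similar do not exist from its point of view.
    """
    env = {k: v for k, v in dev_env.items() if k in KEEP_ENV}
    env["HOME"] = sandbox_home
    env["PATH"] = "/usr/local/bin:/usr/bin:/bin"
    withheld = sorted(k for k in dev_env if SECRET_ENV.search(k))
    return env, withheld


@dataclass(frozen=True)
class TaskGrant:
    workspace: str        # the only tree the agent may read or write
    tools: frozenset      # tool names the agent may invoke
    commands: frozenset   # permitted argv[0] values for run_command
    expires_at: float     # unix time after which the grant is dead


def authorize(grant: TaskGrant, call: dict, now: float) -> tuple[bool, str]:
    """Decide one Tool Call Request before execution; returns (allowed, reason)."""
    if now >= grant.expires_at:
        return False, "grant expired"
    tool = call["tool"]
    if tool not in grant.tools:
        return False, f"tool {tool} not granted"

    if tool in ("read_file", "write_file"):
        # Resolve relative to the workspace, then collapse '..' so escapes are visible.
        path = posixpath.normpath(posixpath.join(grant.workspace, call["args"]["path"]))
        if any(part in CREDENTIAL_DIRS for part in path.split("/")):
            return False, "credential store path"
        ws = grant.workspace.rstrip("/")
        if not (path == ws or path.startswith(ws + "/")):
            return False, "outside workspace"
        return True, "ok"

    if tool == "run_command":
        command = call["args"]["command"]
        if SHELL_META.search(command):          # chaining would bypass the argv[0] allowlist
            return False, "shell metacharacters"
        try:
            argv = shlex.split(command)
        except ValueError:
            return False, "unparseable command"
        if not argv or argv[0] not in grant.commands:
            return False, f"command {argv[0] if argv else '<empty>'} not granted"
        return True, "ok"

    return False, "no rule for tool"


def decide_all(grant: TaskGrant, calls: list[dict], now: float) -> list[tuple[bool, str]]:
    return [authorize(grant, c, now) for c in calls]


# Constructed developer environment and a one-hour grant for one task.
DEV_ENV = {"PATH": "/home/dev/.local/bin:/usr/bin:/bin", "HOME": "/home/dev",
           "LANG": "en_US.UTF-8", "AWS_SECRET_ACCESS_KEY": "constructed",
           "GITHUB_TOKEN": "constructed", "SSH_AUTH_SOCK": "/run/user/1000/ssh"}
GRANT = TaskGrant(workspace="/home/dev/proj",
                  tools=frozenset({"read_file", "write_file", "run_command"}),
                  commands=frozenset({"pytest", "git", "ls"}),
                  expires_at=1_700_003_600.0)
SAMPLE_CALLS = [
    {"tool": "write_file", "args": {"path": "src/app.py"}},
    {"tool": "write_file", "args": {"path": "../../../etc/ssh/sshd_config"}},
    {"tool": "read_file", "args": {"path": "/home/dev/.ssh/id_ed25519"}},
    {"tool": "run_command", "args": {"command": "pytest -q"}},
    {"tool": "run_command", "args": {"command": "sudo apt-get install -y jq"}},
    {"tool": "run_command", "args": {"command": "git status && sudo ls /root"}},
]

if __name__ == "__main__":
    env, withheld = build_sandbox_env(DEV_ENV, "/var/lib/agent-sandbox/home")
    print("withheld:", withheld)
    for call, (ok, why) in zip(SAMPLE_CALLS, decide_all(GRANT, SAMPLE_CALLS, 1_700_000_000.0)):
        print("ALLOW" if ok else "DENY ", why, call["args"])
```

The environment is built by allowlist rather than by stripping known-bad names, so an unrecognised credential variable is withheld by default; the regex only exists to report what was withheld. The command allowlist is enforced on `argv[0]` and any shell control character is rejected outright, since `git status && sudo ls` would otherwise pass as a `git` invocation. The grant carries an expiry so that a long-running agent session cannot keep permissions granted for an earlier task.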

Data Sources

Process: Process Creation
Command: Command Execution
User Account: User Account Authentication
File: File Modification

References

mitre-attack
CANDIDATE GAP — Not an official ATT&CK technique. Proposed new technique under Privilege Escalation. Traditional priv-esc techniques (T1548, T1134, T1078) assume adversaries must bypass access controls. Agent permission inheritance is a novel vector where ambient authority is exploited by design.
MCPoison CVE-2025-54136
Demonstrates agent executing privileged operations through MCP tool invocations under developer's security context
https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/
Invitation Is All You Need (Nassi et al., Aug 2025)
Google Assistant exploited via calendar invitation — privilege escalation through delayed tool invocation, IoT manipulation and covert surveillance. 5-stage kill chain.
https://arxiv.org/abs/2508.12175
Devin expose_port (Rehberger, Aug 2025)
AI agent Devin exploited to expose ports to the internet — permission-based lateral movement through inherited OS permissions.
https://embracethered.com/blog/
IDEsaster CVEs
Auto-approved tool calls enable silent privilege escalation; AI agents inherit full developer permissions without re-authorization (Marzouk, 2025-2026)
https://byteiota.com/idesaster-30-cves-hit-cursor-github-copilot-all-ai-ides/
Chinese State-Sponsored Claude Code Manipulation
80-90% autonomous operation exploiting inherited agent permissions across ~30 global targets (SnailSploit, late 2025)
https://snailsploit.com/ai-security/agentic-ai-threat-landscape/
Agent-Fence
Authorization Confusion (0.54 break rate) and Denial-of-Wallet (0.62) across 8 agent architectures (arXiv:2602.07652, Feb 2026)
https://arxiv.org/abs/2602.07652

STIX Metadata

type: attack-pattern
id: attack-pattern--4053a6d7-c4ab-430c-b441-90f2039cbb5e
spec_version: 2.1
created: 2026-02-23T00:00:00.000Z
modified: 2026-02-23T00:00:00.000Z
created_by_ref: identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique: False
x_mitre_version: 0.1
x_mitre_status: candidate