Description
Submission File: ES2512-73d63d33-new-bypass-human-authorization-controls.txt
ID: ES2512-73d63d33
SUBMISSION DATE: 2025-12-24 09:16:24
NAME: Bypass of Human Authorization Controls
DESCRIPTION:
Most AI agents cannot trust their entire context, because it contains
results from untrusted sources such as the internet or the user's input.
One of the known mechanisms used to handle this is 'human-in-the-loop': the
concept requires a user to approve dangerous activities before they run.
References:
https://docs.langchain.com/oss/python/langchain/human-in-the-loop
https://en.wikipedia.org/wiki/Human-in-the-loop
It is possible to see this concept in multiple leading products in the
industry.
The new CWE I want to suggest is the concept of bypass techniques that
allow an attacker to do malicious/dangerous activity without this approval.
There are multiple ways to bypass the human approval, because companies
do a lot to minimize how often human approval is required.
The bypass can stem from a configuration issue, a code issue such as not
restricting the regex enough, an LLM used as a judge that decides whether a
human is required to approve the action, or even an unrelated message being
shown to the human for approval.
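To make the bypass categories above concrete from the defender's side, here is an added example of an approval gate for a hypothetical agent's shell tool. It is not code from any of the products named in this submission. It contrasts a weak gate (a prefix regex that auto-approves anything starting with an allowlisted tool, so the rest of the line is never inspected) with a hardened gate that is deterministic code rather than a model judgment, parses the command into argv, and allowlists the executable and subcommand. It also binds a human's approval to a digest of the exact command shown, so an approval obtained for one message cannot be replayed for a different action. The tool names in the allowlist and the executor are constructed for the example.

```python
"""Added example: approval gate for an agent's shell tool (hypothetical agent)."""
import hashlib
import hmac
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# --- Weak gate: a prefix regex decides what may skip the human ---------------
# Anything whose *prefix* matches an allowlisted tool is auto-approved; the
# remainder of the line (chained commands, redirections) is never examined.
WEAK_AUTO_APPROVE = re.compile(r"^(git|ls)\b")


def weak_requires_approval(command: str) -> bool:
    """Return True when the weak gate would ask a human."""
    return WEAK_AUTO_APPROVE.match(command) is None


# --- Hardened gate: deterministic allowlist over a parsed argv ---------------
# Characters that let one line carry more than a single simple command.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\\\n]")
# executable -> allowed first argument (None means any arguments are fine).
# Constructed allowlist for the example.
SAFE_ARGV = {"git": {"status", "log", "diff"}, "ls": None}


def hardened_requires_approval(command: str) -> bool:
    """Return True when the hardened gate would ask a human.

    The decision is plain code, not an LLM-as-judge, so it cannot be argued
    out of its answer by text in the agent's context.
    """
    if SHELL_METACHARS.search(command):  # chaining, substitution, redirection
        return True
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes and similar parse failures
        return True
    if not argv or argv[0] not in SAFE_ARGV:  # exact executable match only
        return True
    allowed_first = SAFE_ARGV[argv[0]]
    if allowed_first is not None and (len(argv) < 2 or argv[1] not in allowed_first):
        return True
    return False


# --- Approval bound to the exact action the human saw ------------------------
@dataclass(frozen=True)
class ApprovalRequest:
    command: str  # exactly what the human is shown
    digest: str   # what a granted approval is bound to


def build_request(command: str) -> ApprovalRequest:
    return ApprovalRequest(command, hashlib.sha256(command.encode()).hexdigest())


def run_with_gate(command: str, approved: Optional[ApprovalRequest]) -> str:
    """Simulated executor: returns a status string instead of running anything."""
    if not hardened_requires_approval(command):
        return f"ran (auto-approved): {command}"
    if approved is None:
        return "blocked: needs human approval"
    # An approval granted for a different (possibly unrelated) message must not
    # carry over to this command.
    if not hmac.compare_digest(approved.digest, build_request(command).digest):
        return "blocked: approval is for a different command"
    return f"ran (approved by human): {command}"


if __name__ == "__main__":
    for cmd in ("git status", "git status; echo chained", "git push"):
        print(f"{cmd!r}: weak asks={weak_requires_approval(cmd)} "
              f"hardened asks={hardened_requires_approval(cmd)}")
    print(run_with_gate("git push", build_request("git pull")))
```

The weak gate lets a chained line through because the regex only inspects the prefix; the hardened gate refuses any metacharacter, any non-allowlisted executable or subcommand, and any approval whose digest does not match the command about to run. Review the same three properties in a real product: whether the auto-approve check examines the whole action, whether the decision is deterministic, and whether a granted approval is bound to the action that was displayed.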
This type of vulnerability was found in multiple leading products:
- Claude (Anthropic)
- Gemini CLI (Google)
- Cursor
- Copilot (Microsoft)
- Warp
- CodeX (OpenAI)
With over 20 vulnerabilities in total, and it will be presented at RSA (March 2026),
so currently I do not have anything published; most of them lead to major
vulnerabilities classified as high RCEs.