A Public Sentry Key Is All It Takes to Hijack Claude Code, Cursor, and Codex. No Breach Required.

Since Tenet Security's agentjacking disclosure earlier this month, the research has moved from a niche security discussion into a formal threat classification. The Cloud Security Alliance designated agentjacking as a systemic Model Context Protocol vulnerability class within days of the original disclosure.

What the Attack Actually Does

The Model Context Protocol, introduced by Anthropic in late 2024, gives AI coding agents a standardized way to connect to external tools: databases, cloud infrastructure, observability platforms, error-tracking services. Claude Code, Cursor, and OpenAI Codex CLI all support MCP natively, according to the Cloud Security Alliance's Lab Space analysis.

Sentry, one of the most widely deployed error-tracking platforms in the industry, released an MCP server that lets coding agents query error events, retrieve stack traces, and invoke Sentry's own AI root-cause analysis tool. When a developer tells their agent to "fix the top error from this sprint," the agent pulls data from Sentry and treats it as trusted diagnostic context.

Sentry's Data Source Name credential is, by design, public. It has to be: client-side JavaScript needs to report errors from applications in the field without an authenticated session. This architecture predates AI agents entirely.

Six Steps, Zero Alarms

Tenet's attack sequence, as described in the Cloud Security Alliance writeup, requires no breach and no stolen credentials. An attacker finds a Sentry DSN through routine reconnaissance: inspecting a target's JavaScript bundle, searching GitHub for known DSN patterns, or querying Censys or Shodan for traffic to Sentry's ingest endpoint. The DSN is public. Sentry's ingest endpoint accepts POST requests from anyone who presents it.

The attacker then crafts a fake Sentry error event, formats it to visually mimic Sentry's own diagnostic templates, and submits it directly to Sentry's unauthenticated endpoint. The Sentry MCP server returns it as authentic output. The AI agent reads the injected instructions as legitimate diagnostic context and executes them using the developer's full system privileges.

EDR, WAF, IAM, and the firewall all missed it. No signature fired. According to VentureBeat's coverage of Tenet's research, the victim saw only benign-looking diagnostics while the agent silently exposed cloud credentials and source-control tokens.

Tenet tested over 100 targets in controlled conditions and achieved an 85% success rate. One captured Claude Code environment held a live AWS secret access key and private repository URLs. Sentry acknowledged the architecture flaw, characterizing it as "technically not defensible," according to VentureBeat.

How Wide Is the Exposure

Tenet identified 2,388 organizations with publicly exposed Sentry DSN credentials that could be used to inject malicious events at scale. That number represents potential exposure, not confirmed exploitation. The research is proof-of-concept.

The attack surface extends beyond Sentry. VentureBeat's analysis notes that Datadog, PagerDuty, and Jira share the same structural exposure if they are MCP-connected and the agents consuming their data can execute shell commands. The specific data formats differ, but the trust assumption is identical: the agent treats data from a connected tool as authoritative and acts on it.

The Security Gap Nobody Built For

The strongest version of the counterargument deserves a fair hearing. SOC teams and security vendors designed their tooling for a specific threat model: a human or automated process making unauthorized requests. Signature-based detection, IAM policies, and perimeter controls all operate on that model. They aren't failing because they're poorly built. They're failing because the threat model changed underneath them.

When a developer runs `npm install`, it looks identical in the logs to an AI agent running `npm install` because an attacker poisoned a Sentry error event. That distinction did not need to exist before AI coding agents became production tools. The security stack cannot make it because nobody designed it to.

An Okta and Apprize360 survey of 292 executives and 492 knowledge workers, cited by VentureBeat, found that only 34% of organizations apply the same security controls to AI agents as to human employees. Separately, 58% of executives reported an AI-related security incident or close call in the prior year, and 52% of employees use unapproved AI tools.

Five independent surveys from the first half of 2026 reached the same conclusion: enterprise trust in AI agents far exceeds what current enforcement mechanisms can actually verify.

What Organizations Can Do Now

Revoking Sentry DSNs is not the fix. The DSN's public exposure is load-bearing for how Sentry works. The mitigation, per VentureBeat's analysis of Tenet's recommendations, is restricting what agents are permitted to do with the data those DSNs return, specifically limiting which MCP-connected sources can trigger shell command execution.

The Cloud Security Alliance's classification of agentjacking as a systemic MCP vulnerability class is significant because it moves the issue from one vendor's problem to a protocol-level concern. Anthropic introduced MCP in late 2024 and has not yet publicly addressed whether the protocol itself needs architectural guardrails to prevent trusted data sources from becoming injection vectors. That remains an open question as of June 29, 2026.