The 2026 incident board

A current snapshot of what’s actually happened, to keep the playbook grounded in real events rather than theory. Treat these as case material - each maps to a section’s threat class. (A snapshot as of June 2026; verify specifics before citing externally.)

| Incident | What happened | Maps to |
| --- | --- | --- |
| GTG-1002 (Nov 2025) | State-sponsored actor used an AI to orchestrate ~80-90% of an espionage campaign against ~30 targets, largely autonomously (as reported by Anthropic) | II.14 Offensive AI |
| Azure SRE Agent - CVE-2026-32173 (CVSS 8.6) | Improper authentication on a network-facing endpoint (SignalR hub) let an unauthenticated attacker disclose sensitive information from the agent over the network | II.7 Infra · III.2 identity |
| Azure MCP Server - CVE-2026-32211 | The MCP server’s authentication layer was simply absent - the concrete example of OWASP MCP07 (insufficient authentication); any reachable client could invoke its tools | II.6 MCP |
| nginx-ui “MCPwn” - CVE-2026-33032 (CVSS 9.8) | The MCP /mcp_message endpoint enforced only an IP allowlist that defaulted to empty (= allow-all), so any network attacker could invoke MCP tools and take over the server. Actively exploited; the finder reports a fix in v2.3.4, but the official CVE record lists 2.3.5 and prior as affected - update to the latest (2.3.6+) | II.6 MCP |
| MCP TypeScript SDK leak - CVE-2026-25536 (CVSS 7.1) | Reusing one server/transport instance across clients caused JSON-RPC message-ID collisions that routed one client’s response to another - a cross-client data leak. Fixed in v1.26.0 | II.6 MCP · II.13 data |
| ShareLeak (CVE-2026-21520, CVSS 7.5) · PipeLeak | Indirect prompt injection in Microsoft Copilot Studio via a SharePoint form field made the agent query connected CRM data and exfiltrate it (Capsule Security). PipeLeak is the Salesforce Agentforce sibling (no CVE assigned). Patching didn’t stop exfiltration - the architecture is the flaw | II.3 injection · II.13 data |
| Boundary Point jailbreaking (UK AISI, Feb 2026; arXiv:2602.15001) | An automated technique that generates universal jailbreaks against even well-defended systems - reinforces that guardrails are a first filter, measured under adaptive attack (II.18) | II.18 bypasses |
| Agentic incident pattern (2026) | Across the incidents listed above, tool-misuse & privilege-escalation are the most common classes; memory-poisoning & supply-chain are rarer but higher-severity and more persistent | II.8 Agentic threats |