Nuka-AI: AI Orchestration Research Series
Investigating Security Trust Gaps in AI Frameworks
Welcome to the central research hub for the Nuka-AI Research Series. This initiative, led by JDP Security, focuses on identifying architectural trust gaps and critical persistence vectors in modern AI ecosystems.
Our findings establish the empirical foundation for a proposed new category in emerging agentic safety standards: Insecure AI Orchestration. This vulnerability class represents the structural breakdown of isolation boundaries between configuration, code, and untrusted data, which systematically results in AI Orchestration Poisoning: the state where an orchestration engine's downstream execution path, logic, or runtime environment is untrusted and hijacked.
Active Research Tracks
**Case File 01: Insecure AI Orchestration -> Plan Poisoning via Downstream Execution Type Confusion (Semantic Kernel)**

- Status: [PUBLIC DISCLOSURE RELEASED]
- CVSS: 10.0 (CRITICAL)
- Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Target: Microsoft Semantic Kernel (.NET) v1.47.0 to v1.74.0

This research analyzes an inherent flaw in AI orchestration where non-deterministic LLM output is directly promoted to a trusted administrative input for system-level tool execution. By exploiting Execution Type Confusion and Late Canonicalization during the framework's native planning phase, an attacker can achieve AI Orchestration Poisoning of the planner itself, hijacking the pipeline to execute Unauthenticated Remote Code Execution (RCE). This case study demonstrates that current mitigations for CVE-2026-25592 fail to secure the orchestration boundary, allowing attackers to force autonomous agents to overwrite host application logic.

Forensic Evidence & White Paper: The full technical breakdown, including the exploit harness, forensic `.cast` recordings, and recommended middleware filtering, is now live. READ THE FULL DISCLOSURE: NUKA-AI-2026-001
**Case File 02: Insecure AI Orchestration -> Environment Poisoning via Default Host Containment Delegation (Microsoft Agent Framework)**

- Status: [PUBLIC DISCLOSURE RELEASED]
- CVSS: 10.0 (CRITICAL)
- Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Target: Microsoft Agent Framework (v1.0.0) | claude-agent-sdk (v0.1.48)

This research documents a container escape vulnerability resulting from an "insecure-by-default" orchestration design. The framework automatically maps the host's Docker socket (`/var/run/docker.sock`) into the runtime agent environment, delegating host containment integrity to the non-deterministic intent of the LLM. Through targeted prompt injection, an attacker can manipulate the tool-execution pipeline to query the host daemon, bypass container sandboxing entirely, and achieve root-level host compromise. This showcases how failing to validate orchestration boundaries allows complete poisoning of the local execution environment.

Forensic Evidence & White Paper: The complete technical white paper, global GitHub repository risk audits, and AST filter middleware are now live. READ THE FULL DISCLOSURE: NUKA-AI-2026-002
**Case File 03: Insecure AI Orchestration -> State Poisoning via Storage Primitive Path Traversal (LlamaIndex)**

- Status: [PUBLIC DISCLOSURE RELEASED]
- CVSS: 10.0 (CRITICAL)
- Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Target: LlamaIndex | llama-index-core (v0.14.19 and below)

This research documents an architectural vulnerability involving unanchored directory resolution within internal framework state management. By leveraging a Path Traversal (CWE-22) flaw inside core orchestration storage primitives, an attacker can escape the framework sandbox to overwrite host application source code. This results in the complete poisoning of framework state storage, forcing the engine to serve untrusted artifacts. Forensic analysis identifies that the vendor addressed this through an undocumented "Shadow Patch" strategy, leaving legacy deployments in a vulnerable "False Green" state.

Forensic Evidence & White Paper: The technical breakdown, including PoC exploitation and manual path-anchoring remediation, is now live. READ THE FULL DISCLOSURE: NUKA-AI-2026-003
**Case File 04: Insecure AI Orchestration -> Tool Binding Orchestration Poisoning (LangChain)**

- Status: [PUBLIC DISCLOSURE RELEASED]
- CVSS: 10.0 (CRITICAL)
- Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Target: LangChain Core & Ingestion Utilities

This disclosure details a severe trust gap within dynamic tool orchestration pipelines. When processing untrusted context from external data sources, the pipeline permits indirect prompt injections to maliciously manipulate runtime binding configurations. This lack of deterministic orchestration control allows an attacker to poison downstream schemas, overriding runtime tool execution logic to trigger unauthorized data extraction or system-level command execution without alerting standard application logging layers. This serves as the definitive baseline case for Orchestration Poisoning via input flow manipulation.

Forensic Evidence & White Paper: The complete threat modeling analysis, pre-sink input validation policies, and forensic tracking metrics are now live. READ THE FULL DISCLOSURE: NUKA-AI-2026-004
**Case File 05: Insecure AI Orchestration -> Runtime Dependency Poisoning via Deserialization Evasion (Deepset Haystack)**

- Status: [PUBLIC DISCLOSURE RELEASED]
- CVSS: 10.0 (CRITICAL)
- Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Target: Deepset Haystack (`haystack-ai`)

This research investigates a critical trust boundary violation within framework deserialization layers (`from_dict` and `from_yaml`). Security configuration directives passed via untrusted incoming payloads are implicitly trusted by the deserialization sink, enabling attackers to programmatically toggle the framework's `unsafe` parameter from `False` to `True`. The resulting boundary evasion facilitates remote code execution (RCE) that can be extended to modify core library source files on disk. This presents the ultimate lifecycle risk of AI Orchestration Poisoning, where transient data ingress achieves permanent infrastructure compromise.

Forensic Evidence & White Paper: The architectural risk review, runtime virtual patching middleware, and live forensic terminal records are now live. READ THE FULL DISCLOSURE: NUKA-AI-2026-005
April/May 2026 Disclosure Timeline
- April 28, 2026: Case File 01: Insecure AI Orchestration -> Plan Poisoning [ACTIVE] CVSS: 10.0 (CRITICAL)
- May 5, 2026: Case File 02: Insecure AI Orchestration -> Environment Poisoning [ACTIVE] CVSS: 10.0 (CRITICAL)
- May 12, 2026: Case File 03: Insecure AI Orchestration -> State Poisoning [ACTIVE] CVSS: 10.0 (CRITICAL)
- May 12, 2026: Case File 04: Insecure AI Orchestration -> Tool Binding Poisoning [ACTIVE] CVSS: 10.0 (CRITICAL)
- May 13, 2026: Case File 05: Insecure AI Orchestration -> Runtime Dependency Poisoning [ACTIVE] CVSS: 10.0 (CRITICAL)
- June 5, 2026: **Industry Retrospective: The Fallout** [Ecosystem Post-Mortem]
Inquiries: JDP.sec@proton.me | Nuka.AI@proton.me