Every Old Vulnerability Is Now an AI Vulnerability
Dark Reading (archived Apr 17, 2026)
AI's danger isn't that it's creating new bugs, it's that it's amplifying old ones.
Nik Kale, Principal Engineer, Coalition for Secure AI
April 17, 2026
OPINION
On March 10, 2026, Microsoft patched CVE-2026-26144, a cross-site scripting (XSS) vulnerability in Excel. XSS in Office isn't anything new, but what makes this XSS different is what happens after the script executes.
The vulnerability chains with Copilot Agent mode. An attacker embeds a malicious payload in an Excel file. After a user opens it, the XSS fires without the user ever clicking anything. However, unlike most XSS attacks, which aim to steal a session cookie or redirect the user to a phishing site, this attack hijacks the Copilot Agent and silently exfiltrates data from the spreadsheet to an attacker-controlled endpoint: no user interaction, no visual prompt to indicate that anything had happened. The AI does the exfiltration for you.
Zero Day Initiative's Dustin Childs called it "a fascinating bug" and warned that this attack scenario will become more common. While that is true, it is an understatement. This is not merely a single bug; it marks the start of a new wave of exploits that leverage AI agents' capabilities.
For 30 years, we have categorized vulnerabilities by type, such as XSS, SQL injection, buffer overflow, and path traversal. Based on those classifications, we build detection rules, set patch priorities, and train developers on them. The mental model is that the vulnerability category determines the impact: an XSS steals cookies, an SSRF leaks internal data, and a command injection grants shell access.
AI agents have broken this model. When an AI agent operates inside the application, every traditional vulnerability gains a new capability: autonomous action. The XSS that previously stole a cookie can now instruct Copilot to read every cell in the workbook and post the contents to an external URL. The potential damage is no longer bounded by what the exploit code can do. It is bounded by the permissions granted to the AI agent.
The hardest lesson from production I learned is that the trust boundary between an application and its AI agent is effectively non-existent. Copilot Agent in Excel can read, analyze, and transmit data because that is what Excel does. There is no separate permission layer between "what Excel can access" and "what Copilot can do with that access." When the application is compromised, the AI inherits the compromise automatically.
This concept is what I call "privilege amplification." The bug serves as the entry point, while AI acts as the weapon. The blast radius is determined by the AI agent's access scope rather than the exploit's technical capabilities.
What to Do Beyond Patching
You should patch CVE-2026-26144. That's the minimum required to close the hole. The architectural problem persists across every application that embeds an AI agent or assistant.
Restrict outbound network access from AI-enabled applications. If Excel with Copilot Agent does not require the ability to make arbitrary HTTP requests, block all egress traffic at the network layer to prevent unknown endpoints from being contacted. This single control would limit the exfiltration path for CVE-2026-26144.
Monitor AI-initiated network activity as a distinct detection category. Your DLP and network monitoring tools probably treat user-initiated file uploads and AI-initiated data transfers as the same thing. They should not. Any Excel process that makes HTTP POST requests to unfamiliar endpoints is worth alerting on, especially if the request originated from the AI subsystem rather than a user action.
Reassess AI Assistant permissions in your threat model. When you assessed the risks of installing Copilot, you likely evaluated it as a productivity tool. Look at it again as a privileged agent with both read and network access to everything the host application can access. If this application is compromised, what can the AI agent do with the attacker's commands? If you can't answer that question, your threat model has a gap.
Modify your prioritization for AI-enabled application vulnerabilities. An XSS in Excel might score as medium severity under traditional CVSS. An XSS that can commandeer an AI agent to exfiltrate your entire financial database is a completely different risk. Unless your scoring models are updated to account for AI amplification, security teams will need to increase the priority of vulnerabilities in AI-enabled applications manually.
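The egress-restriction and AI-initiated-traffic recommendations above can be prototyped as a single detection rule. The following is an added example, not code from the article or from any vendor; the event schema, the `initiator` field, and all hostnames are constructed assumptions.

```python
import json

# Assumptions (not from the article): the event schema, the "initiator" field,
# and every hostname below are constructed for illustration.
AI_ENABLED_PROCESSES = {"excel.exe"}
EGRESS_ALLOWLIST = {"assistant.example.com", "files.corp.example"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}

SAMPLE_EVENTS = """\
{"ts":"2026-03-11T09:14:02Z","process":"EXCEL.EXE","initiator":"user","method":"POST","host":"files.corp.example","bytes_out":20480}
{"ts":"2026-03-11T09:14:07Z","process":"EXCEL.EXE","initiator":"agent","method":"POST","host":"api.assistant.example.com","bytes_out":1312}
{"ts":"2026-03-11T09:14:09Z","process":"EXCEL.EXE","initiator":"agent","method":"POST","host":"collect.unknown-endpoint.test","bytes_out":734003}
{"ts":"2026-03-11T09:14:10Z","process":"EXCEL.EXE","initiator":"agent","method":"POST","host":"assistant.example.com.unknown-endpoint.test","bytes_out":512}
{"ts":"2026-03-11T09:15:30Z","process":"EXCEL.EXE","initiator":"user","method":"POST","host":"paste.unknown-endpoint.test","bytes_out":900}
{"ts":"2026-03-11T09:16:00Z","process":"chrome.exe","initiator":"user","method":"POST","host":"collect.unknown-endpoint.test","bytes_out":100}
not-json
"""

def host_allowed(host, allowlist=EGRESS_ALLOWLIST):
    """Exact match or subdomain match on a label boundary, never a substring."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)

def detect(lines):
    """Return (alerts, skipped); each alert is categorised by who initiated it."""
    alerts, skipped = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            proc, method, host = ev["process"].lower(), ev["method"].upper(), ev["host"].lower()
        except (ValueError, KeyError, AttributeError, TypeError):
            skipped += 1  # malformed telemetry is counted, not silently dropped
            continue
        if proc not in AI_ENABLED_PROCESSES or method not in WRITE_METHODS:
            continue
        if host_allowed(host):
            continue
        # Agent-initiated transfers are their own category, ranked above user uploads.
        agent = ev.get("initiator") == "agent"
        alerts.append({"ts": ev.get("ts"), "host": host, "bytes_out": ev.get("bytes_out", 0),
                       "category": "ai_initiated_egress" if agent else "user_initiated_egress",
                       "severity": "high" if agent else "medium"})
    return alerts, skipped

if __name__ == "__main__":
    found, bad = detect(SAMPLE_EVENTS.splitlines())
    for a in found:
        print(a)
    print("unparseable lines:", bad)
```

The fourth sample event shows why the allowlist match is anchored on a label boundary: a hostname that merely begins with an allowed name is still treated as unknown. Events with no `initiator` value fall into the user-initiated category, so the rule is only as good as the telemetry that separates agent actions from user actions.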
CVE-2026-26144 will get patched. People will move on. The pattern won't. Every application shipping an embedded AI agent is creating a new class of post-exploitation capability that our taxonomies, detection rules, and risk models were not designed to address. The Agentic AI era did not create new types of vulnerabilities; instead, it amplified all existing ones. The security teams that recognize this trend will reprioritize accordingly. The ones that don't will keep triaging AI-amplified exploits as medium-severity XSS.
About the Author
Nik Kale
Principal Engineer, Coalition for Secure AI
Nik Kale is a Principal Engineer specializing in AI platforms, cloud security, and enterprise-scale multi-agent systems. He is a member of the Coalition for Secure AI (CoSAI) through OASIS and contributes to IETF working groups on AI agent identity and authorization. He serves on program committees for ACM CCS, ACM AISec, and IEEE S&P (SAG AI).