AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-fq4x-789w-jg5h: AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)

highvulnerabilityLLM-Specific

security

Source: GitHub Advisory DatabaseJune 18, 2026

Summary

AgenticMail has a security flaw where unauthenticated external emails can trigger a privileged Claude Code session with `permissionMode: 'bypassPermissions'` (a mode that removes safety restrictions). The email's sender address, subject, and preview are embedded directly into the AI's prompt without verification that the sender is the actual operator, allowing prompt injection (tricking the AI by hiding instructions in its input) that could lead to arbitrary code execution and file access under the operator's identity. A similar handler in the same codebase properly authenticates the sender, but the bridge-wake path does not.

Classification

Attack Type

Prompt Injection

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrity

Affected Vendors

Anthropic

Affected Packages

@agenticmail/openclaw@< 0.5.71 (fixed: 0.5.71)@agenticmail/codex@< 0.1.33 (fixed: 0.1.33)@agenticmail/claudecode@< 0.2.39 (fixed: 0.2.39)@agenticmail/core@< 0.9.43 (fixed: 0.9.43)

Related Issues

info

Secure AI agent access patterns to AWS resources using Model Context Protocol

Same vendorAWS Security Blog

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Same vendorTechCrunch

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-fq4x-789w-jg5h

First tracked: June 18, 2026 at 02:00 PM

Classified by LLM (prompt v3) · confidence: 95%