A continuously-updated detection layer is easy to claim and easy to test. The test is one question: does the ruleset already see this week’s attacks? So we ran it on ATR.
This week the GitHub Advisory Database shipped a batch of Critical vulnerabilities in MCP and agent tooling:
- gemini-mcp-tool — CVE-2026-0755, CVSS 9.8 — command injection through an MCP tool parameter.
- PraisonAI — four CVEs: a `parse_mcp_command` CLI argument injection, an MCP path-traversal `.pth` RCE, a `tool_override.py` unauthenticated RCE, and an auth-disabled-by-default config.
- agentic-flow, network-ai, dbt-mcp — the same shape: untrusted content reaching a shell through a tool call.
Every one of these is the same underlying pattern — a poisoned input flows through a tool parameter into execution. The attacker needs no account; they need the agent to read something. That sameness is the point: it means the attacks are detectable, if your rules are current.
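To make the pattern concrete, here is an added illustration (not code from gemini-mcp-tool, PraisonAI or the ATR rules): the vulnerable and hardened forms of a tool handler side by side, plus a runtime check of the kind a rule could apply to tool-call arguments. The `summarize` tool, its `path` parameter and the `summarizer` binary are hypothetical placeholders.

```javascript
// Added example, not from gemini-mcp-tool, PraisonAI or ATR. Tool name,
// parameter and binary are hypothetical placeholders.

// VULNERABLE shape: the tool parameter is spliced into a shell string, so a
// value carrying shell syntax changes which command actually runs.
function vulnerableBuildCommand(path) {
  return `summarizer --input "${path}"`; // meant for exec(), i.e. /bin/sh -c
}

// HARDENED shape: no shell at all. The parameter travels as one argv entry,
// intended for execFile("summarizer", args); metacharacters stay literal.
function hardenedArgv(path) {
  return ["summarizer", ["--input", path]];
}

// Runtime check a rule layer could apply to every string argument of a tool
// call before it reaches a handler. Content matching is noisy (legitimate
// text contains "$" or "&"), so it is a signal for review, not a verdict.
const SHELL_META = /[;&|`$<>\n]/;         // chaining, piping, redirection, expansion
const SUBSTITUTION = /\$\(|`|\$\{/;        // $(...), `...`, ${...}
function flagToolArgument(value) {
  const reasons = [];
  if (SHELL_META.test(value)) reasons.push("shell-metacharacter");
  if (SUBSTITUTION.test(value)) reasons.push("command-substitution");
  return reasons;
}

// Scan one MCP-style tool call ({ name, arguments }) and report findings.
function scanToolCall(call) {
  const findings = [];
  for (const [param, value] of Object.entries(call.arguments ?? {})) {
    if (typeof value !== "string") continue;
    const reasons = flagToolArgument(value);
    if (reasons.length) findings.push({ tool: call.name, param, reasons });
  }
  return findings;
}

// Constructed sample: a benign call and one whose parameter smuggles a
// second command, as a poisoned document an agent reads might supply.
const SAMPLE_CALLS = [
  { name: "summarize", arguments: { path: "notes/q3-report.txt" } },
  { name: "summarize", arguments: { path: "notes.txt\"; echo injected; \"" } },
];
function scanAll(calls) {
  return calls.flatMap(scanToolCall);
}
```

The structural fix (argv array, no shell) is what closes the bug; the argument scan only surfaces calls worth a look and will flag benign text that happens to contain shell syntax.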
What ATR catches today
- gemini-mcp-tool (CVSS 9.8) — covered. ATR-2026-01931 detects the `execAsync` command injection and the `@file` exfiltration path.
- PraisonAI — all four CVEs — covered. ATR-2026-00540 (CLI command injection), 00544 (path-traversal `.pth` RCE), 00545 (`tool_override` RCE), and 00528 (auth-disabled config).
- agentic-flow / network-ai / dbt-mcp — the same command-injection-through-a-tool-parameter shape; generic rules catch part of it, and dedicated rules are being written.
Two of this week’s five CVE families already have dedicated detection — including every PraisonAI CVE and the 9.8 in gemini-mcp-tool — within days of disclosure.
Why “within days” is the whole story
The gap between a CVE landing and a dedicated rule shipping is the metric that matters for agent security, because the attack patterns repeat across tools. A committee-driven framework measures that gap in weeks or quarters. An open, continuously-updated rule layer measures it in days — and shrinking. That is the difference between a checklist and a defense that keeps up.
Every ATR rule maps back to OWASP Agentic and LLM Top 10, MITRE ATLAS, NIST AI RMF, ISO 42001, and the EU AI Act, so “we detect this week’s CVE” also means “here is where it sits in the framework you report against.” Open standard, MIT-licensed, free to adopt.