I red-teamed Oracle APEX 26.1's new AI Agent feature in the 72 hours after it went GA. Claude refused 7 of my 10 attacks on its own.

"With a weak system prompt, zero security configured, and a deliberately permissive set of tools, I tried 10 attack patterns against a vulnerable APEX 26.1 AI Agent. Claude refused 7 of them on its own. The 3 that worked are the same 3 every Oracle DBA needs to defend at the tool layer."

Oracle APEX 26.1 went GA on May 14, 2026. Three days later I had a working local install — Oracle AI Database Free 23.26.1.0.0, APEX 26.1.0, ORDS 26.1.1, all inside a Docker container on my Mac — with the new AI Agent + Tools feature wired to Anthropic Claude Sonnet 4.6.

This post covers everything: how I got there, what surprised me about what Oracle actually shipped (versus what was announced), and the red-team experiment that mapped what Claude defends versus what gets through.

The results were the opposite of what I expected.

TL;DR

I red-teamed Oracle APEX 26.1's new AI Agent feature in the 72 hours after it went GA. Claude refused 7 of my 10 attacks on its own.

Other newsrooms on this story

Related reading

AI coding agents breached: attackers targeted credentials, not models |…

Other newsrooms on this story

Related reading

AI coding agents breached: attackers targeted credentials, not models |…

The Claude Code RCE: How Eager Parsing Led to Remote Execution

I Used AI for Code Review on a Production ERP for 6 Months. Here's Where It…

AI agents are only as useful as the tools they can safely touch

You gave your AI agent real tools. Here's the 4-part control layer it's missing…

AI Week in Review 26.02.21