Agentjacking: How Fake Sentry Errors Hijack Claude Code and Cursor (2026)

One HTTP POST. No credentials required. 85% success rate against Claude Code, Cursor, and Codex — simultaneously. On June 12, 2026, Tenet Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran disclosed agentjacking: a novel attack class that exploits AI coding agents through manipulated Sentry error reports. The exposure math is sobering — 2,388 organizations are at simultaneous risk, and the only prerequisite is a publicly accessible Sentry DSN.

This isn't a vulnerability in Sentry. It isn't a vulnerability in Claude Code or Cursor or Codex individually. It's a trust model mismatch — Sentry was designed before AI agents existed, and the design decision that made DSNs public (they have to be in client-side JavaScript) creates an attack surface that didn't exist until AI agents started reading observability data and executing diagnostic steps based on what they find there.

The Attack in Precise Terms

Sentry Data Source Names are embedded in JavaScript bundles that ship to browsers. Every user who opens Chrome DevTools on your app can read the DSN. This was an acceptable design when the only consumers of Sentry data were dashboards viewed by engineers and alert pipelines that pinged on-call. It stops being acceptable when an AI coding agent has Sentry read access through MCP and treats error content as authoritative context for autonomous action.