A credential-theft vulnerability in a sandboxed agentic AI tool called Writer AI could put large enterprises at risk of a one-click attack exposing internal AI data.
Researchers at Sand Security dubbed its proof-of-concept attack WriteOut. The bug was patched by Writer Inc., the San Francisco-based enterprise AI company behind the Writer AI platform.
Sand said that the flaw stemmed from the way the Writer platform handles user cookies and preview sessions.
The attack is particularly insidious, Sand’s said, because it uses an otherwise legitimate sandbox feature to allow for attack. “We found a way to turn the Writer’s managed AI sandbox against the people around it, getting it to hand an attacker the keys to any customer kingdom,” Sand said.
“We dubbed it WriteOut and Writer has since fixed it. Until they did, an outsider could go from having no access to taking over any Writer AI organization inside industry-leading enterprises, with nothing more than a link.”
How the attack worked
In the attack scenario, the threat actor could create a preview file that would then lead into a sandbox session they controlled. When the user clicks on the preview, their session cookies would be exposed to the sandbox.
Once those cookies were harvested, the attacker could then use them to log back into the Writer service. Should those credentials belong to an administrator or highly-privileged user, the threat actor would also be able to access further company data and possibly credentials to move further into the network.
The Sand’s report said an attacker doesn’t need any existing foothold inside a victim’s organization. They build the malicious agent in their own, unrelated Writer account, share a public preview link, and any Writer user at any company who clicks it has their session cookie forwarded straight into the attacker’s sandbox, according to the report.
Writer’s platform reportedly did have input-side filtering meant to catch obvious malicious code, but the filter inspected the submitted instruction text rather than runtime behavior. Sand said it got around the filter by having the agent fetch and execute a remote script rather than embedding the exploit code directly, so the filter saw an innocuous “download and run” instruction instead of the actual payload.
Writer responds
A Writer spokesperson confirmed to Security Point Break the vulnerability and its severity. “This was a real and serious vulnerability that we immediately fixed within 24 hours of notification in May 2026.” The spokesperson said no customer data was compromised and the company has no evidence the flaw was ever exploited maliciously.
Writer’s account of the fix matches Sand’s. Session credentials were removed from sandbox previews entirely, and preview execution was migrated to an isolated origin. Writer said it verified with Sand directly that the session token is no longer reachable from inside the sandbox.
“We are grateful to the Sand Security Research team for their responsible disclosure and their professionalism throughout the process,” the spokesperson said. “This is exactly the kind of collaboration that makes the broader software ecosystem more secure.”
Part of a pattern
WriteOut is the second such disclosure against a major agentic AI platform in recent months. In April, researchers at Pillar Security disclosed a flaw in Google’s Antigravity IDE where a native file-search tool executed outside the boundary that the product’s strictest security setting was meant to police.
Pillar’s Dan Lisichkin wrote that “the security boundary that Secure Mode enforces simply never sees this call,” and argued vendors need to “move beyond sanitization-based controls toward execution isolation”. Google patched the issue after Pillar’s January report.
The mechanism differs from WriteOut — tool-call ordering versus cookie exposure through a preview feature — but the underlying failure is the same: a vendor’s sandbox label conceals a boundary its own controls don’t actually enforce.
The risk category has a name. OWASP’s GenAI Security Project lists “Unexpected Code Execution” and “Agentic Supply Chain Vulnerabilities” among the top-tier risks in its Top 10 for Agentic Applications, published in December, both tied directly to sandbox and runtime-isolation failures.
Why there’s no CVE
No CVE has been assigned to WriteOut. That’s not unusual for this class of bug — vulnerabilities confined to a vendor’s own cloud infrastructure are frequently patched unilaterally on the backend, since there’s no installed product version for customers to track or update themselves, and the fix protects everyone the moment it’s deployed.
That also explains the compressed timeline here: Writer says it fixed the flaw within 24 hours of Sand’s notification in May 2026.
The bigger lesson
Sand noted that Writer is in use by a number of large enterprises to create and manage customer-facing AI agents. Fortunately, to date there have been no recorded attacks on the vulnerability and administrators will not need to do anything as the cloud service has updated itself.
Sand is that enterprises should keep a close eye on activity on their accounts, even if they are pitched as being sandbox secured.
“Your sandbox is not your security. It’s only ever worth the runtime controls that enforce it from the inside such as memory inspection and governance of these, and the finding landed precisely where that enforcement was missing,” the researchers explained.
NVIDIA’s AI red team has made a similar point about agent sandboxing generally, writing that even with mandatory controls like network egress blocking in place, kernel-sharing sandbox designs — the category most cloud AI platforms use — still leave open “remaining potential vulnerabilities”. It’s an independent echo of Sand’s own point about runtime enforcement, not just Sand’s word for it.
“If you operate Writer agents, you’re covered by the fix, but the design lessons apply to anyone building agents inside sandboxes.”