Skip to content

feat: AVE-2026-00057, 00058, 00059 -- three new records#50

Merged
chaksaray merged 1 commit into
developfrom
add-3-records
Jul 17, 2026
Merged

feat: AVE-2026-00057, 00058, 00059 -- three new records#50
chaksaray merged 1 commit into
developfrom
add-3-records

Conversation

@chaksaray

Copy link
Copy Markdown
Contributor

Summary

  • AVE-2026-00057: obfuscated/encoded skill payload designed to evade static scanners
  • AVE-2026-00058: deceptive skill trigger or activation-scope manipulation via misleading manifest description
  • AVE-2026-00059: fragmented cross-tool-description prompt injection reassembled at a planted trigger (ShareLock-class)

Each record ships with a real regex-based detection rule in rules/pattern/ and a positive/negative fixture pair in tests/fixtures/, per this repo's own record-addition workflow.

During review, two owasp_mcp classifications were corrected against crosswalks/ave-to-owasp-mcp.md (the repo's own MCP-code legend), not just pattern-validated:

  • 00057 was missing MCP03 (Tool Poisoning) alongside MCP04 (Software Supply Chain Attacks) -- the closest existing analog, AVE-2026-00029 (also an Obfuscation class), maps to both.
  • 00058's original MCP09 (Shadow MCP Servers) was a flat mismatch -- this record is about a skill's own deceptive manifest, not an unauthorized/unregistered server. Replaced with MCP03 + MCP06 (Tool Poisoning, Intent Flow Subversion).

mitre_atlas: AML.T0051 on 00059 was verified against MITRE ATLAS's own published technique name ("LLM Prompt Injection") via web search, not assumed from the existing corpus's (inconsistent) convention.

Test plan

  • python3 scripts/validate_records.py -- all 59 records valid against schema/ave-record-1.1.0.schema.json
  • python3 scripts/check_rule_coverage.py -- all 59 records have detection rules
  • python3 scripts/check_fixtures.py -- all 59 rules have positive and negative fixtures
  • python3 -m pytest tests/ -q -- 118 passed, including the 6 new fixture tests (rule fires on positive, stays silent on negative)
  • AIVSS arithmetic independently recomputed for all three records, matches published aivss_score
  • severity agrees with aivss.aivss_score banding for all three
  • Grepped all three records for bawbel-scanner, bawbel scan\b, bawbel-gate, DESIGN.md -- zero matches

…ception, fragmented injection

Three new records plus their detection rules and fixtures:

- AVE-2026-00057: obfuscated/encoded skill payload designed to evade
  static scanners (base64/hex/marshal decode fed directly into eval/exec)
- AVE-2026-00058: deceptive skill trigger or activation-scope
  manipulation via misleading manifest description
- AVE-2026-00059: fragmented cross-tool-description prompt injection
  reassembled at a planted trigger (ShareLock-class), cited to the
  original research plus Microsoft's 2026 MCP security checkpoint

owasp_mcp corrected against the repo's own crosswalks/ave-to-owasp-mcp.md
legend during review: 00057 was missing MCP03 (Tool Poisoning) alongside
MCP04, and 00058's original MCP09 (Shadow MCP Servers) was a flat
mismatch, replaced with MCP03+MCP06 (Tool Poisoning, Intent Flow
Subversion). mitre_atlas AML.T0051 on 00059 verified against MITRE's own
published technique name (LLM Prompt Injection), not just pattern-matched.

All three validated against schema/ave-record-1.1.0.schema.json, AIVSS
arithmetic independently recomputed, and each has a real regex-based
detection rule whose positive/negative fixtures pass tests/test_fixtures.py.
@chaksaray
chaksaray merged commit 2fbf3dd into develop Jul 17, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant