Databricks Genie Agent Security Risks

Category: Data Engineering Agents · Vendor: databricks.com · Quadrant: Tight Operators

AI Risk Quadrant position: Tight Operators (plotted on Defense Controls 8 against Attack Surface 4.8; the other quadrants are Exposed Giants, Fortified Leaders and Humble Providers)

Headline scores
AIRQ Score 4.15 (High)
Attack Surface 4.8 / 10 (Medium)
Blast Radius 3.87 / 10 (Medium)
Defense Controls 8 / 15 (Medium)
About The Agent

Databricks Genie is a text-to-SQL and data engineering AI agent embedded in the Databricks cloud platform, operating in two modes: Genie Spaces (read-only SQL generation against governed data) and Genie Code Agent mode (multi-step code execution in notebooks with user approval). It leverages Unity Catalog for permission enforcement and supports external tool connectivity through MCP servers via the AI Gateway. The primary risk surface is the gap between available governance controls and default-off posture, where input guardrails require explicit configuration and the approval gate in Agent mode can be progressively bypassed.

About the AI Risk Quadrant

Tight Operators placement reflects an agent with a moderate attack surface elevated by the trifecta floor, paired with a limited blast radius constrained by read-only defaults in Genie Spaces and Unity Catalog permission enforcement. This placement means the agent is suitable for production deployment when operators activate the available governance controls (AI Gateway guardrails, deny-by-default egress, inference table logging) rather than relying on defaults alone. Organizations with mature Databricks governance practices will find the hardening path well-defined; those without should complete the hardening checklist before granting broad workspace access.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant risks concentrate in the gap between platform-level governance controls and the agent's default execution posture, where approval gates are bypassable and input filtering is not yet default-on.

Key Input Risks
Untrusted natural-language prompts from any workspace user with CAN RUN access on a Space reach the reasoning loop without a dedicated prompt shield or injection detection layer by default. Operators must enable guardrails on the AI Gateway endpoint that serves Genie and configure block-on-detect to activate input screening. [4][7]
Key Execution Risks
Genie Code Agent mode generates and executes arbitrary Python and SQL in the operator's notebook environment with user-level compute privileges. Operators should configure deny-by-default serverless egress policies and restrict Agent mode access to users with explicit CAN MANAGE permissions to contain this surface. [9][10]
Key Action Risks
Code execution in Agent mode fires with a single confirmation click, and the progressive Always-allow bypass removes the gate entirely for the remainder of the thread. The blast radius of an approved action includes read-write access to any Unity Catalog object the user can reach. [9][8]
Key Output Risks
Genie responses render SQL results, tables, and visualizations directly in the web interface without dedicated output redaction or exfiltration-blocking controls on the response channel. Column masks in Unity Catalog address data-at-rest masking but do not govern the rendered output surface. [7][8]
Key Monitoring Risks
Inference table logging and usage tracking for AI Gateway endpoints are opt-in and require explicit enablement by workspace administrators. No active anomaly detection, automated alerting, or SIEM forwarding ships as a default for Genie interactions. [13][7]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Databricks Genie scores reflect a governed platform agent where available controls meaningfully reduce composite risk when actively configured.

AIRQ Metrics

Genie lands in the Tight Operators quadrant with an attack surface of 4.80, a blast radius of 3.87, and a defense score of 8; the attack score is elevated by the trifecta floor, but the constrained blast radius keeps the composite moderate.

Each axis is scored independently: attack surface out of 10, blast radius out of 10, defense controls out of 15, and the composite AIRQ score out of 15.

Metric Score Comments
AIRQ Score 4.15 Moderate composite signals the agent is deployable with standard enterprise governance but requires active configuration of available controls to reach its intended security posture.
Blast Radius 3.87 / 10 Read-only SQL defaults in Genie Spaces and Unity Catalog permission enforcement contain most blast dimensions to low scores.
Attack Surface 4.8 / 10 The trifecta floor of 4.80 dominates; the raw mean of individual surfaces would score lower without the trifecta condition.
Defense Controls 8 / 15 Platform provides actionable isolation, action controls, and governance primitives, though several require explicit opt-in configuration.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Genie ingests natural-language prompts, Unity Catalog metadata, and external data sources into its reasoning context across both Spaces and Agent mode.

Attack Surface Metrics

Higher scores indicate surfaces where untrusted content reaches the agent reasoning loop with weaker validation gates or wider scope.

Each row scores a distinct input or processing channel by the severity of its default-configuration exposure.

Surface Score Comments
User Input 2 / 4 Natural-language prompts from any user with CAN RUN access enter the reasoning loop without a prompt shield by default [4][7].
External Data 2 / 4 Google Drive and SharePoint connections feed external documents into Genie chat context without content scanning [8].
Memory 2 / 4 Knowledge store instructions and example SQL persist across sessions and influence all subsequent queries in the Space [8].
Reasoning 2 / 4 The LLM reasoning layer processes untrusted prompts mixed with privileged system instructions without separation guarantees [5].
Planning 2 / 4 Agent mode in Genie Spaces generates multi-step research plans that execute iteratively without per-step approval [9].
Tool Execution 2 / 4 Genie Code executes generated Python and SQL with user-level compute privileges; JDBC driver carried a confirmed RCE [2][3].
Orchestration 2 / 4 Multi-step Agent mode orchestrates iterative SQL execution with autonomous hypothesis refinement within a single thread [9].
Inter-Agent 2 / 4 Genie can serve as a subagent via the Genie Spaces API and accepts MCP tool outputs from external servers [13].
Output Processing 1 / 4 Query results render directly in the web UI without dedicated output filtering or exfiltration-blocking controls [7].
Configuration 2 / 4 Platform-level SSRF vulnerability demonstrated unauthorized access to internal Databricks configuration endpoints [1][12].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Genie accepts untrusted prompts from workspace users, reads governed enterprise data via Unity Catalog, and can reach external endpoints through serverless compute with default-unrestricted egress.

Lethal Trifecta · Complete (3 of 3)

Databricks Genie exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Any workspace user with CAN RUN access submits natural-language prompts; external data sources and MCP tool outputs also feed the context [8][13].
  • Sensitive data — Genie reads all data the authenticated user can SELECT via Unity Catalog, which may include PII, financial records, and internal metrics [8].
  • External egress — Genie Code executes in serverless compute with default Full-access egress; responses render in the web UI and MCP connections reach external services [10][13].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Genie session's reach depends on mode: read-only SQL results in Spaces versus code execution with user-level compute privileges in Agent mode.

Blast Radius Metrics

Higher scores indicate blast surfaces where the agent holds default-configuration access without mandatory operator hardening.

Each row maps a blast dimension to Genie's documented default capability and the boundary the platform provides.

Factor Score Comments
Code execution 2 / 4 Genie Code generates and runs arbitrary Python and SQL with user-level privileges after approval; JDBC driver carried RCE [2][11].
File system access 1 / 4 Genie Spaces are read-only SQL; Genie Code can create and edit pipeline files but operates within the notebook workspace boundary [9].
Network access 2 / 4 Serverless compute defaults to Full-access egress; deny-by-default network policies are available but require explicit configuration [10].
Credential access 2 / 4 Unity Catalog per-user credentials enforce data access boundaries; no direct secret store access but user-scoped tokens are available at runtime [8].
Autonomous action 1 / 4 Genie Code requires per-action approval by default; Genie Spaces execute only read-only SQL without approval gates [9].
Deployment access 1 / 4 Genie Code can generate pipeline code but cannot directly deploy to production environments without additional operator workflow [9].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Databricks provides meaningful defense infrastructure including compute isolation, action approval gates, and governance tooling, though several controls require explicit opt-in.

Defense Controls Metrics

Higher scores indicate stronger vendor-provided safeguards available in the default or readily-configurable posture.

Each component reflects vendor-provided controls on the default configuration, with credit for controls that require minimal operator effort to activate.

Component Score Comments
Input Guardrails 1 / 3 AI Gateway guardrails can screen for injection but remain in beta and require explicit administrator configuration on each endpoint [13].
Execution Isolation 2 / 3 Serverless compute provides workload isolation; deny-by-default network policies are available but not the default egress posture [10].
Action Controls 2 / 3 Genie Code requires approval before execution with progressive Always-allow bypass; Genie Spaces are inherently read-only [9].
Output Guardrails 1 / 3 Unity Catalog column masks can redact sensitive fields at the data layer but no dedicated response-level DLP exists [8].
Monitoring 2 / 3 Inference tables and system tables provide audit capability; payload logging via AI Gateway is available but requires opt-in [13][6].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize activating the platform's available controls to close the gap between governance capability and default-off posture.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all Genie-accessible LLM endpoints to route through Unity AI Gateway with guardrails enabled for injection detection [13].
  • Configuration Enable the AI Gateway LLM-based input filter on every Genie-serving endpoint and configure block-on-detect for prompt injection patterns [13].
  • Engineering Deploy a pre-processing layer validating external data source content before it enters the Genie knowledge store or chat context [4].

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Mandate deny-by-default serverless network policies for all workspaces running Genie Code workloads [10].
  • Configuration Configure serverless egress control network policies restricting outbound access to only approved external destinations [10].
  • Engineering Build a compute-environment wrapper that enforces read-only filesystem mounts and drops network capabilities beyond the approved egress allowlist for Genie Code sessions.
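As an added example (not Databricks code or documentation), the following Python audits the two configuration objects that the Input Guardrails and Execution Isolation tips above ask operators to turn on: the AI Gateway settings of the serving endpoint behind Genie and the account-level serverless network policy. It places the default-off shape beside the hardened shape and reports what is still missing, which is the check to run before granting a Space broad access. The field names (guardrails.input.safety, pii.behavior, inference_table_config, usage_tracking_config, restriction_mode, policy_enforcement.enforcement_mode, allowed_internet_destinations) follow the AI Gateway and network policy APIs as I know them; treat them as an assumption to verify against the current API reference. The sample configurations and the catalog/schema names are constructed.

```python
"""Added example, not Databricks code: audit the AI Gateway endpoint settings
and the serverless network policy that the hardening tips above turn on.
Field names follow the AI Gateway and account network policy APIs as I know
them; treat them as assumptions and check the current API reference."""

# Constructed sample: the default-off shape of an endpoint's ai_gateway object.
WEAK_GATEWAY = {
    "guardrails": {"input": {"safety": False, "pii": {"behavior": "NONE"}}},
    "inference_table_config": {"enabled": False},
    "usage_tracking_config": {"enabled": False},
}

# Constructed sample: guardrails on and set to block, payload logging on.
HARDENED_GATEWAY = {
    "guardrails": {
        "input": {
            "safety": True,
            "pii": {"behavior": "BLOCK"},
            "invalid_keywords": ["ignore previous instructions", "system prompt"],
        },
        "output": {"pii": {"behavior": "BLOCK"}},
    },
    "inference_table_config": {
        "enabled": True,
        "catalog_name": "security",          # hypothetical catalog and schema
        "schema_name": "genie_gateway_logs",
        "table_name_prefix": "genie",
    },
    "usage_tracking_config": {"enabled": True},
}

# Constructed sample: the default serverless posture (full-access egress).
WEAK_NETWORK_POLICY = {
    "network_policy_id": "default-policy",
    "egress": {"network_access": {"restriction_mode": "FULL_ACCESS"}},
}

# Constructed sample: deny-by-default with an explicit destination allowlist.
HARDENED_NETWORK_POLICY = {
    "network_policy_id": "genie-deny-by-default",
    "egress": {
        "network_access": {
            "restriction_mode": "RESTRICTED_ACCESS",
            "allowed_internet_destinations": [
                {"destination": "pypi.org", "internet_destination_type": "DNS_NAME"},
            ],
            "policy_enforcement": {"enforcement_mode": "ENFORCED"},
        }
    },
}


def audit_gateway(cfg: dict) -> list:
    """Return the gateway controls that are off or not set to block."""
    findings = []
    guard_in = cfg.get("guardrails", {}).get("input", {})
    if not guard_in.get("safety"):
        findings.append("input safety guardrail disabled")
    if guard_in.get("pii", {}).get("behavior") != "BLOCK":
        findings.append("input PII detection is not set to BLOCK")
    if not cfg.get("inference_table_config", {}).get("enabled"):
        findings.append("inference table (payload) logging disabled")
    if not cfg.get("usage_tracking_config", {}).get("enabled"):
        findings.append("usage tracking disabled")
    return findings


def audit_network_policy(policy: dict) -> list:
    """Return the reasons a network policy is not enforced deny-by-default."""
    findings = []
    access = policy.get("egress", {}).get("network_access", {})
    if access.get("restriction_mode") != "RESTRICTED_ACCESS":
        findings.append("restriction_mode is not RESTRICTED_ACCESS (egress is open)")
    mode = access.get("policy_enforcement", {}).get("enforcement_mode")
    if mode != "ENFORCED":
        findings.append("enforcement_mode is not ENFORCED (dry run only logs violations)")
    for dest in access.get("allowed_internet_destinations", []):
        name = dest.get("destination", "")
        if not name or name.startswith("*"):
            findings.append("over-broad allowlist entry: %r" % name)
    return findings


if __name__ == "__main__":
    for label, cfg, fn in [
        ("weak gateway", WEAK_GATEWAY, audit_gateway),
        ("hardened gateway", HARDENED_GATEWAY, audit_gateway),
        ("weak network policy", WEAK_NETWORK_POLICY, audit_network_policy),
        ("hardened network policy", HARDENED_NETWORK_POLICY, audit_network_policy),
    ]:
        print(label, "->", fn(cfg) or "OK")
```

Feed the two audit functions the JSON returned by fetching the endpoint's gateway configuration and the workspace's network policy, and fail the deployment gate on any non-empty findings list; the dry-run check matters because a policy left in dry-run mode logs egress violations without blocking them.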

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Prohibit use of the Always-allow bypass in production workspaces through workspace-level administrative policy.
  • Configuration Limit Genie Code capabilities to workspace members holding CAN MANAGE on production Spaces via Unity Catalog permission policies [9].
  • Engineering Build automation revoking Always-allow sessions after a configurable timeout to prevent unbounded bypass accumulation.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Apply Unity Catalog column masks on all columns containing PII or sensitive data accessible through Genie Spaces [8].
  • Configuration Enable row-level security policies on tables registered in Genie Spaces to prevent over-broad query result exposure [8].
  • Engineering Deploy a response-scanning proxy between Genie output and the rendering layer to detect credential or PII patterns in results.
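The response-scanning step in the engineering tip above, as an added example that is neither part of this page nor Databricks code: a scanner that runs over a result set before it is rendered, redacts PII patterns in place and withholds the whole response when a credential pattern appears anywhere in it. The pattern set (Databricks personal access tokens, AWS access key IDs, PEM private-key headers, US SSNs, e-mail addresses) is a starting point of my own and not exhaustive; the sample rows are constructed.

```python
import re

# Added example, not Databricks code. Patterns for secrets and PII that should
# not reach the rendered result surface; the set is a starting point, not
# exhaustive, and the names are this example's own.
PATTERNS = {
    "databricks_pat": re.compile(r"\bdapi[0-9a-f]{32}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Secret classes where redaction is not enough: the whole response is withheld.
BLOCK_ON = frozenset({"databricks_pat", "aws_access_key", "private_key"})


def scan_value(value):
    """Return (redacted value, names of the patterns that matched)."""
    if not isinstance(value, str):
        return value, []
    hits = []
    for name, rx in PATTERNS.items():
        if rx.search(value):
            hits.append(name)
            value = rx.sub("[REDACTED:%s]" % name, value)
    return value, hits


def scan_result(rows, block_on=BLOCK_ON):
    """Scan a result set (list of row dicts) before it is rendered.

    PII is redacted in place; a credential anywhere in the result blocks the
    whole response, because an attacker can recover a secret piecewise from
    partially redacted rows across repeated queries.
    """
    redacted, findings = [], []
    for i, row in enumerate(rows):
        out = {}
        for col, val in row.items():
            out[col], hits = scan_value(val)
            findings.extend((i, col, h) for h in hits)
        redacted.append(out)
    blocked = any(h in block_on for _, _, h in findings)
    return {"blocked": blocked, "rows": [] if blocked else redacted, "findings": findings}


# Constructed sample result sets, not real data.
PII_ROWS = [
    {"customer_id": 1, "email": "alice@example.com", "note": "ssn 123-45-6789 on file"},
    {"customer_id": 2, "email": "bob@example.com", "note": "ok"},
]
SECRET_ROWS = [{"key": "api_token", "value": "dapi" + "0123456789abcdef" * 2}]

if __name__ == "__main__":
    print(scan_result(PII_ROWS))
    print(scan_result(SECRET_ROWS))
```

The findings list (row index, column, pattern) is what you forward to the audit trail; the redacted rows are what the UI gets. This complements, rather than replaces, Unity Catalog column masks: masks stop the data from being selected at all, while the scanner catches values that leak through free-text columns a mask never covered.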

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Require inference table logging and AI Gateway payload logging enabled on all Genie-serving endpoints with SIEM forwarding [13].
  • Configuration Enable system tables for audit and configure log export to the organization SIEM with alerting on anomalous query patterns [6].
  • Engineering Build automated detection rules monitoring for bulk data extraction patterns, unusual query volumes, or repeated approval bypasses in Genie sessions.
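The three detection rules in the engineering tip above, as an added example that is not part of this page or of Databricks: a sliding-window rule runner over events in a trimmed-down shape of system.access.audit rows (event time, user, action name, plus a rows-returned count). The action names `executeQuery` and `alwaysAllowCodeExecution` are hypothetical placeholders, as are the thresholds; the events are constructed so that each rule fires for exactly one user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Databricks code. Events are constructed in a trimmed-down
# shape of system.access.audit rows; the action_name values are hypothetical
# placeholders, so map them to the names in your own audit tables.
BASE = datetime(2025, 1, 10, 9, 0, 0)


def event(offset, user, action, rows_returned=0):
    return {
        "event_time": (BASE + offset).isoformat(),
        "user": user,
        "action_name": action,
        "rows_returned": rows_returned,
    }


SAMPLE_EVENTS = (
    # alice: three queries in four minutes that together pull 60,000 rows
    [event(timedelta(minutes=2 * i), "alice@example.com", "executeQuery", 20_000) for i in range(3)]
    # bob: 25 small queries six seconds apart
    + [event(timedelta(seconds=6 * i), "bob@example.com", "executeQuery", 10) for i in range(25)]
    # carol: clicks Always-allow in four different threads within a day
    + [event(timedelta(hours=h), "carol@example.com", "alwaysAllowCodeExecution") for h in range(1, 5)]
    # dave: normal usage
    + [event(timedelta(minutes=30), "dave@example.com", "executeQuery", 100),
       event(timedelta(minutes=40), "dave@example.com", "executeQuery", 250)]
)


def users_over_threshold(events, window, threshold, weight, match):
    """Users whose summed `weight` over any sliding `window` of matching events reaches `threshold`."""
    by_user = defaultdict(list)
    for e in events:
        if match(e):
            by_user[e["user"]].append((datetime.fromisoformat(e["event_time"]), weight(e)))
    flagged = set()
    for user, items in by_user.items():
        items.sort()
        total, start = 0, 0
        for t_end, w in items:
            total += w
            while t_end - items[start][0] > window:   # drop events that fell out of the window
                total -= items[start][1]
                start += 1
            if total >= threshold:
                flagged.add(user)
                break
    return flagged


def is_query(e):
    return e["action_name"] == "executeQuery"


def is_bypass(e):
    return e["action_name"] == "alwaysAllowCodeExecution"


def detect(events):
    """Run the three rules the Monitoring tips call for; thresholds are illustrative."""
    return {
        "bulk_extraction": users_over_threshold(
            events, timedelta(minutes=10), 50_000, lambda e: e["rows_returned"], is_query),
        "query_burst": users_over_threshold(
            events, timedelta(minutes=5), 20, lambda e: 1, is_query),
        "approval_bypass": users_over_threshold(
            events, timedelta(hours=24), 3, lambda e: 1, is_bypass),
    }


if __name__ == "__main__":
    for rule, users in detect(SAMPLE_EVENTS).items():
        print(rule, sorted(users))
```

In production the same rules run as a scheduled query over the audit system table with thresholds set from a baseline of normal per-user volume; the sliding window is what keeps a slow drip of medium-sized queries from slipping under a fixed per-hour count.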

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7][13]) refer to the entries below, which are numbered continuously across the groups.

Selected Vulnerabilities

  1. CVE-2026-33107: Critical SSRF in Azure Databricks allowing unauthenticated privilege escalation over the network (CVSS 9.8); server-side fix applied by Microsoft with no customer action required.
  2. CVE-2024-49194: Databricks JDBC Driver RCE via JNDI injection in the krbJAASFile parameter (CVSS 7.3); patched in driver version 2.6.40 and all current Databricks Runtime versions.
  3. GHSA-jxw2-jvxf-5vrp: GitHub Security Advisory for Databricks JDBC Driver command injection, mapping to CVE-2024-49194; affected Maven package versions 2.0 through 2.6.39.

Selected Research

  4. Mitigating Prompt Injection for AI Agents on Databricks: practical guide from the Databricks Security team applying Meta's Agents Rule of Two framework to secure AI agents operating on the platform.
  5. DASF v3.0 Agentic AI Security Extension: Databricks AI Security Framework version 3.0 adds 35 new agentic AI security risks and 6 new mitigation controls covering agent reasoning, memory, and tool usage.

Vendor Documentation

  6. Databricks Security and Trust Center: platform-level security documentation covering penetration testing by the internal offensive security team, the public bug bounty program, SDLC security integration, and SOC 2 Type II and ISO 27001 compliance.
  7. Databricks AI Assistive Features Trust and Safety: documents data handling for Genie and Genie Code, including zero-retention model partner endpoints, Unity Catalog permission enforcement, and the code execution approval model.
  8. Genie Space Setup and Data Access: documents embedded compute credentials, per-user Unity Catalog data credential enforcement, row-level security, and read-only SQL query generation in Genie Spaces.
  9. Genie Code Agent Mode Usage: documents Genie Code Agent mode capabilities, including multi-step autonomous workflows, code execution approval prompts, and the Always-allow progressive bypass option.
  10. Serverless Egress Control Network Policies: documents deny-by-default network policy mode for serverless workloads including Genie compute, with outbound access restricted to explicitly listed destinations.

Other Sources

  11. Databricks Security Bulletin DB-2024-01: vendor-published security bulletin for CVE-2024-49194 with detailed patching guidance, mitigation via JVM configuration, and confirmation that all Databricks Runtime versions are patched.
  12. Microsoft Security Response Center Advisory for CVE-2026-33107: Microsoft advisory confirming the SSRF in Azure Databricks was fully mitigated server-side, with official fix status and no customer action required.
  13. Unity AI Gateway Guardrails and Observability: announces service policies, LLM guardrails, payload logging, and cost controls for governing AI agents and MCP tool calls through Unity AI Gateway.