Harness AI Agent Security Risks

Category: Platform Operations Agents. Vendor: harness.io. Quadrant: Exposed Giants.

[Figure: AI Risk Quadrant position. Axes: Defense Controls (6) and Attack Surface (5.18). Quadrants: Exposed Giants (this agent), Fortified Leaders, Humble Providers, Tight Operators.]

Headline scores
AIRQ Score | 5.92 | High
Attack Surface | 5.18 / 10 | High
Blast Radius | 6.38 / 10 | High
Defense Controls | 6 / 15 | High
About The Agent

Harness AI is a suite of embedded intelligence agents within the Harness Software Delivery Platform, operating as a cloud-hosted SaaS service with optional self-hosted delegates executing pipeline tasks inside customer infrastructure. The same platform runtime grants tool authority across CI/CD pipelines, infrastructure provisioning, security scanning, and cost optimization through MCP connectors and Knowledge Graph queries. The primary risk surface is the combination of broad tool-execution scope with deployment-pipeline access where a compromised reasoning loop inherits the delegate service account authority.

About the AI Risk Quadrant

Exposed Giants describes agents with moderate-to-high attack surface combined with below-threshold blast radius and partial defense controls. Harness AI lands here because tool execution carries confirmed vulnerability evidence driving the attack surface above the threshold, while blast radius stays below the top band due to operator-scoped delegate deployment and documented policy enforcement. Defense controls earn partial credit from OPA policy evaluation, RBAC boundaries, and MCP write confirmations, but the absence of vendor-enforced input guardrails prevents a higher quadrant placement.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant risk shape is moderate tool-execution exposure with deployment-pipeline blast radius, partially offset by operator-configured policy controls but lacking vendor-enforced input filtering at the agent layer.

Key Input Risks
The agent ingests natural language prompts, Knowledge Graph query results, and MCP tool outputs from third-party integrations without a dedicated prompt-injection filter in the default configuration. CVE-2025-10760, an SSRF in the LookupRepo function [3], confirmed that an attacker-influenced URL in a shared platform path reaches request processing without adequate validation of the destination.
Key Execution Risks
Worker Agents execute pipeline steps via MCP connectors at service account privilege inside customer-managed delegates, which sit at the network trust boundary of the hosting environment. CVE-2025-58158 proved arbitrary file write through path traversal in the Gitness LFS server, a file-handling layer of the platform [1][2].
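The defect class behind CVE-2025-58158, shown as an added example rather than Harness or Gitness code: a client-supplied object identifier is joined onto a storage root without confirming the result stays inside that root, next to a hardened version that enforces identifier syntax and checks containment of the resolved path. The storage root, the sharding layout and the sample identifiers are assumed.

```python
"""Path-traversal containment check for client-supplied object identifiers.

Added example, not Harness or Gitness code. The storage root, the
git-lfs-style sharding layout and the sample identifiers are assumed.
"""
import os
import re

STORAGE_ROOT = "/var/lib/lfs-objects"          # assumed storage root
OID_RE = re.compile(r"^[0-9a-f]{64}$")          # git-lfs object ids are sha256 hex


def unsafe_object_path(root: str, oid: str) -> str:
    """Vulnerable pattern: trust the identifier and join it onto the root.
    os.path.join also discards root entirely when oid is absolute."""
    return os.path.normpath(os.path.join(root, oid))


def is_contained(root: str, candidate: str) -> bool:
    """True only when candidate resolves to a location at or below root."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


def escapes_root(root: str, oid: str) -> bool:
    """Does the naive join of oid onto root land outside root?"""
    return not is_contained(root, unsafe_object_path(root, oid))


def safe_object_path(root: str, oid: str) -> str:
    """Hardened version: strict identifier syntax, a server-chosen on-disk
    layout, and a containment check on the resolved path as a second guard."""
    if not OID_RE.fullmatch(oid):
        raise ValueError(f"rejected object id {oid!r}: not 64 hex characters")
    candidate = os.path.join(root, oid[:2], oid[2:4], oid)   # assumed sharding
    if not is_contained(root, candidate):
        raise ValueError("resolved path escapes the storage root")
    return os.path.normpath(candidate)


# Constructed identifiers: one well-formed, four attempting to escape the root.
SAMPLE_OIDS = [
    "a" * 64,
    "../../etc/cron.d/evil",
    "valid-looking/../../../etc/shadow",
    "../lfs-objects/../../root/.ssh/authorized_keys",
    "/etc/passwd",
]


def audit(root: str = STORAGE_ROOT, oids=SAMPLE_OIDS) -> dict:
    """Map each identifier to how the naive and hardened versions treat it."""
    report = {}
    for oid in oids:
        try:
            hardened = safe_object_path(root, oid)
        except ValueError as exc:
            hardened = f"rejected: {exc}"
        report[oid] = {
            "naive": unsafe_object_path(root, oid),
            "escapes": escapes_root(root, oid),
            "hardened": hardened,
        }
    return report


if __name__ == "__main__":
    for oid, r in audit().items():
        print(f"{oid!r}\n  naive={r['naive']} escapes={r['escapes']}\n  hardened={r['hardened']}")
```

The syntax check alone would already reject every sample here; the containment check is kept as an independent guard so that a later change to the layout (or a bug in the regex) still cannot produce a write outside the root.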
Key Action Risks
Pipeline deployments, infrastructure changes, and promotion triggers fire through automated pipeline stages without per-action operator approval on the default trigger configuration. The highest-blast-radius scope is production deployment access inherited from the delegate service account.
Key Output Risks
Agent outputs flow into pipeline variables, pull request comments, and notification channels without documented DLP or output redaction on the default configuration. The MCP server suppresses secret values from read operations but generated content lacks independent sanitization before reaching downstream consumers.
Key Monitoring Risks
Immutable audit trail with SIEM streaming is enabled by default for platform actions and documented in compliance certifications. AI-specific behavioral monitoring for prompt-injection attempts or anomalous agent reasoning patterns is not documented as a default capability.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Harness AI presents a moderate risk-adjusted profile where deployment-pipeline capability is partially offset by documented action controls and audit infrastructure.

AIRQ Metrics

Harness AI scores 5.18 Attack Surface and 6.38 Blast Radius with 6 Defense Controls, placing it in the Exposed Giants quadrant just above the attack-surface threshold.

Attack Surface is scored out of 10, Blast Radius out of 10, Defense Controls out of 15, and AIRQ is the composite risk-adjusted capability score.

Metric | Score | Comments
AIRQ Score | 5.92 | Moderate composite reflecting partial defense controls offsetting a platform-operations blast radius driven by deployment pipeline access.
Blast Radius | 6.38 / 10 | Deployment pipeline access, code execution via delegates, and network reach through MCP connectors drive the capability envelope.
Attack Surface | 5.18 / 10 | Tool execution and external data ingestion carry agent-specific vulnerability evidence; the completed Lethal Trifecta applies a minimum-score floor.
Defense Controls | 6 / 15 | Action controls and monitoring have documented vendor implementation; input guardrails and execution isolation remain operator-managed.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are the MCP tool-execution interface with confirmed path-traversal vulnerabilities and the external data ingestion path with demonstrated request-forgery via URL manipulation.

Attack Surface Metrics

Higher scores indicate more attacker-controllable input reaching the agent reasoning loop with less vendor-enforced validation on the default configuration.

Each row maps a documented input channel to its base architectural score and any evidence-driven adjustment from confirmed vulnerabilities.

Surface | Score | Comments
User Input | 2 / 4 | Authenticated platform users submit natural language prompts through chat and pipeline-embedded interfaces without a dedicated injection filter on the documented default. [9]
External Data | 3.5 / 4 | Knowledge Graph queries and MCP tool responses introduce third-party content; CVE-2025-10760 proved request forgery through URL manipulation in the shared data path. [3][12]
Memory | 2 / 4 | Knowledge Graph persists structured context across sessions with schema-driven access controls but no documented integrity verification on recalled context. [12]
Reasoning | 2 / 4 | The MCP v2 architecture documents write confirmations and fail-closed semantics but no dedicated chain-of-thought guardrails or reasoning-loop bounds. [5]
Planning | 2 / 4 | Multi-step pipeline orchestration plans execute within OPA policy boundaries when configured; planning depth is bounded by pipeline stage definitions. [11]
Tool Execution | 5 / 4 | MCP connectors grant access to 139 resource types; CVE-2025-58158 proved arbitrary file write via path traversal (CVSS 8.8), confirmed by the published advisory, and the evidence-driven adjustment pushes the score above the 4-point base scale. [1][2]
Orchestration | 2 / 4 | Pipeline orchestration delegates task routing to the platform engine with stage-level RBAC boundaries between pipeline components per the Worker Agents model. [8]
Inter-Agent | 2 / 4 | Worker Agents communicate through the platform pipeline context with shared service account scope and no documented message-level isolation between agents. [8]
Output Processing | 1 / 4 | Agent outputs rendered into pipeline logs and chat responses benefit from MCP secret-value suppression but lack an independent output sanitization layer. [9]
Configuration | 2 / 4 | RBAC roles and secrets management govern agent permissions; the default configuration delegates scope to the service account, with restriction left to the operator. [7]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Harness AI exhibits all three on the documented default: MCP connectors ingest third-party content, delegates access pipeline secrets and deployment credentials, and tool outputs reach external services and notification channels without crossing a system-level exfiltration control.

Lethal Trifecta · Complete (3 of 3)

Harness AI exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — MCP connectors and Knowledge Graph queries pull content from third-party repositories and external services into the reasoning context. [3][12]
  • Sensitive data — Delegates access pipeline secrets, deployment credentials, source code, and infrastructure configurations through project-scoped service accounts. [7][9]
  • External egress — MCP tool outputs, delegate network requests, and notification channels send bytes to external services outside the operator trust boundary. [9][13]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised agent inherits the delegate service account authority spanning pipeline execution, deployment promotion, and infrastructure state management across the operator environment.

Blast Radius Metrics

Higher blast scores indicate wider operator-environment reach from a single compromised agent reasoning loop through the delegate execution model.

Each row ties a blast factor to the specific platform capability and deployment scope the agent holds through delegate service accounts.

Factor | Score | Comments
Code execution | 3 / 4 | Delegates execute shell commands, script runners, and plugin containers at the privilege level of the hosting environment; CVE-2025-58158 proved filesystem write from authenticated access. [1]
File system access | 2 / 4 | Delegate processes access the host filesystem for workspace artifacts, build caches, and deployment bundles within the configured working directory scope. [1][8]
Network access | 3 / 4 | Outbound HTTP from delegates and MCP connectors reaches external services and cloud provider APIs; CVE-2025-10760 proved internal-network request forgery. [3]
Credential access | 2 / 4 | Pipeline secrets, cloud provider credentials, and integration tokens are accessible to delegates through the secrets manager with project-scope inheritance. [7]
Autonomous action | 2 / 4 | Pipeline triggers and scheduled executions can fire deployments without per-action operator confirmation on the default trigger configuration. [11]
Deployment access | 3 / 4 | The platform pushes artifacts to production environments and manages infrastructure state with inherited service account authority confirmed by advisory scope. [2]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor documents OPA policy evaluation, RBAC, MCP write confirmations, and audit logging, but input guardrails and execution isolation remain operator-configured rather than vendor-enforced at the agent layer.

Defense Controls Metrics

Higher defense scores indicate stronger vendor-implemented safeguards reducing the operator hardening burden on the documented default configuration.

Each component is scored on what the vendor implements by default versus what requires operator configuration to activate.

Component | Score | Comments
Input Guardrails | 0 / 3 | No documented prompt-injection filter or input validation layer for data entering the reasoning loop; the MCP redesign focuses on output safety, not input filtering. [5]
Execution Isolation | 1 / 3 | Zero Trust Architecture is opt-in: it pauses delegate execution and sends task context to a security validator, but requires operator deployment and configuration. [4]
Action Controls | 2 / 3 | OPA policies evaluate on pipeline events and the MCP server enforces write confirmations with fail-closed deletes, providing documented per-action governance. [5][11]
Output Guardrails | 1 / 3 | The MCP server suppresses secret values from read responses per the open-source implementation; no documented DLP or URL sanitization for generated content. [9][13]
Monitoring | 2 / 3 | Immutable audit trail with two-year retention, SIEM streaming, and compliance certification documentation; AI-specific anomaly detection is not documented. [6][10]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta chain by restricting MCP connector scope, enforcing Zero Trust delegate validation, and deploying input-layer classification.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require all external data sources feeding the agent to pass through an approved-sources allowlist before reaching the reasoning context.
  • Configuration: Restrict Knowledge Graph query sources to operator-approved repositories only, removing third-party content from the RAG retrieval scope.
  • Engineering: Deploy a prompt-injection detection classifier on MCP tool inputs that blocks suspicious payloads before they enter the agent context window.
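One way to implement the approved-sources allowlist above, which also covers the CVE-2025-10760 SSRF path from the Attack Surface and Blast Radius sections (a URL-influenced fetch reaching internal services). This is an added example, not Harness code: before any request, the scheme must be https, the host must be on an operator allowlist, and every address the host resolves to must be public. The allowlist entries, the sample URLs and the fake DNS table are constructed; in production the resolver is the system one.

```python
"""Approved-source allowlist with SSRF destination validation.

Added example, not Harness code. Allowlist entries, sample URLs and the
fake DNS table are constructed; resolution is injectable so this runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"github.com", "api.github.com", "artifacts.example.com"}  # assumed


def host_allowed(host: str) -> bool:
    """Exact or subdomain match against the allowlist, case-insensitive."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def is_public_ip(addr: str) -> bool:
    """False for loopback, RFC 1918, link-local (including the 169.254.169.254
    metadata endpoint), ULA, multicast and unspecified addresses. IPv4-mapped
    IPv6 is unwrapped first; older Python versions did not treat it as private."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def system_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer the OS returns for the host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(url: str, resolve: Callable[[str], List[str]] = system_resolve
                       ) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, pinned_ip). The caller should connect to
    pinned_ip and send the original hostname, so that a second DNS lookup at
    connect time cannot rebind the name to an internal address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname  # userinfo tricks such as https://trusted@evil/ yield 'evil' here
    if not host:
        return False, "no host in URL", None
    if not host_allowed(host):
        return False, f"host {host!r} not on the approved-sources allowlist", None
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed for {host}: {exc}", None
    if not addrs:
        return False, f"{host} did not resolve", None
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host} resolves to non-public address {addr}", None
    return True, "ok", addrs[0]


# Constructed DNS table: two healthy names and two allowlisted names that have
# been (re)bound to the cloud metadata endpoint and an RFC 1918 address.
FAKE_DNS: Dict[str, List[str]] = {
    "api.github.com": ["140.82.112.6"],
    "github.com": ["140.82.114.4", "2606:4700::1111"],
    "artifacts.example.com": ["169.254.169.254"],
    "cdn.artifacts.example.com": ["::ffff:10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


SAMPLE_URLS = [
    "https://api.github.com/repos/org/repo/contents/README.md",
    "https://github.com/org/repo",
    "http://api.github.com/repos/org/repo",
    "https://api.github.com@evil.example.net/",
    "https://artifacts.example.com/bundle.tgz",
    "https://cdn.artifacts.example.com/bundle.tgz",
    "https://nonexistent.github.com/",
]


def demo() -> Dict[str, Tuple[bool, str, Optional[str]]]:
    """Run every constructed URL through the validator with the fake resolver."""
    return {url: validate_fetch_url(url, fake_resolve) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (ok, reason, ip) in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({reason}{', pin ' + ip if ip else ''})")
```

The allowlist breaks the untrusted-input leg of the trifecta only for sources the operator chose; the resolved-address check is what stops an allowlisted name from being rebound to a delegate-reachable internal service, which is the shape of the SSRF the page cites.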

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Mandate Zero Trust Architecture validation for all delegate deployments so every task is inspected before execution proceeds.
  • Configuration: Configure delegate containers with read-only root filesystems and non-root execution to constrain the file-write primitive.
  • Engineering: Implement network-policy segmentation between delegate pods and production workloads to contain lateral movement from compromised contexts.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Require OPA deny-by-default policies on all production deployment pipelines so no deployment fires without an explicit allow evaluation.
  • Configuration: Configure per-environment approval gates requiring human confirmation before production promotion regardless of trigger source.
  • Engineering: Wire deployment MCP tools to require dual approval through both RBAC permission and runtime OPA evaluation before write operations complete.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Enable DLP scanning on all agent-generated outputs before they leave the platform boundary to prevent credential or sensitive data leakage.
  • Configuration: Configure the MCP server in read-only mode for environments where write operations are not required, eliminating write-back exfiltration channels.
  • Engineering: Implement URL sanitization on agent-generated links in notifications to prevent internal or credential-bearing URLs from reaching external consumers.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Forward all audit trail events to a SIEM with correlation rules alerting on anomalous agent behavior patterns outside historical baselines.
  • Configuration: Enable detailed MCP tool invocation logging with request and response capture to surface prompt-injection attempts as unexpected tool calls.
  • Engineering: Establish baseline metrics for agent action frequency and resource scope, triggering alerts when agents access resources outside their historical pattern.
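The baseline-and-deviation logic the last two tips describe, as an added example that is not Harness code and does not use the Harness audit trail schema: the events are a constructed, simplified JSON-lines shape (timestamp, actor, action, resource, environment) with hypothetical actor names. A training window builds each actor's profile (the action/environment scopes it has used and its busiest hour); a later window is then flagged for unknown actors, scopes outside the profile, and hourly rates far above the baseline.

```python
"""Baseline-deviation detection over agent audit events.

Added example, not Harness code or the Harness audit trail schema. Event
format and actor names are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Training window: the worker only runs dev pipelines and reads the GitHub connector.
BASELINE_LOG = """\
{"ts":"2025-10-01T09:00:00Z","actor":"harness-ai-worker","action":"pipeline.execute","resource":"pipeline/dev-build","env":"dev"}
{"ts":"2025-10-01T09:10:00Z","actor":"harness-ai-worker","action":"connector.read","resource":"connector/github","env":"dev"}
{"ts":"2025-10-01T10:00:00Z","actor":"harness-ai-worker","action":"pipeline.execute","resource":"pipeline/dev-build","env":"dev"}
{"ts":"2025-10-01T10:05:00Z","actor":"harness-ai-worker","action":"pipeline.execute","resource":"pipeline/dev-test","env":"dev"}
{"ts":"2025-10-02T09:00:00Z","actor":"harness-ai-worker","action":"pipeline.execute","resource":"pipeline/dev-build","env":"dev"}
{"ts":"2025-10-02T09:30:00Z","actor":"harness-ai-worker","action":"connector.read","resource":"connector/github","env":"dev"}
"""

# Observation window: a burst in which the worker reads a production secret and
# triggers a production pipeline for the first time, plus an actor never seen.
RECENT_LOG = """\
{"ts":"2025-10-03T09:00:00Z","actor":"harness-ai-worker","action":"pipeline.execute","resource":"pipeline/dev-build","env":"dev"}
{"ts":"2025-10-03T09:02:00Z","actor":"harness-ai-worker","action":"secret.read","resource":"secret/prod-aws-creds","env":"prod"}
{"ts":"2025-10-03T09:03:00Z","actor":"harness-ai-worker","action":"pipeline.execute","resource":"pipeline/prod-deploy","env":"prod"}
{"ts":"2025-10-03T09:04:00Z","actor":"harness-ai-worker","action":"connector.read","resource":"connector/github","env":"dev"}
{"ts":"2025-10-03T09:05:00Z","actor":"harness-ai-worker","action":"connector.read","resource":"connector/github","env":"dev"}
{"ts":"2025-10-03T09:06:00Z","actor":"harness-ai-worker","action":"connector.read","resource":"connector/github","env":"dev"}
{"ts":"2025-10-03T09:07:00Z","actor":"harness-ai-worker","action":"pipeline.execute","resource":"pipeline/dev-test","env":"dev"}
{"ts":"2025-10-03T09:08:00Z","actor":"ci-bot-unknown","action":"pipeline.execute","resource":"pipeline/dev-build","env":"dev"}
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def hour_bucket(ev):
    return ev["actor"], ev["ts"].strftime("%Y-%m-%dT%H")


def build_baseline(events):
    """Per actor: the (action, env) scopes used and the busiest hour's count."""
    scopes = defaultdict(set)
    for ev in events:
        scopes[ev["actor"]].add((ev["action"], ev["env"]))
    max_per_hour = defaultdict(int)
    for (actor, _hour), n in Counter(map(hour_bucket, events)).items():
        max_per_hour[actor] = max(max_per_hour[actor], n)
    return {a: {"scopes": scopes[a], "max_per_hour": max_per_hour[a]} for a in scopes}


def detect(events, baseline, rate_factor=3):
    """Alerts: unknown_actor, new_scope (an action/env pair never seen for this
    actor) and rate (hourly count above rate_factor times the actor's baseline max)."""
    alerts = []
    for ev in events:
        profile = baseline.get(ev["actor"])
        if profile is None:
            alerts.append({"kind": "unknown_actor", "actor": ev["actor"],
                           "ts": ev["ts"].isoformat(), "detail": ev["resource"]})
        elif (ev["action"], ev["env"]) not in profile["scopes"]:
            alerts.append({"kind": "new_scope", "actor": ev["actor"], "ts": ev["ts"].isoformat(),
                           "detail": f"{ev['action']} in env {ev['env']} on {ev['resource']}"})
    for (actor, hour), n in Counter(map(hour_bucket, events)).items():
        profile = baseline.get(actor)
        if profile and n > profile["max_per_hour"] * rate_factor:
            alerts.append({"kind": "rate", "actor": actor, "ts": hour,
                           "detail": f"{n} actions vs baseline max {profile['max_per_hour']}/hour"})
    return alerts


def run():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect(parse_events(RECENT_LOG), baseline)


if __name__ == "__main__":
    for a in run():
        print(f"{a['ts']}  {a['kind']:13} {a['actor']}: {a['detail']}")
```

The scope key is deliberately coarse (action and environment, not the individual resource) so that a new dev pipeline does not page anyone while the first production secret read or production deployment by an agent principal does; a real deployment would learn the baseline from a rolling window rather than a fixed one.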

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Bracketed numbers throughout the report (e.g. [7][13]) refer to the entries below, numbered continuously in citation order across the groups.

Selected Vulnerabilities

  1. CVE-2025-58158: Arbitrary file write in the Harness Gitness LFS server via path traversal; CVSS 8.8, patched in v3.3.0
  2. GHSA-w469-hj2f-jpr5: GitHub Security Advisory confirming CVE-2025-58158, with upgrade path to v3.3.0
  3. CVE-2025-10760: SSRF in the Harness 3.3.0 LookupRepo function, allowing forged requests to internal services

Selected Research

  4. Harness Zero Trust Architecture: Zero Trust delegate validation model that pauses execution and kills non-approved tasks
  5. Harness MCP Server Redesign: MCP v2 safety architecture with write confirmations and secret value suppression

Vendor Documentation

  6. Harness Trust Center: SOC 2 Type II reports, ISO certifications, and AI-specific data privacy documentation
  7. Harness Security Practices: TLS 1.2+, AES-256 at rest, RBAC model, secrets management via KMS integration
  8. Worker Agents Documentation: Worker Agent execution model with RBAC permissions and MCP connector configuration
  9. Harness MCP Server Documentation: 11-tool MCP interface covering 139 resource types with RBAC and secret suppression
  10. Harness Audit Trail: Immutable audit logging with two-year retention and SIEM streaming to external destinations

Other Sources

  11. OPA Policy as Code Quickstart: OPA governance integration evaluating Rego policies on pipeline save and run events
  12. Knowledge Graph Architecture: Tiered data access model with Knowledge Graph before RAG or MCP fallback
  13. Harness MCP Server Repository: Open-source MCP server with RBAC enforcement and HTTPS-only default configuration