Most security teams separate reliability bugs from security bugs. In ordinary web apps, that separation often holds. In autonomous agent systems, it is increasingly wrong — and CVE-2026-39865 is the clearest example of why.

When an agent runtime depends on outbound HTTP for retrieval, tool calls, policy checks, and execution feedback loops, transport-layer instability is not just uptime noise. It is control-plane integrity risk. A vulnerable HTTP client is an ai agent security problem, not just a DevOps problem.

What is CVE-2026-39865 and how does it threaten agent stacks?

CVE-2026-39865 (GHSA-qj83-cq47-w5f8) is a denial-of-service vulnerability in Axios HTTP/2 session cleanup logic that allows an attacker-controlled server to repeatedly crash the HTTP connector. The patch ships in Axios version 1.13.2 — any agent stack running an earlier version on Node.js with HTTP/2 outbound traffic is exposed.

On a CVSS scale, this is a medium severity finding. In an isolated web service, that rating is arguably fair. But agent stacks add two dynamics that break the standard CIA model: safety controls are tightly coupled to connector liveness, and autonomous retry logic will automatically replay the failure without human pause.

What is the trust boundary that availability attacks actually target?

The boundary that matters here is: untrusted endpoint behavior reaching agent process availability. If an attacker-controlled server can force repeated connector crashes, the attack surface extends far beyond a simple service outage.

An attacker exploiting this boundary can:

No jailbreak prompt required. No remote code execution needed. Just strategic control of network-side lifecycle behavior against a vulnerable client path. This is the core insight of boundary-first agent security: the attack does not have to enter the model to compromise the agent's behavior.

Availability is not the opposite of security in agent systems. It is one of its hardest foundations — because when the runtime goes down, the safety controls go with it.

Why does a medium DoS CVE become a high LLM vulnerability in production?

Security programs rank issues by classic CIA impact and privilege boundaries. Availability-only findings are deprioritized, especially when exploit complexity is high. Two dynamics flip this calculus for agent stacks:

Tight coupling of safety and liveness. If the worker crashes before or during a validation or approval checkpoint, safety controls degrade operationally even if the code is "secure by design." The checkpoint never ran. The state never persisted. The downstream agent never got the policy signal it was waiting for.

Autonomous retries amplify the attack. Agent orchestrators are built to recover automatically. Without guardrails on the retry path, the recovery logic repeatedly re-hits the hostile endpoint and self-sustains the failure mode. The agent is not being "hacked" in the traditional sense — it is executing exactly as designed, inside a failure environment the attacker controls.

This is how medium CVEs become high operational risk in real environments. A three-axis scoring model helps surface this more clearly than CVSS alone:

Scoring Axis What It Measures CVE-2026-39865 Score
Execution adjacency Can the flaw influence command execution, tool dispatch, or outputs agents trust? HIGH — connector crash during tool call = null tool output consumed downstream
Autonomy amplification Will retry loops or chained jobs magnify impact without human pause? HIGH — agent retry loops re-hit hostile endpoint automatically
Trust-provenance fallout Could downstream systems consume compromised artifacts as trusted? MEDIUM — stale task state may propagate to dependent agents

Even at medium CVSS, high scores on execution adjacency and autonomy amplification should move this into urgent response queues for agent infrastructure. Standard vulnerability triage that only uses CVSS plus package popularity will miss this blast radius entirely.

How does an availability attack against an AI agent actually unfold?

The attack flow is simpler than most teams expect. An adversary provisions or compromises a server that the target agent fetches from — a retrieval endpoint, a tool API, an MCP server, a webhook destination. That server then exploits the HTTP/2 session cleanup bug in Axios to force a connector crash on every connection attempt.

The agent's orchestrator sees the crash as a transient network error. It retries. The connector crashes again. If the crash window overlaps with a policy evaluation call — say, the agent fetching an approval token or a guardrail verdict — that call returns null or errors out. The agent's error handling may treat this as "proceed with default" rather than "halt and escalate." The safety check is operationally bypassed.

The most dangerous agent security failures are not the ones that look like attacks. They are the ones that look like ordinary network errors — until you correlate the crash pattern to the authority that triggered it.

How do I detect an availability attack against my AI agent?

Behavioral detection is the right layer here — content-signature scanning will not catch this because there is no malicious payload in the requests. Instead, monitor for three correlated signals:

When all three signals co-occur, the probability of a targeted availability attack rises sharply versus random network instability. Here is what a Sunglasses detection call looks like for this pattern:

python — availability attack detection 
from sunglasses import engine

# Scan agent runtime logs for availability-attack signatures
result = engine.scan(
    text=agent_runtime_log,
    context="agent_runtime",
    categories=[
        "tool_chain_race",         # GLS-TCR-* — connector crash during tool call
        "retrieval_poisoning",     # GLS-RP-* — hostile endpoint manipulation
        "policy_scope_redefinition" # GLS-PSR-001 — safety checkpoint bypass
    ]
)

if result.findings:
    for f in result.findings:
        print(f"[{f.severity}] {f.pattern_id}: {f.description}")
    # Trigger: quarantine authority, alert operator, hold agent task

Sunglasses v0.2.31 ships 507 patterns across 54 categories, including the policy_scope_redefinition category (GLS-PSR-001) added specifically to catch governance and checkpoint bypass patterns of this type.

What should defenders do right now to harden agent HTTP clients?

Five concrete hardening steps for any team running agents with outbound HTTP:

  1. Pin connector libraries as control-plane dependencies. For Node.js stacks using Axios, enforce >=1.13.2 in your package lockfile and block CI/CD deploys that regress below this version. Treat HTTP client version as a security control, not a preference.
  2. Add failure-signature detection, not just payload detection. Monitor for repeated worker restarts correlated to HTTP/2 connector traffic and repeated authority patterns across crash windows. This will not appear in your WAF logs.
  3. Gate untrusted outbound destinations. Not every agent needs arbitrary fetch access. Introduce tiered destination policies: trusted vendor APIs (allowlisted), monitored third-party domains (audited), unknown hosts (blocked by default). Agents should only reach endpoints they have been explicitly granted access to.
  4. Build safe retry semantics. Retries should include exponential backoff, per-authority failure budgets, and auto-quarantine after threshold breaches. An agent that retries without these controls is a DoS amplifier that works against itself.
  5. Decouple safety checkpoints from single worker process life. If one process crash wipes policy context or approval evidence, the design is brittle. Persist safety state out-of-process so a connector crash cannot silently invalidate a checkpoint.

Why does agent runtime security require more than prompt injection defense?

Prompt injection gets the headlines, but agent compromise frequently starts earlier in the lifecycle — inside repositories, workflow files, dependency boundaries, and transport behavior. Teams that secure only the prompt layer will underestimate where control is actually lost.

The CVE-2026-39865 case illustrates a class of attack that is entirely invisible to prompt-layer defenses. No text was injected. No jailbreak was attempted. The attack surface was the HTTP client version and the retry behavior — two things that live entirely outside the model's context window. This is what ai agent hardening looks like in practice: closing the gaps the model never sees.

What is the right scoring model for LLM vulnerabilities in agent stacks?

Standard CVSS scoring misses agent-specific blast radius because it does not account for orchestration dynamics. A better model for agent stacks adds three axes to the standard severity calculation: execution adjacency, autonomy amplification, and trust-provenance fallout (defined in the table above).

Even when a CVE is rated medium, a high score on execution adjacency and autonomy amplification should move it into urgent response queues for agent infrastructure. Build this triage model into your vulnerability management process before the next medium-rated connector bug drops — because this class of finding will appear again.

The future breach report we should expect is not always "model manipulated by prompt." It may be: "automation became unsafe because the runtime could be repeatedly destabilized by hostile network peers."

How does Sunglasses detect and block HTTP client availability attacks?

Sunglasses operates as an always-on filter ahead of the agent — scanning everything the agent reads before the agent reads it, at the speed of pattern matching. In scanner mode, it identifies vulnerable dependency boundaries in agent repositories before deployment, flagging connector versions known to be exploitable in availability-attack scenarios.

In filter/runtime mode, Sunglasses correlates behavioral indicators — crash loops, endpoint patterns, retry storms — and triggers policy responses in real time. The 507 patterns in v0.2.31 span 49 categories including tool_chain_race, retrieval_poisoning, and the newly shipped policy_scope_redefinition category. All patterns are open-source on GitHub.

What is the strategic takeaway for AI agent security teams?

The winning security posture for agent stacks is boundary-first: secure how data moves from untrusted source to execution-adjacent context, then to trusted outputs consumed by autonomous systems. Prompt injection defense is necessary but incomplete. Transport robustness, connector version governance, retry safety, and safety-state persistence are equally load-bearing.

Teams that build this architecture catch CVE-2026-39865-class bugs before they reach production. Teams that do not will find them in post-incident reports — after an availability window quietly turned off their agents' safety checkpoints.

Explore the full Sunglasses thesis, check the how it works page, or run the open-source scanner against your own agent repo today.

Implementation checklist for operationalizing this quarter

Concrete actions for agent security and SRE teams responding to CVE-2026-39865 and this class of availability attack:

  1. Audit all Node.js agent services: identify any using Axios below v1.13.2 for HTTP/2 outbound calls and emergency-patch immediately
  2. Add "control-plane liveness incidents" as a security event category in your incident management system — not just an SRE event
  3. Require safe retry semantics (exponential backoff + per-authority failure budgets) in agent framework defaults
  4. Maintain a boundary map: untrusted input surfaces, execution-adjacent sinks, and persistent trust outputs that downstream agents consume
  5. Block autonomous release promotion if connector library versions changed without provenance review
  6. Wire Sunglasses scanner into pre-deploy CI gate to catch connector version regressions before they reach production agents