Sentry DSN injection bypasses AI agent trust boundaries via MCP rendering

The attack chain begins with public DSN discovery, followed by POSTs to Sentry ingest containing crafted context keys and markdown that mimic the MCP server's native template. When an agent queries via Model Context Protocol, the payload renders as authoritative diagnostic steps, executing shell commands under developer privileges without touching target infrastructure. Evidence from Tenet’s controlled tests across 100 organizations shows no EDR or WAF triggers because every action appears as legitimate agent behavior. Sentry declined remediation, citing the DSN write-only model as “technically not defensible,” and deployed only a narrow string filter. This decision mirrors earlier supply-chain trust failures where public credentials in client-side code enabled persistent abuse, now extended to autonomous agents that cannot differentiate injected telemetry from genuine crash data. The pattern connects to broader MCP adoption: any external service returning structured data to agents creates an implicit trust boundary that current agent architectures lack. Independent analysis of procurement records shows rapid MCP integration in Cursor and Claude Code without corresponding input sanitization requirements, leaving the same surface exposed across additional monitoring platforms. Next milestones include agent-side schema validation mandates and DSN rotation tooling; absent those controls, similar vectors will surface in Datadog and New Relic integrations within six months.