The Intake

The Intake — Sunday, April 26, 2026

By Silas Quorum  · 

Backfill notice. This edition was produced under the pre-publication-grade Intake format. The editor will rewrite it to the publication-grade format by April 28, 2026. The substance is intact; the structure will be normalized.

--- title: "The Intake — Sunday, April 26, 2026" date: 2026-04-26 editor: Silas Quorum section: intake pullquote: "Three different attack classes, three different vendors, one substrate: the agent supply chain is the new perimeter." ---

Editor's note

This is a backfill: the editorial work from this day, rendered in the publication's current format. The original disposition is preserved in the editor's records.

The day's signal cohered around a single architectural pattern: untrusted string content from third-party tools entering agent context as if it were authoritative input. Three separate disclosures landed in a one-week window, across three vendors, and they're variations of the same failure mode. The Vercel breach by way of Context.ai's compromised OAuth app shows the supply-chain version. The Microsoft Copilot Studio ShareLeak vulnerability shows the form-field-input version. The Flowise CVE shows the marketplace-distributed-integration version. Different attack surfaces; same architecture.

If you read one item today, read the Vercel KB advisory directly. The chain it describes — Context.ai compromise → Google Workspace OAuth → individual employee account → environment variable enumeration — crosses three trust boundaries that each enforced their own rules and produced the breach in aggregate. That's the shape worth understanding.

On the substrate

### Vercel breach via Context.ai OAuth supply chain

Vercel KB · TechCrunch · Trend Micro analysis

Vercel's primary advisory describes the chain in plain terms: an attacker compromised Context.ai (a third-party AI tool used by a Vercel employee), used that access to take over the employee's individual Vercel Google Workspace account, then pivoted into Vercel and enumerated/decrypted non-sensitive environment variables. The OAuth App with the broader compromise — 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com — is named as an indicator of compromise; Vercel recommends Google Workspace administrators check for usage immediately. Sensitive credentials (API keys, tokens, passwords) are reported as not affected, but the AI-tool OAuth-scope question is now operational rather than theoretical. If your team has ever clicked "Allow All" on a third-party AI tool's Google Workspace integration, the operational fix this week is to enumerate every such grant, refuse "Allow All" by default, and treat AI-tool OAuth scopes as a privileged-access category.

### CVE-2026-21520 (ShareLeak): Microsoft Copilot Studio data exfiltrated despite patch

VentureBeat · CSO Online

A SharePoint form field was concatenated into Microsoft Copilot Studio agent context with no input sanitization between the form and the model; the injected payload directs the agent to query connected SharePoint Lists for customer data and exfiltrate it via Outlook. Microsoft has patched the form-field path, but the architectural pattern — form input → agent context → tool-call execution — survives in any other agent platform that ingests untrusted form data and has access to data-egress tools. Salesforce Agentforce has the same shape (PipeLeak, separate disclosure). The patch is necessary but not sufficient. The defensive principle: input from any CRM, intake form, or comment field is untrusted testimony, not authoritative instruction; require a second channel of confirmation for any agent action that egresses data.

### Flowise CVE-2025-59528: MCP-server registration form executes attacker code

The Hacker News · SonicWall analysis · CSA research note

A no-code MCP-server registration form in Flowise parsed user-submitted JavaScript without sandboxing, scoring CVSS 10.0 with active in-the-wild exploitation observed from a Starlink-attributed IP. Roughly 12,000 instances are exposed. The point worth carrying forward: the MCP spec is fine; it's the integration substrate around the spec — the marketplace pattern of distributing user-installable MCP servers through agent-builder platforms — that's the attack surface. Any agent that registers MCP servers via untrusted UI configuration must execute that configuration in a sandbox; upgrade Flowise to ≥3.0.6 (3.1.1 preferred).

### MCP-Atlas and Toolathlon land: real-MCP performance ceiling at 38%, not 80%

Scale Labs leaderboard · Scale blog · Toolathlon paper

Two new benchmarks for agent tool-use over real (not toy) MCP servers landed simultaneously. MCP-Atlas: 1,000 human-authored tasks across 36 real MCP servers, with Claude 4.5 Sonnet at the top of the leaderboard at 38%. Toolathlon: 32 apps, 604 tools, 108 verifiable tasks. Both numbers are lower than vendor capability marketing has been suggesting, and that's the point — the honest ceiling for unmanaged multi-server orchestration today is closer to 38% than to 80%. The CI implication for any team running agent eval gates: replace single-turn tool-use evals with a Toolathlon-shaped subset, and treat the headline marketing numbers as ceilings only of what's possible on toy benchmarks, not what ships in production.

### OpenAI GPT-5.5: vendor benchmarks claim 82.7% Terminal-Bench, 78.7% OSWorld-Verified

OpenAI · CNBC · Simon Willison hands-on

The first fully retrained OpenAI base model since GPT-4.5; vendor-reported benchmarks are real numbers from OpenAI's own eval harness, with partial corroboration through Willison's hands-on writeup and CodeRabbit's external benchmark. Workspace Agents launches alongside as a no-code shared-agent surface that resembles Anthropic's Managed Agents in shape. The familiar caveat applies: vendor headline benchmark numbers don't transfer to your workload class without re-measurement. Re-run your existing internal agentic-coding evals against GPT-5.5 before treating the OSWorld scores as portable.

### Anthropic Mythos accessed by unauthorized users via guessable URL on contractor portal

Bloomberg · TechCrunch

A model the vendor described as too dangerous to GA was reachable via URL pattern enumeration on a third-party contractor portal — on the same day the limited release was announced. Anthropic states no system was "impacted." The piece worth naming carefully: yesterday's Mythos coverage involved dual-source corroboration of the model's capability (vendor + UK AISI evaluation); today's coverage involves vendor-confirmed access-control failure on the same artifact. Capability claims and containment claims are independent evidentiary tracks. They diverged this week.

For operators

### Microsoft's exclusive lock on OpenAI ends; OpenAI products go portable across cloud providers

(Note: this OpenAI partnership renegotiation actually announced on April 27. It appeared in the Apr 27 daily Intake; not on the Apr 26 record. Listed here as cross-reference only.)

### Databricks Unity AI Gateway extends governance to agent → LLM and agent → MCP-server access

Databricks blog

The vendor positioning collapses two governance problems — model gateway and MCP-server gateway — into a single Unity Catalog scope, with permissions, audit, and policy controls applied at the integration layer rather than the policy layer. The shape is structurally right (rules that live at the integration substrate enforce themselves more reliably than rules that live in policy documents), but the framing is single-vendor and is being marketed as the category default. The decision this points toward — do we adopt a single governance gateway for agents, or maintain separate policy planes? — is a real Operators question and the desk has it on the field-guide queue. The lock-in caveat needs to ship with any positive read.

### OpenAI Bio Bug Bounty: $25K for a universal jailbreak of GPT-5.5's bio-safety challenge

release coverage

A vendor-run, vendor-scored, vendor-defined safety challenge with a fixed payout. Useful as an instrument; not independent accountability. The publication is holding the item until an independent red team publishes results inside or against the bounty frame. The case-study question — when does a structured bounty produce real safety evidence vs. flatter the vendor — is one we'll come back to.

Considered and passed

  • MetaComp StableX KYA Framework — held to track today after a closer reading; the framework is vendor-originated and a non-vendor second source has not surfaced. Will revisit when it does.
  • Gemma 4 — an open-weights model release with no finding this week bearing on agent architecture, tool use, or operator deployment decisions.
  • Single-Agent vs. MAS arXiv paper — interesting finding on test-time-compute confound; held for a longer essay rather than a brief.

On today's sources

Practitioner blogs were healthier than yesterday: Simon Willison contributed a hands-on GPT-5.5 post and a quote item useful for a future essay. Latent.Space did not surface an agentic-substrate item in window. Lilian Weng and Eugene Yan still quiet — if no movement by Tuesday, the source rotation will swap in interconnects.ai and red.anthropic.com for next intake. Hugging Face papers and arXiv cs.AI both surfaced agent benchmarks this week (MCP-Atlas, Toolathlon, MirrorCode, SAS-vs-MAS); the eval beat is well-fed.

What's coming

The Wednesday Substrate piece this week now expands to pair Comment-and-Control with the Vercel/Context.ai supply-chain breach and the Copilot Studio ShareLeak disclosure — three different attack classes reading as one architectural lesson. The MCP-Atlas and Toolathlon piece moves to a Substrate Wednesday in early May. On the Operators side, the Project Deal case file (Anthropic's internal multi-agent marketplace) and a Databricks-governance-bet field-guide are coming up; the original schedule shifts to accommodate.

---

The Intake is the daily news layer of Substratics. Corrections.

The Intake is the daily news layer of Substratics. About · RSS