The Agentic Web’s First Stumble
Just months after Microsoft’s Build conference spotlighted NLWeb—a new “HTML for the Agentic Web” protocol designed to enable ChatGPT-like AI search for any website or app—a severe security flaw has been discovered, calling into question the company’s claims of a security-first approach to AI product design.
NLWeb quickly gained traction among high-profile pilot customers such as Shopify, Snowflake, and TripAdvisor. The discovery of an easily exploitable flaw that enabled remote attackers to read sensitive files—including configuration data and precious AI model API keys—underscores the imperative to balance innovation with robust security safeguards as AI agents become foundational to modern web infrastructure.
The Flaw: A Textbook Path Traversal Vulnerability
As reported by The Verge, security researchers Aonan Guan and Lei Wang independently reported that NLWeb’s reference implementation contained a path traversal vulnerability: a classic issue where an attacker can tamper with URLs to access files outside intended directories. By simply crafting a malformed URL, remote, unauthenticated users could extract secrets such as environment files (.env) and API credentials for large language models like OpenAI’s GPT-4 or Gemini.
Guan, a senior cloud security engineer at Wyze (acting independently), described the risk as “catastrophic” for any AI-driven system:
“These files contain API keys for LLMs like GPT-4, which are the agent’s cognitive engine. An attacker doesn’t just steal a credential; they steal the agent’s ability to think, reason, and act, potentially leading to massive financial loss from API abuse or the creation of a malicious clone.”
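To make the bug class concrete, here is an added illustration (not code from the NLWeb repository or from the researchers) of the pattern a path traversal review looks for: a naive static-file resolver beside a hardened one, exercised against a constructed directory holding a dummy .env one level above the web root. Function names and the static/ layout are assumptions.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_unsafe(static_root: str, request_path: str) -> str:
    """Vulnerable pattern: join the URL path onto the document root and trust the result.
    The filesystem honours '..' segments, so the final path can land outside static_root."""
    return os.path.join(static_root, unquote(request_path).lstrip("/"))


def resolve_safe(static_root: str, request_path: str) -> Optional[str]:
    """Hardened pattern: decode, canonicalise, then require the result to stay inside the
    root. Returns None when it escapes; the caller should answer 404 and log the attempt."""
    root = os.path.realpath(static_root)
    candidate = os.path.realpath(os.path.join(root, unquote(request_path).lstrip("/")))
    # commonpath rather than startswith, so that /srv/static-old does not pass as /srv/static.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Builds a throwaway tree (constructed sample data, not a real deployment) with a public
    asset under static/ and a dummy .env one level above it, then exercises both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        static = os.path.join(tmp, "static")
        os.mkdir(static)
        with open(os.path.join(static, "app.js"), "w") as fh:
            fh.write("// public asset\n")
        with open(os.path.join(tmp, ".env"), "w") as fh:
            fh.write("OPENAI_API_KEY=placeholder-not-a-real-key\n")  # constructed dummy value
        traversal = "../.env"        # plain form
        encoded = "%2e%2e%2f.env"    # URL-encoded spelling of the same request
        asset = os.path.realpath(os.path.join(static, "app.js"))
        return {
            # The naive resolver hands back a readable path to the secret file.
            "unsafe_reaches_env": os.path.isfile(resolve_unsafe(static, traversal)),
            # The hardened resolver refuses both spellings of the escape ...
            "safe_blocks_env": resolve_safe(static, traversal) is None,
            "safe_blocks_encoded": resolve_safe(static, encoded) is None,
            # ... while still serving the legitimate asset.
            "safe_serves_asset": resolve_safe(static, "app.js") == asset,
        }


if __name__ == "__main__":
    print(demo())
```

A deployment audit can apply the same containment check to every handler that turns a request path into a filesystem path, and should treat a None result as a signal worth logging rather than a silent 404.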
Timeline: From Discovery to Patch
Here’s how the situation unfolded:
- May 2025: Guan and Wang report the path traversal vulnerability to Microsoft, just weeks after NLWeb’s public debut at Build.
- July 1, 2025: Microsoft issues an out-of-band security update to patch the flaw; however, the company declines to assign a CVE (Common Vulnerabilities and Exposures) identifier, breaking with routine industry practices for responsible disclosure and transparency.
- August 2025: Security blogs and news outlets reveal the vulnerability in detail, warning that NLWeb deployments not updated since July 1 remain exposed.
Impact and Risks: Who Is Affected?
While Microsoft asserts that its own products do not use the impacted open-source code, the company’s statement admits that anyone deploying NLWeb from its repository is potentially at risk:
“This issue was responsibly reported and we have updated the open-source repository. Microsoft does not use the impacted code in any of our products. Customers using the repository are automatically protected.” — Microsoft spokesperson Ben Hope to The Verge
Nevertheless, the responsibility for patching still falls squarely on users who must rebuild and redeploy NLWeb instances to remain secure—otherwise, their environments may allow “unauthenticated reading of .env files containing API keys” and other sensitive information.
Potential Consequences
- Credentials Exposed: Stolen API keys can be used to hijack the entire AI agent, potentially leading to costly model abuse and service disruption.
- Supply Chain Risks: Third-party platforms adopting NLWeb, such as Shopify or TripAdvisor, could inadvertently expose a broad spectrum of user-facing services.
- AI Poisoning: Attackers could clone or manipulate AI agents, opening new vectors for fraud, disinformation, and data breaches.
Why Was Such a Simple Flaw Missed?
The flaw’s presence—a basic security oversight long known to developers—raises questions about Microsoft’s internal security review processes, especially given the company’s much-vaunted “security-first” approach following high-profile attacks in previous years. Critics and researchers note that while innovation accelerates, security considerations cannot lag behind:
“This case study serves as a critical reminder that as we build new AI-powered systems, we must re-evaluate the impact of classic vulnerabilities, which now have the potential to compromise not just servers, but the ‘brains’ of AI agents themselves.” — Aonan Guan
The Missing CVE
A major sticking point has been Microsoft’s reluctance to issue a CVE. CVEs allow vulnerabilities to be tracked and managed in a standardized way, ensuring that security teams and enterprise customers receive clear, actionable alerts. The absence of a CVE for this incident means that some organizations may remain unaware of the risk, despite the patch being available in the public repository.
Model Context Protocol (MCP) Also Under Scrutiny
NLWeb isn’t alone in facing scrutiny. As Microsoft expands its Model Context Protocol (MCP) for Windows—designed to let AI agents access context and tools across an operating system—security researchers have warned of similar risks, ranging from data leaks to rogue tool chaining and insufficient authentication. Vigilance in development and prompt, transparent security responses are critical, especially as enterprises deploy increasingly autonomous AI agents.
Lessons for the Future of AI-Powered Platforms
- Patch Promptly: All users of NLWeb must immediately update and redeploy to eliminate the vulnerability.
- Demand Transparency: Security disclosures must be standardized, with CVE assignments for all critical vulnerabilities, no matter how new or narrow the technology.
- Balance Speed and Security: Rapid feature development should not outpace basic secure coding practices, particularly for protocols underpinning the next generation of the web.
- Learn from the Past: Classic web security lessons remain vital even as platforms become more intelligent and complex.
Microsoft’s public embrace of open-source AI tools is a bold bet, but this episode highlights how foundational security will dictate the pace and safety of AI’s integration into everyday digital experiences. Enterprises, developers, and end-users alike must be vigilant as the “Agentic Web” continues to evolve.
If you use NLWeb, check your deployments now—and stay tuned to msftnewsnow.com for ongoing security updates and AI protocol insights.