TLP:CLEAR — Security Research Brief · Browser Automation & LLM Data Exposure June 2026  ·  Security Research / Agentic AI Systems  ·  Sources verified

Security Research / Agentic AI Systems — Primary Finding

Your passwords are in the LLM's context window.

Browser automation tools that drive AI agents send page DOM, accessibility trees, and screenshots to cloud LLM APIs — and without deliberate mitigations, sensitive form fields including passwords, session tokens, SSNs, and credit card numbers travel with them.

Vulnerabilities found across 8 browser agents (arXiv 2512.07725)
30
CVEs issued for agentic browser data exposure, 2025
3
AI security incidents, 2023→2024 (Stanford HAI)
+56.4%
SECTION 01 / WHAT GETS SENT

The three data streams that reach your LLM provider

Every action step in a browser agent involves at least one — and often all three — of the following representations of the current page state being serialized into the LLM prompt:

Data streamContentsSensitive data riskDefault behavior
Accessibility tree snapshot Role, name, state, and description of every DOM element: textboxes, labels, buttons, current values Critical — password field labels and values appear verbatim Sent on every step unless filtered
Screenshot (vision mode) Full-page image, processed by vision-capable model via OCR-equivalent interpretation Critical — anything visible on screen, including autofilled credentials Enabled by default when use_vision=True
Raw DOM / page text Semantic text extracted from page, potentially including hidden elements High — hidden form field values, data attributes, inline JS variables Used as fallback or enrichment

A single Amazon product page generates 100,000–150,000 tokens of raw HTML; accessibility-tree pruning reduces this to a workable size while still preserving the semantic structure that includes all form field states. The arXiv paper Building Browser Agents: Architecture, Security, and Practical Solutions (2511.19477) confirms that "form field contents — potentially including passwords — are transmitted within accessibility tree snapshots sent to the LLM" and treats snapshot filtering as a mitigation, not a default.

# What the LLM actually sees in an unmitigated browser-use step:
ref=12 textbox 'Email' value='[email protected]' focusable
ref=13 textbox 'Password' value='hunter2!' type=password focusable
ref=14 checkbox 'Remember me' checked
ref=15 button 'Sign in'

# This snapshot is serialized into the API request body
# and transmitted to Anthropic, OpenAI, or whichever provider handles the step.

— Terminal trace: unmitigated browser-use serialized accessibility snapshot

The Brave Security Blog (Unseeable Prompt Injections in Screenshots, Oct 2025) documents the screenshot vector in detail: both Perplexity Comet and the Fellou browser were found to transmit extracted screenshot text "to the LLM without distinguishing it from the user's query" — meaning visible page content overrides the trust boundary entirely.

SECTION 02 / KNOWN INCIDENTS & CVEs

Disclosed vulnerabilities and confirmed data-exposure events

Microsoft 365 Copilot — EchoLeak CVE-2025-32711 · Critical
Title Zero-click email exfiltration via AI inbox summarizer
Detail Disclosed June 2025. An attacker sends a specially crafted email containing hidden LLM instructions. When the recipient asks Copilot to summarize their inbox, the agent silently exfiltrates sensitive documents to an external attacker-controlled server — no user interaction beyond opening the AI assistant required. This is the most direct documented case of browser-adjacent AI processing leaking sensitive data: the mechanism is the LLM consuming untrusted content and acting on embedded instructions, the exact risk model that applies to all browser agents.CRITICAL
Cursor IDE — CurXecute CVE-2025-54135 · Critical
Title Remote code execution via prompt injection in README
Detail CVSS 9.8. Attackers hide malicious prompts inside a repository's README. When a developer opens the project in Cursor, the AI coding assistant executes arbitrary commands on their machine. Demonstrates the prompt injection surface extends to any content the LLM agent consumes — not just web pages.CRITICAL
LangChain Core CVE-2025-68664 · Critical
Title Deserialization flaw allows environment variable exfiltration
Detail CVSS 9.3. LangChain's dumps() and dumpd() serialization functions fail to escape user-controlled dictionaries with 'lc' keys, allowing attackers to instantiate arbitrary objects within trusted namespaces. A crafted LLM response can trigger exfiltration of environment variables — including API keys and credentials stored in .env files. Fixed in versions 1.2.5 and 0.3.81.CRITICAL
browser-use/web-ui v1.3 CWE-918 / No CVE · High
Title SSRF in Base URL field leaks LLM API keys via request headers
Detail Reported on GitHub (issue #168). The web-ui interface passes an unvalidated Base URL to the agent. Setting it to an attacker-controlled webhook endpoint causes the agent to make an authorized request to that URL — with the LLM API key from .env transmitted in request headers. Affects all v1.3 deployments. No patch merged as of disclosure.HIGH
Perplexity Comet No CVE — Oct 2025 · High
Title Unseeable screenshot prompt injection exfiltrates session data
Detail Attackers embed instructions in "faint light blue text on yellow background" — invisible to humans but extracted by the browser's OCR pipeline and passed to the LLM. The LLM then executes the injected commands using its browser tools, operating on the user's authenticated session. Responsible disclosure Oct 1–21, 2025.HIGH
Agentic Browsers (general) No CVE — Feb 2025 · High
Title Zero-interaction data leakage from GitHub page hidden instructions
Detail Wiz Research documented a case where hidden instructions on a GitHub page commanded an AI browser agent to "leak private data without user input." The agent complied, transmitting data from the authenticated session to an external endpoint.HIGH
browser-use GitHub Issue #1062 · Medium
Title sensitive_data parameter fails silently — plaintext credentials reach LLM
Detail A confirmed bug: when credentials are provided via the sensitive_data parameter with GPT-4 and GPT-4 Mini, the agent inserts the literal placeholder keys (x_password) rather than the actual values into form fields. This means the substitution mechanism silently fails and — depending on how the agent recovers — may pass actual credential values into the LLM context on retry. Bug label applied; unresolved as of report date.MEDIUM
SECTION 03 / RESEARCH COMMUNITY POSITION

What the academic and security communities have established

"Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully 'solved.'"

— OpenAI, responding to disclosure of AI browser vulnerabilities, TechCrunch Dec 2025

The research community has converged on browser-based AI agents as a distinct and serious threat class. Key academic work:

arXiv:2512.07725 — Privacy Practices of Browser Agents

  • Ukani, Haddadi, Shamsabadi, Snyder: Systematic evaluation of eight popular browser agents found 30 vulnerabilities, including disabled browser privacy features and agents that autocomplete sensitive personal information in form fields. Responsible disclosure conducted with all eight projects.

arXiv:2507.14799 — Manipulating LLM Web Agents via HTML Accessibility Tree

  • Demonstrates that adversarial triggers embedded in the accessibility tree — the very data structure browser agents use to understand pages — can achieve high success rates on real websites for targeted attacks including login credential exfiltration. Uses the Greedy Coordinate Gradient (GCG) algorithm; tested on Llama-3.1-powered agents in BrowserGym.

arXiv:2510.09093 — Exploiting Web Search Tools of AI Agents for Data Exfiltration

  • Documents how indirect prompt injection through web search results allows an attacker to exfiltrate data the agent has in context — including any sensitive data retrieved earlier in the session — by causing the agent to construct a crafted outbound request.

arXiv:2603.07557 — AgentRaft: Automated Detection of Data Over-Exposure in LLM Agents

  • Proposes static + runtime analysis to detect cross-tool data flows where agents pass sensitive data retrieved from one tool (a database, a web page) into another tool's inputs without sanitization. Covers PII, financial data, credentials, and medical records.

arXiv:2604.03070 — Credential Leakage in LLM Agent Skills

  • Empirical study of agent skill repositories finding credential leakage through hardcoded secrets in skill code, information disclosure in error messages, and unprotected configuration files — across OpenAI function calling, Anthropic's skills system, and the MCP framework.

Palo Alto Networks Unit 42

  • Documented indirect prompt injection "observed in the wild" using 22 distinct payload delivery techniques, including zero-sizing (font-size: 0px), off-screen positioning, and XML/SVG CDATA encapsulation — all designed to be invisible to humans but readable by agents scraping DOM content.
Standard

OWASP lists LLM02:2025 Sensitive Information Disclosure as a top-ten risk, specifically calling out agents that include unredacted PII, credentials, and financial data in LLM context. The OWASP AI Agent Security Cheat Sheet recommends automatic detection and redaction of SSN, credit card, and credential patterns before context is assembled — but notes most production deployments do not implement this.

SECTION 04 / HOW browser-use MITIGATES

The sensitive_data mechanism: design intent vs. confirmed gaps

browser-use is the dominant open-source framework for Playwright-based AI agents. It ships a sensitive_data parameter specifically designed to prevent credentials from reaching the LLM. The design is sound in principle:

# Intended flow with sensitive_data:
agent = Agent(
  task="Log in to GitHub",
  sensitive_data={
    "x_user": "myusername",
    "x_pass": "mypassword"
  },
  use_vision=False   # required — vision leaks screenshot
)

# LLM sees only: x_user and x_pass (placeholders)
# Real values are injected post-LLM via Chrome DevTools Protocol

— Terminal: intended browser-use sensitive_data flow

The security model is: LLM plans and generates the action sequence using placeholder tokens, then a local layer resolves placeholders to real values and performs DOM injection — so real credentials never enter any API request. The SECURITY.md additionally recommends allowed_domains to prevent the agent from navigating to attacker-controlled pages and resolving credentials there.

04·B

Confirmed gaps as of June 2026

Critical

GitHub Issue #1062 (open, unresolved): With OpenAI models, sensitive_data fails silently — the agent inserts literal placeholder keys into form fields rather than resolved values. The recovery path may pass actual credentials into the LLM on retry.

Critical

Vision mode enabled by default: Screenshots sent to vision-capable models include anything visible — autofilled usernames, error messages with account numbers, session data displayed on-screen. Must be explicitly disabled.

Warning

No allowed_domains = no guard: SECURITY.md warns that sensitive_data without allowed_domains "does not stop navigation by itself" — an agent can be injected into navigating to a phishing page and resolving credentials there.

Note

Telemetry: browser-use collects tool usage, session duration, and model information by default. URL content and page content are stated as not collected, but this is a policy claim rather than an architectural one.

SECTION 05 / MITIGATIONS

What actually reduces the risk

Ranked by effectiveness, based on current research consensus:

1 — Never pass credentials through the LLM context at all. Use a local credential injection layer (1Password's Secure Agentic Autofill, Vaultwarden + Cerberus KeyRouter, or equivalent) that intercepts placeholder tokens and resolves them via CDP without the LLM ever seeing real values. This is an architectural mitigation — the only one that eliminates the root cause.

2 — Set use_vision=False whenever the task involves any authenticated session or page that displays account-level data. Screenshot-based leakage is invisible to the user and hard to detect after the fact.

3 — Always configure Browser(allowed_domains=[...]) when using sensitive_data. Without it, the credential scope is unbounded and prompt injection can redirect credential delivery.

4 — Prefer storage_state='./auth.json' (cookie-based auth) over password-based login flows. This eliminates the credential-in-context problem entirely for sites that support it.

5 — Implement pre-LLM context sanitization: scan the accessibility tree snapshot for patterns matching [type=password], SSN regex (\d{3}-\d{2}-\d{4}), and card numbers before assembling the LLM payload. OWASP recommends full redaction to [REDACTED] for restricted-tier data.

6 — Run agents against a dedicated browser profile with no stored passwords, autofill data, or authenticated sessions for services outside the task scope.

7 — Treat LLM API call logs as a sensitive data store. If the API call logs are retained by your provider or your own infrastructure, any unredacted sensitive data that reached the LLM is now in those logs.

8 — For high-sensitivity workflows, run local models (Ollama, llama.cpp) rather than cloud API providers. This keeps sensitive data off third-party infrastructure entirely, though it trades capability.

Sources

browser-use Official Docs: Sensitive Data parameter GitHub Issue #1062 — sensitive_data not working (open bug) GitHub Issue #168 — SSRF leading to LLM API key leakage in web-ui v1.3 DEV.to — "Your AI Agent Knows Your Passwords — Here's How I Fixed It" Wiz Blog — Agentic Browser Security: 2025 Year-End Review Brave Security Blog — Unseeable Prompt Injections in Screenshots TechCrunch — OpenAI says AI browsers may always be vulnerable to prompt injection (Dec 2025) 1Password Blog — Closing the Credential Risk Gap for Browser-Use AI Agents arXiv:2512.07725 — Privacy Practices of Browser Agents arXiv:2511.19477 — Building Browser Agents: Architecture, Security, and Practical Solutions arXiv:2507.14799 — Manipulating LLM Web Agents via HTML Accessibility Tree arXiv:2603.07557 — AgentRaft: Automated Detection of Data Over-Exposure in LLM Agents arXiv:2604.03070 — Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study arXiv:2510.09093 — Exploiting Web Search Tools of AI Agents for Data Exfiltration Palo Alto Unit 42 — Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild Security Affairs — CVE-2025-68664: LangChain Core vulnerability OWASP — LLM01:2025 Prompt Injection OWASP — AI Agent Security Cheat Sheet Browserbeam — Securing AI Browser Agents: Best Practices (2026) University of Tennessee OIT — Agentic AI Browsers and Associated Risks