This was quickly fixed and revealed as ‘CVE-2026-34219’ with credit to the team. The broader concern, however, was to separate the actual errors of the agents from those they confidently posed as such.
“The surprise was how little work was done to find them and how much was spent distinguishing real errors from those that simply looked real,” wrote Nikos Baxevanis, author of the publication.
The difficulty began with what an agent produces. A fuzzer, the standard tool that throws malformed data into software until something breaks, returned a bug and a record of where it occurred, which an engineer can confirm in minutes.
An agent, however, returns a created narrative. It traces how the flaw was reached, argues why it is important, proposes a severity rating, and provides working code that demonstrates the attack. It all comes in fluid prose, reading the same thing whether the mistake is real or made up.
According to the Foundation, three types of false positives are repeated.
The first was a bug that only occurs in a trial version, where the compiler enables security checks that the shipped software does not include, so nothing breaks for real users.
The second was an attack that only works if the dangerous value is manually placed within the program, because every path an outsider could take to deliver it rejects the value first. The third came from formal verification, the practice of mathematically proving that code behaves correctly, where a test passed proving something trivially true and told reviewers nothing about the software.




