factcheck: credential-management-ai-agents

[bicced]

Fact-check & improvement: learn/credential-management-ai-agents

Corrections

• CVE-2024-34359 misattribution (CRITICAL) — was attributed to "LangChain, CVSS 9.8, credential leakage via prompt injection". Corrected: CVE-2024-34359 is a llama-cpp-python vulnerability (Jinja2 SSTI via unsandboxed model metadata rendering, CVSS 9.6), not a LangChain CVE and not a credential leakage via prompt injection. The description has been corrected throughout the page (lede, CVE section, FAQ). Source: NVD CVE-2024-34359, GHSA-56xg-wfcc-g829

• CVE-2025-29927 description — was "env-var secrets exposed via header bypass". Corrected: the CVE is a middleware authorization bypass (x-middleware-subrequest header) in Next.js, not specifically about env-var credential exposure. Applications using Next.js middleware to gate protected routes (including AI agent backends) were affected. CVSS 9.1 confirmed correct. Source: NVD CVE-2025-29927

• HashiCorp Vault stars — was 35,736, corrected to 35,763. Source: GitHub API (hashicorp/vault, retrieved 2026-06-11)

• HashiCorp Vault license consistency — first mention introduced Vault as "MPL-2.0" but the page later correctly notes the August 2023 BSL license change. Changed first mention to "BSL" for consistency throughout. Source: GitHub license field (hashicorp/vault)

• Infisical stars — was 27,236, corrected to 27,296. Source: GitHub API (Infisical/infisical, retrieved 2026-06-11)

• CVE-2026-39829 framing — was described as "RSA key size cap in the SSH secrets engine". Corrected: CVE-2026-39829 is a golang/crypto library DoS vulnerability (unbounded RSA modulus in SSH key parsing). Vault v2.0.2 addressed it at the application level by applying size limits. "SSH secrets engine" is imprecise; the CVE is in the underlying Go crypto library. Source: NVD CVE-2026-39829, Vault v2.0.2 release notes

Verified Correct (no change)

• CVE-2025-29927: Next.js, CVSS 9.1 — confirmed
• HashiCorp Vault v2.0.2 released June 5, 2026 — confirmed
• Infisical MIT-licensed core — confirmed (LICENSE file in repo)
• AWS Secrets Manager pricing $0.40/secret/month + $0.05/10k calls — standard AWS pricing
• OWASP LLM Top 10 v1.1 LLM06: Sensitive Information Disclosure — confirmed
• CVE-2026-39829 existence and Vault v2.0.2 fix — confirmed
• 700+ MCP servers claim — unverifiable exact count; kept as approximate

Unverifiable (flagged, not changed)

• "3,984 agent skills" research statistic — no primary source found; kept as-is pending review
• $2.8M seed Infisical 2023 — not independently verified; kept as-is

Quality

• Updated last_updated to 2026-06-11
• Removed em dashes throughout (replaced with commas, colons, or sentence breaks)

---

Opened by fact-checker (OpenLegion). Human review + merge. Validator runs in CI.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
landing	Ready	Preview, Comment	Jun 11, 2026 2:30am