
The accelerating pace of AI integration into everyday applications has created new potential threats, and a recent discovery has revealed a particularly serious one tied to Microsoft’s AI agent framework. Called NLWeb, this system was unveiled during Microsoft’s Build 2025 conference as a new way to help AI agents communicate with websites using a natural-language-driven markup format—essentially, a kind of HTML designed for artificial intelligence. Microsoft has not officially confirmed whether the experimental Copilot Mode in its Edge browser uses NLWeb, but the two technologies appear to be closely related.
Security researcher Aonan Guan recently found a major vulnerability in NLWeb: a path traversal flaw in which a crafted, malformed URL lets an attacker read sensitive files on the host system. In practical terms, an attacker could use an AI agent to bypass security restrictions and download configuration files, login credentials, or cloud API keys. In Guan’s proof-of-concept test, he extracted files containing system passwords and access tokens for cloud-based AI platforms such as Google Gemini and OpenAI, which would effectively let an unauthorized party use those services without paying for them.
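As an added illustration that is not NLWeb’s code or Guan’s proof of concept, the following Python sketch shows the shape of this bug class in a file-serving handler beside a hardened resolver that decodes the request, normalizes it, and then confirms the result still lies under the intended directory. The `STATIC_ROOT` directory and the file names are assumptions.

```python
# Added example, not NLWeb's code: a static-file resolver written the way a
# path traversal bug typically arises, beside a hardened version that confines
# every resolved path to the intended directory. STATIC_ROOT is hypothetical.
import os
from typing import Optional
from urllib.parse import unquote

STATIC_ROOT = "/srv/app/static"  # assumed base directory for served files


def resolve_unsafe(requested: str) -> str:
    """Vulnerable pattern: joins the URL path onto the base directory and
    trusts the result, so '..' segments can climb out of STATIC_ROOT."""
    return os.path.normpath(os.path.join(STATIC_ROOT, requested.lstrip("/")))


def resolve_safe(requested: str) -> Optional[str]:
    """Hardened pattern: returns an absolute path inside STATIC_ROOT, or None
    when the request would escape it."""
    # Undo percent-encoding before any path logic runs; the loop is bounded so
    # a doubly-encoded request cannot hide a separator from the checks below.
    decoded = requested
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # NUL bytes truncate paths in C APIs and backslashes act as separators on
    # Windows; neither belongs in a legitimate static-file request.
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = os.path.realpath(STATIC_ROOT)
    # realpath also resolves symlinks, so a link inside the root that points
    # outside it is caught by the containment check as well.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Containment check at a directory boundary: commonpath avoids the
    # string-prefix false match between "/srv/app/static" and "/srv/app/static2".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The unsafe resolver happily returns a path outside the root for a request built from `..` segments; the hardened one refuses it, including the percent-encoded and doubly-encoded spellings.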
Guan disclosed the vulnerability to Microsoft, and the company issued a quiet fix to the public NLWeb GitHub repository in June, although it has not released an official security advisory acknowledging the issue. Fortunately, the update does not require users to take any additional action, as the fix applies to the codebase directly. Still, the incident highlights a broader concern: as AI agents gain more autonomy and interact directly with systems and data, the risk of unintended consequences grows significantly.
The root issue, as Guan explains, is the way natural language is interpreted as commands by AI systems like those using NLWeb. Because these agents are designed to act on human-like instructions, a cleverly worded prompt could be enough to trigger unintended file access or harmful operations. This potential for “prompt injection” isn’t new, but the scale and ease of exploitation in this case are alarming. We’ve already seen how seemingly private ChatGPT conversations were indexed by search engines due to improperly set metadata. With Microsoft’s Copilot pushing further into the Windows ecosystem, the importance of designing secure, tightly controlled AI interfaces is clearer than ever. As these systems continue to blur the line between user input and system execution, AI developers will need to be more vigilant in closing the security gaps they open.

