AG-UI Stream Hijacking / Event Manipulation
Description
AG-UI uses Server-Sent Events (SSE) or WebSocket streams for real-time communication between agents and frontends. The AG-UI specification does not define message-level authentication or integrity checks on individual SSE events, creating an inferred MitM attack surface. An adversary who can intercept or inject into the event stream (e.g. via a compromised reverse proxy, API gateway, or TLS-terminating CDN layer) could alter text deltas, inject fabricated tool calls, or suppress agent warnings before they reach the user. Because SSE is a text-based protocol, any middleware in the path can modify events transparently. No public exploit has been demonstrated; this scenario models the structural risk.
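Because the gap is structural (nothing in the SSE transport binds an event to the agent that produced it), the practical mitigation is an application-layer integrity check that the frontend applies before it renders a delta or acts on a tool call. The following is an added example, not part of this OATF record or of the AG-UI project: each event is wrapped in a signed envelope (a sequence number, the event body, and an HMAC-SHA256 over both), and the consumer rejects any frame whose signature does not verify, whose unsigned SSE `event:` field disagrees with the signed body, or whose sequence number is not the next expected one (which is how a suppressed event shows up). The envelope layout, the shared key, and all function names are assumptions; the event field names mirror the shapes of AG-UI's published text-message and tool-call events but are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the backend and frontend would share a per-run
# key agreed over an authenticated channel; that channel is an assumption here,
# not something the AG-UI specification defines.
KEY = b"constructed-demo-key"


def canonical(seq, event):
    """Canonical bytes the signature covers: sequence number plus event body."""
    return json.dumps({"seq": seq, "event": event}, sort_keys=True,
                      separators=(",", ":")).encode()


def sign_frame(key, seq, event):
    """Wrap one event in a signed envelope and emit it as a single SSE frame."""
    sig = hmac.new(key, canonical(seq, event), hashlib.sha256).hexdigest()
    envelope = {"seq": seq, "event": event, "sig": sig}
    return f"event: {event['type']}\ndata: {json.dumps(envelope)}\n\n"


def parse_sse(text):
    """Minimal SSE parser: yields (event_name, data) per frame; other fields ignored."""
    frames, name, data_lines = [], None, []
    for line in text.split("\n"):
        if line == "":                       # a blank line terminates the frame
            if data_lines:
                frames.append((name, "\n".join(data_lines)))
            name, data_lines = None, []
        elif line.startswith("event:"):
            name = line[6:].strip()
        elif line.startswith("data:"):
            value = line[5:]                 # SSE strips exactly one leading space
            data_lines.append(value[1:] if value.startswith(" ") else value)
    if data_lines:
        frames.append((name, "\n".join(data_lines)))
    return frames


def verify_stream(key, text):
    """Accept only events whose signature verifies and whose sequence is contiguous.

    Returns (accepted_events, rejected) with rejected as a list of (seq, reason).
    Policy here: flag a gap and resynchronise; a stricter client would abort the run.
    """
    accepted, rejected, expected = [], [], 0
    for name, data in parse_sse(text):
        try:
            env = json.loads(data)
            seq, event, sig = env["seq"], env["event"], env["sig"]
            if not isinstance(event, dict):
                raise ValueError("event body is not an object")
        except (ValueError, KeyError, TypeError):
            rejected.append((None, "malformed envelope"))
            continue
        good = hmac.new(key, canonical(seq, event), hashlib.sha256).hexdigest()
        if not isinstance(sig, str) or not hmac.compare_digest(good.encode(), sig.encode()):
            rejected.append((seq, "bad signature"))
            continue
        if name != event.get("type"):        # the SSE 'event:' field is outside the signature
            rejected.append((seq, "event name mismatch"))
            continue
        if seq != expected:                  # dropped, replayed or reordered frame
            rejected.append((seq, f"sequence gap: expected {expected}, got {seq}"))
            expected = seq + 1
            continue
        accepted.append(event)
        expected += 1
    return accepted, rejected


def build_genuine():
    """Constructed agent output: a warning streamed as two text deltas."""
    events = [
        {"type": "TEXT_MESSAGE_START", "messageId": "m1", "role": "assistant"},
        {"type": "TEXT_MESSAGE_CONTENT", "messageId": "m1", "delta": "Do not run this script; "},
        {"type": "TEXT_MESSAGE_CONTENT", "messageId": "m1", "delta": "it deletes files."},
        {"type": "TEXT_MESSAGE_END", "messageId": "m1"},
    ]
    return events, "".join(sign_frame(KEY, i, e) for i, e in enumerate(events))


def tampered_copy(text):
    """Constructed test fixture reproducing the three cases in the description:
    an altered delta, an injected tool call, and a suppressed warning fragment."""
    frames = parse_sse(text)
    env = json.loads(frames[1][1])
    env["event"]["delta"] = "Run this script; "           # altered text, signature now stale
    frames[1] = (frames[1][0], json.dumps(env))
    forged = {"seq": 2, "sig": "00" * 32,                  # no key, so the signature is a guess
              "event": {"type": "TOOL_CALL_START", "toolCallId": "t1", "toolCallName": "delete_files"}}
    frames.insert(2, ("TOOL_CALL_START", json.dumps(forged)))
    del frames[3]                                          # second half of the warning dropped
    return "".join(f"event: {n}\ndata: {d}\n\n" for n, d in frames)


if __name__ == "__main__":
    events, genuine = build_genuine()
    print(verify_stream(KEY, genuine))
    print(verify_stream(KEY, tampered_copy(genuine)))
```

Run as a script, the genuine stream comes back with all four events accepted and nothing rejected, while the tampered copy yields one accepted event and three rejections: the altered delta and the forged tool call fail the signature check, and the frame after the suppressed one is flagged as a sequence gap. Signing the sequence number is what turns silent suppression into a detectable event; signing the body alone would not catch it.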
References
Microsoft documentation on AG-UI security considerations including output rendering and transport trust boundaries
DataCamp overview of AG-UI SSE event streaming architecture and protocol mechanics
Framework Mappings
Attack Structure
Message Flow
Indicators · match any
YAML
oatf: "0.1"
attack:
  id: OATF-033
  name: "AG-UI Stream Hijacking / Event Manipulation"
  version: 1
  status: draft
  created: 2026-03-18
  author: "Oleg Mukhin"
  description: |
    AG-UI uses Server-Sent Events (SSE) or WebSocket streams for real-time
    communication between agents and frontends. The AG-UI specification does
    not define message-level authentication or integrity checks on individual
    SSE events, creating an inferred MitM attack surface. An adversary who can
    intercept or inject into the event stream (e.g. via a compromised reverse
    proxy, API gateway, or TLS-terminating CDN layer) could alter text deltas,
    inject fabricated tool calls, or suppress agent warnings before they reach
    the user. Because SSE is a text-based protocol, any middleware in the path
    can modify events transparently. No public exploit has been demonstrated;
    this scenario models the structural risk.