Via Reddit

Developer proposes AVE to replace CVE for AI agents

cybersecurity agents ai-security

Key insights

  • Over 40 MCP CVEs were filed in 2026 against major AI implementations including Anthropic's reference servers and LiteLLM.
  • The proposed AIVSS scoring system would rate AI vulnerabilities on axes like autonomy level and human oversight bypass potential.
  • CVE cannot encode whether a flaw is exploitable only under agentic orchestration or tool-call chaining, a critical triage gap.

Why this matters

Agent protocols and frameworks such as MCP are accumulating CVEs faster than the security community has tooling or taxonomy to process them, so triage, patching, and disclosure workflows built on CVSS scores are producing misleading severity signals for agentic systems. Founders and platform teams building on LiteLLM, Windsurf, or any MCP-compatible orchestration layer currently have no standardized way to communicate vulnerability impact to customers or regulators. If a purpose-built taxonomy like AVE gains traction before an official standards body acts, it could bifurcate the vulnerability database ecosystem and force vendors into dual-compliance obligations across CVE and AVE registries at the same time.

Summary

The CVE framework was built for software vulnerabilities with fixed codebases and static attack surfaces. AI agents break the assumptions it relies on, and the 40+ MCP CVEs filed in 2026 against Anthropic's reference servers, LiteLLM, Bisheng, and Windsurf are exposing the gap in real time. A developer citing three specific MCP CVEs (CVE-2025-49596, CVE-2025-68143, CVE-2026-30615) argues that a CVE ID alone cannot capture attack class, agentic-context severity, or detection guidance for systems where the vulnerability is not a static bug but an emergent behavior shaped by model, tool chain, and prompt context. The post proposes AVE (AI Vulnerability Enumeration) as a purpose-built taxonomy, paired with AIVSS as an AI-specific severity scoring system analogous to CVSS.

Essentially, major implementations (Anthropic, LiteLLM, Windsurf) are absorbing MCP CVEs under a classification system that was not designed for agentic attack surfaces:

  • CVE cannot express whether a vulnerability is exploitable only under agentic orchestration, through tool-call chaining, or via prompt injection, distinctions that matter for triage and patching priority.
  • AIVSS would score vulnerabilities on axes like autonomy level, tool access scope, and human oversight bypass potential, none of which CVSS captures.
  • Community pushback centers on fragmentation risk: a forked taxonomy means split tooling, split databases, and split vendor compliance obligations.

If MCP-style protocols become the connective tissue of enterprise AI stacks, the absence of a shared vulnerability language will make coordinated disclosure and patch response significantly harder across the ecosystem.

Potential risks and opportunities

Risks

  • Anthropic and LiteLLM face enterprise customer audits where CVSS-scored MCP CVEs systematically understate agentic severity, creating liability exposure if a breach follows a low-scored but high-autonomy-context flaw.
  • Windsurf and Bisheng users operating in regulated industries (finance, healthcare) may face compliance findings if regulators begin treating MCP CVEs as material disclosures without a standardized severity framework to reference.
  • If AVE forks from CVE without institutional backing, vulnerability scanner vendors (Tenable, Qualys, Rapid7) may delay support, leaving agentic AI deployments with no automated coverage for the new taxonomy for 12-24 months.

Opportunities

  • AI security vendors with agent-specific tooling (Protect AI, Pillar Security, Invariant Labs) can position AIVSS-aligned scoring as a differentiator in enterprise sales cycles where MCP CVE volume is already a procurement concern.
  • MITRE or NIST sponsorship of an official AI vulnerability taxonomy would give whichever organization moves first significant influence over how the entire agentic AI security market is structured.
  • Managed security service providers (MSSPs) with AI practice areas can offer AVE/AIVSS-mapped advisory services as a bridge product while the standards landscape settles, capturing budget that currently has no clear owner.

What we don't know yet

  • Whether MITRE or NIST has any active working group evaluating CVE/CVSS adequacy for agentic AI systems as of mid-2026.
  • Which of the 40+ MCP CVEs filed in 2026 have been patched, and whether affected implementations (Bisheng, Windsurf) have published disclosure timelines.
  • Whether the AVE/AIVSS proposal has been submitted to any standards body or remains an informal community draft with no governance structure.