## McKinsey Agents-at-Scale Ark Project Exposed by High-Severity HTTP/2 Vulnerability CVE-2026-33814
A JFrog Xray security scan has flagged a high-severity vulnerability in McKinsey's "agents-at-scale-ark" repository, exposing a flaw in the project's Go networking dependencies. The detected vulnerability, CVE-2026-33814, affects golang.org/x/net version 0.52.0 and centers on HTTP/2 protocol handling, a core transport layer for modern distributed systems.

The vulnerability triggers when processing HTTP/2 SETTINGS frames: if the transport receives a SETTINGS_MAX_FRAME_SIZE parameter set to zero, it enters an infinite loop of writing CONTINUATION frames. This creates a denial-of-service vector that could be exploited by any actor able to send crafted HTTP/2 requests to the affected service. The scan identified the issue in build 7236, tied to commit 732292c7708ed5a54d34b463ffc911c29151abb4 on the 2105/merge branch, with Xray violation ID XRAY-979063 flagging the component for immediate review.
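
The failure mode described above is a peer-supplied SETTINGS value that falls outside the range the protocol allows. RFC 7540 section 6.5.2 requires SETTINGS_MAX_FRAME_SIZE to lie between 2^14 and 2^24-1, and a value outside that range must be treated as a connection error of type PROTOCOL_ERROR rather than applied. The following Go code is an added illustration of that validation step, written for this article; it is not code from agents-at-scale-ark or from golang.org/x/net, and it makes no claim about how the upstream fix is implemented. It decodes a raw HTTP/2 SETTINGS frame, rejects malformed framing, and refuses out-of-range parameters before they could reach the frame writer. The frames it parses are constructed inline in `main` for demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame type, flag, setting identifiers and limits from RFC 7540.
const (
	frameTypeSettings = 0x4
	flagSettingsACK   = 0x1

	settingEnablePush        = 0x2
	settingInitialWindowSize = 0x4
	settingMaxFrameSize      = 0x5

	minMaxFrameSize = 1 << 14     // 16384: smallest permitted max frame size
	maxMaxFrameSize = 1<<24 - 1   // 16777215: largest permitted max frame size
	maxWindowSize   = 1<<31 - 1   // flow-control window upper bound
)

// Setting is one identifier/value pair from a SETTINGS payload.
type Setting struct {
	ID    uint16
	Value uint32
}

var (
	ErrNotSettings = errors.New("frame is not a SETTINGS frame")
	ErrFrameSize   = errors.New("FRAME_SIZE_ERROR: malformed SETTINGS frame")
	ErrProtocol    = errors.New("PROTOCOL_ERROR: invalid SETTINGS value")
	ErrFlowControl = errors.New("FLOW_CONTROL_ERROR: window size too large")
)

// ParseSettingsFrame decodes a raw frame (9-byte header plus payload) and
// validates every parameter against RFC 7540 section 6.5.2. An out-of-range
// value causes the whole frame to be rejected, so nothing is applied.
func ParseSettingsFrame(raw []byte) ([]Setting, error) {
	if len(raw) < 9 {
		return nil, ErrFrameSize
	}
	length := int(raw[0])<<16 | int(raw[1])<<8 | int(raw[2])
	frameType, flags := raw[3], raw[4]
	streamID := binary.BigEndian.Uint32(raw[5:9]) & 0x7fffffff // drop reserved bit
	payload := raw[9:]

	if frameType != frameTypeSettings {
		return nil, ErrNotSettings
	}
	if streamID != 0 { // SETTINGS is connection-level only
		return nil, fmt.Errorf("%w: SETTINGS on stream %d", ErrProtocol, streamID)
	}
	if len(payload) != length || length%6 != 0 || (flags&flagSettingsACK != 0 && length != 0) {
		return nil, ErrFrameSize
	}

	var out []Setting
	for off := 0; off < len(payload); off += 6 {
		s := Setting{
			ID:    binary.BigEndian.Uint16(payload[off : off+2]),
			Value: binary.BigEndian.Uint32(payload[off+2 : off+6]),
		}
		if err := validateSetting(s); err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return out, nil
}

// validateSetting applies the per-identifier range rules; unknown identifiers
// are accepted and left for the caller to ignore, as the RFC requires.
func validateSetting(s Setting) error {
	switch s.ID {
	case settingEnablePush:
		if s.Value > 1 {
			return fmt.Errorf("%w: ENABLE_PUSH=%d", ErrProtocol, s.Value)
		}
	case settingInitialWindowSize:
		if s.Value > maxWindowSize {
			return fmt.Errorf("%w: INITIAL_WINDOW_SIZE=%d", ErrFlowControl, s.Value)
		}
	case settingMaxFrameSize:
		if s.Value < minMaxFrameSize || s.Value > maxMaxFrameSize {
			return fmt.Errorf("%w: MAX_FRAME_SIZE=%d outside [%d, %d]",
				ErrProtocol, s.Value, minMaxFrameSize, maxMaxFrameSize)
		}
	}
	return nil
}

// EncodeSettingsFrame builds a SETTINGS frame on stream 0 with no flags.
// Used here only to construct sample input for the parser.
func EncodeSettingsFrame(settings []Setting) []byte {
	payload := make([]byte, 6*len(settings))
	for i, s := range settings {
		binary.BigEndian.PutUint16(payload[6*i:], s.ID)
		binary.BigEndian.PutUint32(payload[6*i+2:], s.Value)
	}
	n := len(payload)
	hdr := []byte{byte(n >> 16), byte(n >> 8), byte(n), frameTypeSettings, 0, 0, 0, 0, 0}
	return append(hdr, payload...)
}

func main() {
	_, err := ParseSettingsFrame(EncodeSettingsFrame([]Setting{{settingMaxFrameSize, 1 << 14}}))
	fmt.Println("MAX_FRAME_SIZE=16384:", err) // nil: accepted
	_, err = ParseSettingsFrame(EncodeSettingsFrame([]Setting{{settingMaxFrameSize, 0}}))
	fmt.Println("MAX_FRAME_SIZE=0:", err) // PROTOCOL_ERROR: rejected before use
}
```

The check that matters for this CVE is the `settingMaxFrameSize` case: a zero value is refused at parse time, so the connection is torn down with PROTOCOL_ERROR instead of the value ever reaching the code that sizes outgoing frames. Reviewers triaging the finding can use the same framing when reading the dependency: confirm that peer SETTINGS are range-checked before being applied, and update golang.org/x/net regardless, since the range check belongs in the library, not in application code.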

The exposure raises questions about dependency hygiene in McKinsey's AI infrastructure tooling. The agents-at-scale-ark project, positioned as enterprise-grade agent orchestration, now carries a known DoS-enabling flaw in its networking stack. While the vulnerability requires specific conditions to trigger, HTTP/2 is ubiquitous in cloud-native deployments, and the attack surface extends to any service endpoint accepting external connections. The project maintainers will need to assess whether the affected component is reachable in production configurations and apply patches or whitelist the finding with documented risk acceptance.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-33814, HTTP/2, golang, security vulnerability, denial-of-service
- **Credibility**: unverified
- **Published**: 2026-05-09 04:02:04
- **ID**: 80973
- **URL**: https://whisperx.ai/en/intel/80973