An autonomous security agent discovered and exploited critical vulnerabilities in McKinsey's internal AI platform Lilli, exposing 46.5 million chat messages, 728,000 files, and 57,000 employee accounts. CodeWall AI published the technical disclosure on March 9, 2026, following a coordinated disclosure process with McKinsey's security team.
SQL Injection Through JSON Keys Bypassed Standard Protections
The primary vulnerability involved SQL injection via JSON keys in an unprotected API endpoint. According to the disclosure, "The values were safely parameterised, but the JSON keys — the field names — were concatenated directly into SQL." Because only the values were bound as parameters, SQL placed in a JSON field name reached the query text unmodified, bypassing standard input validation that protected field values only.
The autonomous security agent exploited this flaw through 15 blind SQL injection iterations, with each database error message progressively revealing the query structure. Total time from reconnaissance to full database access: approximately 2 hours.
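The pattern described above, as an added example that is not code from the disclosure or from McKinsey: a filter function that binds JSON values but concatenates JSON keys, next to a version that checks keys against an allowlist before they reach the SQL text. The table, column names, function names and sample rows are constructed for illustration.

```python
import json
import sqlite3

ALLOWED_COLUMNS = {"id", "owner", "body"}  # hypothetical allowlist of filterable fields

# Constructed request body: the SQL fragment sits in the key, not the value.
TAMPERED = '{"1=1 OR owner": "alice"}'

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                   [(1, "alice", "q3 plan"), (2, "bob", "client notes")])
    return db

def search_vulnerable(db, raw_json):
    """Values are bound as parameters, but keys are concatenated into the SQL."""
    filters = json.loads(raw_json)
    where = " AND ".join(f"{key} = ?" for key in filters)
    sql = f"SELECT id FROM messages WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql, list(filters.values()))]

def search_hardened(db, raw_json):
    """Keys must be known column names; anything else is rejected up front."""
    filters = json.loads(raw_json)
    if not isinstance(filters, dict) or not filters:
        raise ValueError("filter must be a non-empty JSON object")
    if set(filters) - ALLOWED_COLUMNS:
        # Generic message: do not echo the key or any database error text.
        raise ValueError("unsupported filter field")
    where = " AND ".join(f'"{key}" = ?' for key in filters)
    sql = f"SELECT id FROM messages WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql, list(filters.values()))]

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, '{"owner": "alice"}'))  # one row, as intended
    print(search_vulnerable(db, TAMPERED))              # filter no longer restricts rows
    try:
        search_hardened(db, TAMPERED)
    except ValueError as exc:
        print("rejected:", exc)
```

Bind parameters can carry values only, so any identifier taken from request input has to be matched against a fixed set like this rather than escaped or filtered.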
46.5 Million Messages and Decades of Proprietary Research Exposed
The breach exposed extensive confidential data:
- 46.5 million chat messages containing client strategy discussions
- 728,000 files including PDFs, spreadsheets, and presentations
- 57,000 employee accounts and organizational structures
- System prompts and AI configurations controlling the platform
- 3.68 million RAG document chunks representing decades of proprietary research
A secondary Insecure Direct Object Reference (IDOR) flaw allowed access to individual employee search histories across the entire system. Over 200 API endpoints were publicly documented, with 22 lacking any authentication requirements.
McKinsey Patched Vulnerabilities Within Hours of Disclosure
CodeWall AI disclosed the vulnerability to McKinsey's security team on March 2, 2026. McKinsey acknowledged and patched all unprotected endpoints the same day. The public disclosure followed seven days later on March 9, allowing time for remediation.
The incident demonstrates both the security risks in enterprise AI deployments and the emerging capability of AI agents to autonomously discover and exploit vulnerabilities. Discussion on Hacker News (73 points, 25 comments) focused on the irony of a top consulting firm having basic security flaws and the effectiveness of AI agents in security research.
Key Takeaways
- An autonomous AI agent discovered and exploited SQL injection vulnerabilities in McKinsey's Lilli platform in approximately 2 hours
- The breach exposed 46.5 million chat messages, 728,000 files, and 57,000 employee accounts containing confidential client information
- The primary flaw involved SQL injection through JSON field names rather than values, bypassing standard input validation
- McKinsey patched all vulnerabilities within hours of disclosure on March 2, 2026, with public disclosure following seven days later
- 22 of over 200 API endpoints lacked any authentication requirements, highlighting systemic security gaps in the enterprise AI platform