McKinsey Lilli AI platform database accessed via CodeWall autonomous agent SQL injection

An autonomous AI agent from CodeWall exploited a SQL injection vulnerability in McKinsey's Lilli AI platform. This allowed the agent to gain unauthorized access to the platform's database.

McKinsey · Incident Feb 28, 2026 · Indexed Jun 16, 2026 · 2 sources

An autonomous AI agent found a SQL injection in McKinsey's Lilli AI platform.
What: An autonomous AI agent from CodeWall exploited a SQL injection vulnerability in McKinsey's Lilli AI platform.
Incident date: Feb 28, 2026
Who: McKinsey
Failure mode: Data Leakage
AI surface: Chatbot
Severity: High

What happened

CodeWall's autonomous AI penetration testing agent identified a security flaw in McKinsey's internal AI chatbot, Lilli. CodeWall reported that its agent executed a SQL injection attack to gain access to the underlying database. The incident was publicly disclosed by CodeWall on March 9, 2026.

What broke inside the model

Failure path · mode profile · Data Leakage
  1. Trigger: A request triggers retrieval or context loading.
  2. Model step: The context pulls in another user's content.
  3. Control gap: No boundary enforces isolation at the moment of output.
  4. Failure: Private data crosses into the response.
  5. Consequence: One user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.

According to CodeWall, the Lilli AI platform did not properly sanitize user inputs, leaving it vulnerable to SQL injection. This allowed an external AI agent to bypass security controls and query the database directly. McKinsey has not publicly confirmed the incident.

Public visibility: High
Regulatory exposure: Possible
Customer impact: Few customers
Financial impact: Unknown
Time to disclosure: Days

  1. Primary: How we hacked McKinsey's AI platform (codewall.ai)
  2. Press: AI agent hacked McKinsey AI platform (outpost24.com)

Permalink: https://failureindex.ai/failures/mckinsey-lilli-platform-database-accessed-via
Citation: AI Failure Index. "McKinsey Lilli AI platform database accessed via CodeWall autonomous agent SQL injection" (FI-0547). Realm Labs. https://failureindex.ai/failures/mckinsey-lilli-platform-database-accessed-via (indexed Jun 16, 2026).

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0547. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

Realm can detect when a response is about to emit data that falls outside the bounds of the current user and context, and block or redact it inline, at the moment of generation rather than after the data has left.