For a 5-15 person services agency running Cursor, Windsurf, Claude Code, or any internal agent platform built on the Model Context Protocol on paid-client-work machines, the May 2026 CVE class (Microsoft Security Response Center's CVE-2026-25592 and CVE-2026-26030 against Semantic Kernel on 7 May 2026, OX Security's MCP STDIO supply-chain advisory, and the Windsurf 1.9544.26 prompt-injection-to-MCP-registration path) cannot be cleared by vendor auto-update alone. A 5-step playbook (inventory every machine; pin the patched version and disable auto-update; write a one-page MCP allowlist; disclose AI-IDE use to active clients in writing; schedule a 30-day review) is the agency-level minimum that holds against the question an enterprise client will ask in procurement and against the residual liability the agency carries if a remediation conversation becomes necessary.
Operators register pillar piece on agency-level response to AI-IDE CVE class. 30-day cadence is aggressive because IDE patches ship weekly and a new framework-layer disclosure inside the review window is plausible.
Triggers:
- A published vendor benchmark showing tool-configuration enforcement at default in the named IDEs would move toward Partial.
- A second prompt-injection-to-MCP-registration CVE in the same class within the review window would harden the structural argument and keep Holding.
- A major 2026 agency-side incident with public post-mortem traceable to one of the named CVEs would either confirm or refute the operational implication.
- The Anthropic MCP working group shipping a protocol-level revision that distinguishes user-authored from model-authored configuration would move toward Partial.
Sibling: AM-157 (enterprise treatment of the same CVE class).
OPS-067 · Holding
About this register
The Operators register tracks claims published from practitioner-advisory pieces addressed to solo founders, micro-SMB, and small businesses up to around fifty people. Claims are reviewed on a 30–45 day cadence — tooling and SMB-relevant pricing shift faster than enterprise procurement signals.
Recent corrections in Operators
- OPS-036 · Partial · 29 Apr 2026
Initial publication 29 Apr 2026. Status set to Partial at publication because clause 6 commentary references an order-of-magnitude remediation-cost gap derived from the IAPP 2024 AI Governance Profession Report; the report characterises the gap as material but does not publish a precise multiple, so the wording is annotated source: our-estimate. REVIEW: Peter to source a precise figure or amend the commentary.
- OPS-035 · Holding · 29 Apr 2026
Initial publication 29 Apr 2026. Status set to Partial at publication because category 5 lacks the same regulatory/cited-consequence anchor as categories 1-4. REVIEW: Peter to confirm category 5 evidence base and either upgrade to Holding (with strengthened citation) or amend the claim to four categories.
- OPS-034 · Holding · 29 Apr 2026
Initial publication 29 Apr 2026 with status=partial. Cost-side claims (vendor pricing) verifiable against the four cited pricing pages on the publication date. Time-recovery claim (90+ min compressed to ~20 min) drawn from published productivity-blogger benchmarks rather than Peter-run measurement; first-cohort replication on the publication's tracked operator cohort due by 13 Jun 2026. REVIEW: Peter.
Reviews coming up in Operators
- OPS-005 · Holding · next +8d (26 May 2026)
At sub-1M tokens per month (typical SMB agent volume) in 2026, the absolute dollar gap between Claude Haiku 4.5, GPT-4o…
- OPS-003 · Holding · next +8d (26 May 2026)
For a solo founder choosing exactly one consumer AI subscription at around $20/month in 2026, the choice between Claude…
- OPS-002 · Holding · next +8d (26 May 2026)
For a 5-person consultancy already on either Notion or ClickUp in 2026, the AI features alone do not justify a workspac…