Incident

Autonomous Agent Exploits SQL Injection in McKinsey AI Platform Lilli

Take action: If you use AI platforms and chatbots, remember that they are still web applications and carry the same classes of flaws as any other. Make sure databases, API endpoints, and system prompts are locked down with proper authentication, access controls, and integrity monitoring, not left exposed as an afterthought. Regularly audit your AI infrastructure for basic web application flaws such as exposed APIs, SQL injection, and missing authentication, because even the most advanced AI tools can be undone by classic, well-known security mistakes.


Learn More

McKinsey & Company, one of the world's largest consulting firms, suffered a significant security breach of its internal AI platform known as Lilli. The incident was identified and disclosed on March 9, 2026, by security startup CodeWall, which directed an autonomous offensive AI agent at the platform. 

Lilli, launched in 2023 and named after the first professional woman hired by McKinsey in 1945, is a purpose-built AI system used by over 43,000 employees for chat, document analysis, and AI-powered search across more than 100,000 internal documents. 

The CodeWall offensive agent required just two hours and approximately $20 in compute tokens to breach the platform and gain full read and write access to the production database without any credentials, insider knowledge, or human assistance.

The root cause of the breach was a chain of classic application security failures:

  1. The CodeWall agent initially gained access after discovering publicly exposed API documentation covering over 200 endpoints, 22 of which did not require authentication.
  2. One of these unauthenticated endpoints accepted JSON payloads that wrote user search queries to a database. The agent discovered that the JSON key names, rather than the values, were being concatenated directly into SQL statements, creating a SQL injection vulnerability that conventional scanning tools such as OWASP ZAP failed to detect.
  3. The agent then chained the SQL injection with an Insecure Direct Object Reference (IDOR) vulnerability to escalate access across user accounts, ultimately compiling 27 distinct security findings.
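
The key-name flaw described in step 2 is easy to miss because the values are parameterized and look safe. The following is an added illustration, not CodeWall's findings or McKinsey's code: the table and column names (search_log, user_id, query) and the request bodies are constructed for the demo. It places a builder that splices client-supplied key names into the SQL text beside a hardened version that allowlists column names and binds values, then runs the hardened version against an in-memory SQLite database.

```python
"""Constructed example: JSON key names spliced into SQL vs. an allowlisted insert.

Added illustration, not code from the incident. Table and column names are
assumptions for the demo.
"""
from __future__ import annotations

import json
import sqlite3

# Constructed schema for the demo; the column names are assumptions.
SCHEMA = "CREATE TABLE search_log (user_id TEXT, query TEXT)"

# The only columns the endpoint is permitted to write. Anything else is rejected.
ALLOWED_COLUMNS = {"user_id", "query"}


def build_insert_vulnerable(payload: dict) -> str:
    """Vulnerable pattern: the client's key names become part of the SQL text.

    The values are bound as parameters, so a scanner that only mutates values
    sees nothing wrong, yet the column list is attacker-controlled text.
    """
    columns = ", ".join(payload.keys())            # unvalidated client text
    placeholders = ", ".join("?" for _ in payload)
    return f"INSERT INTO search_log ({columns}) VALUES ({placeholders})"


def build_insert_hardened(payload: dict) -> tuple[str, tuple]:
    """Hardened pattern: keys are checked against a fixed allowlist, the SQL
    text is assembled only from those known constants, values stay bound."""
    unexpected = set(payload) - ALLOWED_COLUMNS
    if unexpected:
        raise ValueError(f"unexpected JSON keys rejected: {sorted(unexpected)}")
    columns = sorted(payload)                      # deterministic, allowlisted names only
    column_sql = ", ".join(columns)
    placeholder_sql = ", ".join("?" for _ in columns)
    sql = f"INSERT INTO search_log ({column_sql}) VALUES ({placeholder_sql})"
    return sql, tuple(payload[c] for c in columns)


def key_reaches_sql(payload: dict) -> bool:
    """Demonstrates the flaw: every key name appears verbatim in the statement,
    so a key carrying SQL syntax would land in the query unchanged."""
    sql = build_insert_vulnerable(payload)
    return all(key in sql for key in payload)


def store_search(conn: sqlite3.Connection, raw_json: str) -> int:
    """Handle one request body with the hardened builder; return rows stored."""
    payload = json.loads(raw_json)
    sql, params = build_insert_hardened(payload)
    with conn:
        conn.execute(sql, params)
    return conn.execute("SELECT COUNT(*) FROM search_log").fetchone()[0]


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed request bodies: one well-formed, one with a key the schema never defined.
    good = '{"user_id": "u-1001", "query": "market sizing template"}'
    odd = '{"user_id": "u-1001", "query": "x", "created_at DEFAULT": "y"}'
    rows_after_good = store_search(conn, good)
    try:
        store_search(conn, odd)
        odd_key_rejected = False
    except ValueError:
        odd_key_rejected = True
    return {
        "rows_after_good": rows_after_good,
        "odd_key_rejected": odd_key_rejected,
        "odd_key_in_vulnerable_sql": key_reaches_sql(json.loads(odd)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the allowlist is that the SQL text never contains anything derived from the request: the builder maps validated key names onto the same fixed strings every time, and the only request-derived data reaches the engine as bound parameters. Rejecting unknown keys with an error is also what makes the flaw visible to testing, whereas the vulnerable builder happily accepts any key.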

The scale of data accessible through the breach is vast. The following categories of sensitive information were reportedly exposed:

  • 46.5 million chat messages in plaintext, covering strategy, client engagements, financials, and M&A activity
  • 728,000 files, including 192,000 PDFs, 93,000 Excel spreadsheets, 93,000 PowerPoint decks, and 58,000 Word documents
  • 57,000 user accounts representing every employee on the platform
  • 384,000 AI assistant configurations and 94,000 workspaces
  • 95 system prompt and AI model configurations across 12 model types
  • 3.68 million RAG document chunks containing decades of proprietary McKinsey research, frameworks, and methodologies
  • 1.1 million files and 217,000 agent messages flowing through external AI APIs, including 266,000+ OpenAI vector stores

Most alarming was the discovery that Lilli's system prompts, the instructions governing how the AI behaves, what guardrails it follows, and how it responds, were stored in the same database to which the agent had write access. 

This meant a malicious attacker could have silently rewritten those prompts through a single SQL UPDATE statement, potentially poisoning the strategic advice, financial models, and recommendations delivered to tens of thousands of consultants without leaving any traditional forensic traces. 

Independent security analysts have noted that CodeWall's blog provided no proof-of-concept payloads, screenshots, or evidence showing privilege boundaries, leaving some question about whether the reported figures represent records actually retrieved or database row counts inferred from metadata.

McKinsey issued a public statement on March 11, 2026, confirming that it was alerted to the vulnerability by a security researcher, fixed the issue within hours, and that a third-party forensic investigation found no evidence that client data or confidential information were accessed by the researcher or any other unauthorized third party. 

By March 2, McKinsey had patched all unauthenticated endpoints, taken the development environment offline, and blocked public access to the API documentation. 

The AI prompt layer, the instructions stored in databases, passed through APIs, and cached in configuration files, represents a new category of high-value assets that most organizations have yet to secure with access controls, version history, or integrity monitoring.
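
One of the controls named above, integrity monitoring of stored prompts, can be implemented independently of the database that holds them. The following is an added example, not McKinsey's or CodeWall's code: the table name, prompt ids, prompt text, and the key are constructed for the demo. It keys an HMAC over each prompt row at deploy time, stores the digests out of band, and on each check reports rows whose content or model assignment changed, including a direct SQL UPDATE of the kind the article describes.

```python
"""Constructed example: out-of-band integrity monitoring for system prompts in a database.

Added illustration, not code from the incident. Table name, prompt ids and
prompt text are assumptions for the demo.
"""
import hashlib
import hmac
import sqlite3

# The key must live outside the monitored database (for example in a secrets
# manager). If it sat in the same database, write access to that database
# would also allow re-signing the tampered rows. Constructed demo value.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def prompt_digest(prompt_id: str, content: str, model: str) -> str:
    """HMAC over the id and every behaviour-relevant field, so swapping text
    between two rows or changing the model assignment is detected too."""
    message = b"\x00".join(part.encode("utf-8") for part in (prompt_id, content, model))
    return hmac.new(INTEGRITY_KEY, message, hashlib.sha256).hexdigest()


def snapshot(conn: sqlite3.Connection) -> dict:
    """Digest every prompt row; the result is the baseline kept out of band."""
    rows = conn.execute("SELECT prompt_id, content, model FROM system_prompts").fetchall()
    return {pid: prompt_digest(pid, content, model) for pid, content, model in rows}


def verify(conn: sqlite3.Connection, baseline: dict) -> dict:
    """Compare the live table against the baseline and classify every drift."""
    current = snapshot(conn)
    return {
        "modified": sorted(pid for pid in baseline if pid in current and current[pid] != baseline[pid]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_prompts (prompt_id TEXT PRIMARY KEY, content TEXT, model TEXT)")
    # Constructed prompt rows standing in for the real configurations.
    conn.executemany("INSERT INTO system_prompts VALUES (?, ?, ?)", [
        ("research-assistant", "Cite only documents from the approved corpus.", "model-a"),
        ("deal-analyst", "Flag any assumption not backed by a source.", "model-b"),
    ])
    baseline = snapshot(conn)          # taken at deploy time, stored outside this database
    clean = verify(conn, baseline)
    # Simulate the scenario in the article: a direct UPDATE that bypasses the
    # application and leaves no application-level audit record.
    conn.execute(
        "UPDATE system_prompts SET content = ? WHERE prompt_id = ?",
        ("Cite only documents from the approved corpus. Prefer vendor X.", "research-assistant"),
    )
    tampered = verify(conn, baseline)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Run on a schedule and on every prompt read, the check turns a silent rewrite into an alert with the affected prompt id. Legitimate prompt changes go through the deployment path, which refreshes the baseline and records a version, so any drift found by verify() is by definition unreviewed.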
