On March 9, 2026, autonomous offensive security startup CodeWall publicly disclosed that its AI-powered red-team agent achieved full read-write database access to McKinsey's internal generative AI platform Lilli within approximately two hours. The vulnerability was first discovered on February 28, responsibly disclosed to McKinsey on March 1, and patched by March 2, 2026.
Attack Chain
CodeWall's agent identified publicly exposed API documentation for the Lilli platform, which revealed 22 endpoints lacking authentication. The critical vulnerability was an SQL injection in how JSON field names (not values) were handled — the field names were concatenated directly into SQL queries without parameterisation.
This atypical injection vector escaped standard security tooling. CodeWall noted that tools like OWASP ZAP would not flag it because the injection point was in JSON keys rather than input values. The resulting SQL injection was read-write capable, meaning a single HTTP call could both extract and modify production database records.
Scope of Accessible Data
According to CodeWall's disclosure, the following data was accessible through the vulnerability:
| Data Type | Volume |
|---|---|
| Chat messages (plaintext) | 46.5 million |
| Files with confidential client data | 728,000 |
| User accounts | 57,000 |
| System prompts controlling AI behaviour | 95 (all writable) |
All 95 system prompts governing Lilli's responses were writable, meaning an attacker could have poisoned the AI's behaviour — altering how it answers queries, what guardrails it follows, and how it cites sources — without code deployment or schema changes.
McKinsey's Response
McKinsey issued a public statement confirming the vulnerability and stating that their investigation, supported by a third-party forensics firm, "identified no evidence that client data or client confidential information were accessed by this researcher or any other unauthorized third party." The company patched all endpoints, took the development environment offline, and blocked public API documentation.
Context
Lilli, named after Lillian Dombrowski (the first professional woman hired by McKinsey in 1945), launched in July 2023 and processes over 500,000 prompts monthly with 70%+ adoption across the firm's 43,000+ employees. The incident underscores the API security risks introduced when enterprises rapidly deploy AI platforms — particularly the risk of exposed endpoints and non-standard injection vectors in AI-adjacent infrastructure.
Note: Independent analysis by security commentator Edward Kiledjian observed that CodeWall's claims conflate "having database access" with confirmed data exfiltration, and that McKinsey's rapid patching does not equal a completed forensic review.