THE DEEP TAKE
The AI found the bug. Three vendors haven't shipped the fix.
A researcher at Calif.io pointed OpenAI's Codex at the source code of five major web server implementations. Codex recognized how two decade-old techniques, each well-understood individually, could be composed into something none of the vendors had seen. The result is CVE-2026-49975, now called the HTTP/2 Bomb.
The attack combines HTTP/2's HPACK header compression with its flow-control window. A client sends HPACK-compressed headers that decompress into megabytes of data on the server side, then uses HTTP/2's flow-control hold to prevent the server from freeing that memory. The effect: a single connection from a home broadband line can commit 32 gigabytes of enterprise server RAM in roughly 20 seconds. Envoy amplifies the attack 5,700-to-one. Apache reaches 4,000-to-one. NGINX runs at 70-to-one.
NGINX shipped a patch in version 1.29.8 at disclosure. Apache patched the flaw in mod_http2 v2.0.41. Microsoft IIS, Envoy, and Cloudflare Pingora have no patch. Their maintainers have been notified.
That matters because Envoy is the proxy inside most enterprise Kubernetes service meshes and the backbone of major API gateway deployments. Cloudflare Pingora is the foundation of one of the most widely deployed enterprise CDN and WAF layers. Your edge defenses rate-limit connections and inspect packets. They do not reclaim server memory already committed to open HTTP/2 streams. By the time a connection-layer defense fires, the allocation is done.
The discovery method is the second-order story. Both halves of the HTTP/2 Bomb attack have been documented in security research for over a decade. What changed is that a researcher using Codex could read across five different server implementations simultaneously and recognize the composition. This is the second major infrastructure flaw discovered with AI coding assistance in three weeks; depthfirst's autonomous vulnerability analysis system found an 18-year-old heap overflow in NGINX's rewrite module in approximately six hours in May. The pace of AI-assisted discovery is compressing the disclosure cadence faster than vendor patch cycles can respond.
What to do this week: Confirm NGINX is on 1.29.8 or later and Apache mod_http2 is on v2.0.41 or later. For Kubernetes clusters using Envoy as an ingress controller, cap concurrent HTTP/2 streams at the load balancer layer and enforce aggressive idle-timeout cutoffs on open streams. If your web perimeter includes internet-facing IIS deployments with HTTP/2 enabled, flag them for immediate patching when Microsoft ships a fix. Imperva has published protection coverage for HTTP/2 Bomb for its customers; check your WAF vendor's advisory tracker for equivalent coverage while unpatched vendors deliver their fixes.
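As a check for the Envoy compensating controls above, an added example (not Envoy's or the advisory's code): a Python audit over an Envoy bootstrap in JSON form that flags each HttpConnectionManager lacking a concurrent-stream cap, a stream idle timeout, or a request-header size limit. The field names are Envoy's v3 HttpConnectionManager options; the threshold value and the sample bootstrap are assumptions constructed here.

```python
import json

# Thresholds and field checks are this example's assumptions; the advisory
# names the controls (stream cap, idle timeout) but gives no numbers.
MAX_STREAMS_CEILING = 128
HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")


def audit_envoy_bootstrap(bootstrap: dict) -> list:
    """Return a finding for each HttpConnectionManager that lacks a
    concurrent-stream cap, a stream idle timeout, or a header size limit."""
    findings = []
    for lst in bootstrap.get("static_resources", {}).get("listeners", []):
        name = lst.get("name", "<unnamed>")
        for chain in lst.get("filter_chains", []):
            for flt in chain.get("filters", []):
                cfg = flt.get("typed_config", {})
                if cfg.get("@type") != HCM_TYPE:
                    continue
                cap = cfg.get("http2_protocol_options", {}).get("max_concurrent_streams")
                if cap is None or cap > MAX_STREAMS_CEILING:
                    findings.append(f"{name}: http2 max_concurrent_streams is {cap!r}")
                if "stream_idle_timeout" not in cfg:
                    findings.append(f"{name}: stream_idle_timeout not set")
                if "max_request_headers_kb" not in cfg:
                    findings.append(f"{name}: max_request_headers_kb not set")
    return findings


# Constructed sample bootstrap: one listener on Envoy defaults, one hardened.
SAMPLE_BOOTSTRAP = json.loads("""
{"static_resources": {"listeners": [
  {"name": "ingress_default", "filter_chains": [{"filters": [
    {"name": "envoy.filters.network.http_connection_manager",
     "typed_config": {"@type": "%s", "stat_prefix": "ingress"}}]}]},
  {"name": "ingress_hardened", "filter_chains": [{"filters": [
    {"name": "envoy.filters.network.http_connection_manager",
     "typed_config": {"@type": "%s", "stat_prefix": "ingress",
       "http2_protocol_options": {"max_concurrent_streams": 64},
       "stream_idle_timeout": "30s",
       "max_request_headers_kb": 32}}]}]}
]}}
""" % (HCM_TYPE, HCM_TYPE))

if __name__ == "__main__":
    for finding in audit_envoy_bootstrap(SAMPLE_BOOTSTRAP):
        print(finding)
```

Run it against a bootstrap dumped from your own ingress to see which listeners still rely on Envoy defaults.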
Powered by the DoGood network
The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.
QUICK HITS
The White House AI EO puts enterprises in self-governance mode
On June 2, President Trump signed an executive order creating a voluntary AI cybersecurity clearinghouse led by Treasury to coordinate industry reporting on AI-identified software vulnerabilities, validate them, and prioritize patch distribution. Treasury, NSA, and CISA have 60 days to build a classified benchmarking process to define what counts as a "covered frontier model" for federal security oversight. That definition will affect how enterprises should evaluate AI model procurement risk in H2 2026. What the EO does not do: mandate anything or preempt state AI laws. In May, Colorado walked back its own comprehensive AI mandate (SB 24-205) to a lighter notice-and-transparency framework (SB 26-189) not effective until January 2027. The combined read: federal AI policy is explicitly voluntary, and the most ambitious state-level mandate has been deferred and scaled back. Enterprises that structured AI governance timelines around external mandate pressure should recalibrate. The pace is now internally set.
FortiClient's own update channel is delivering credential stealers
CVE-2026-35616 in FortiClient EMS has been patched since April, but the attack campaign exploiting it is still running. Arctic Wolf published analysis last week showing a threat cluster using the vulnerability to deliver the EKZ Infostealer to managed endpoints, disguised as a legitimate Fortinet patch update. The delivery mechanism is FortiClient's own VPN scripting workflow: FortiClient components launch command scripts, invoke PowerShell silently, download the credential stealer, and exfiltrate Chrome and Firefox credentials including Chrome's encrypted password storage. The attack requires no user interaction because it exploits the trusted channel between managed endpoints and their endpoint management server. If you run FortiClient EMS and have not verified the April 2026 hotfix is applied, treat any endpoint showing unsolicited PowerShell execution from the FortiClient process as a potential credential-harvest event.
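To operationalize the closing recommendation, an added example (not Arctic Wolf's or Fortinet's code) in Python: it walks constructed Sysmon-style process-creation records and flags PowerShell whose parent chain leads back to a FortiClient image, including through the command-script stage the campaign uses. The install path pattern, the depth bound and the sample records are assumptions.

```python
import json
import ntpath

# Constructed Sysmon-style ProcessCreate records (one JSON object per line).
# Field names follow Sysmon Event ID 1; every value here is invented.
SAMPLE_EVENTS = r"""
{"ProcessId": 100, "ParentProcessId": 4, "Image": "C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe", "CommandLine": "FortiClient.exe"}
{"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c update.cmd"}
{"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -File update.ps1"}
{"ProcessId": 400, "ParentProcessId": 50, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 500, "ParentProcessId": 400, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process"}
"""

FORTICLIENT_DIR = "\\fortinet\\forticlient\\"   # assumed install path, matched case-insensitively
SHELLS = {"powershell.exe", "pwsh.exe"}


def parse_events(text: str) -> dict:
    """Index ProcessCreate records by ProcessId."""
    return {ev["ProcessId"]: ev
            for ev in (json.loads(line) for line in text.splitlines() if line.strip())}


def forticlient_ancestor(pid: int, by_pid: dict, max_depth: int = 4):
    """Walk the parent chain from pid; return the first FortiClient image or None.
    The depth bound keeps the walk finite when the log is missing a record."""
    for _ in range(max_depth):
        ev = by_pid.get(pid)
        if ev is None:
            return None
        if FORTICLIENT_DIR in ev["Image"].lower():
            return ev["Image"]
        pid = ev["ParentProcessId"]
    return None


def flag_powershell_from_forticlient(text: str) -> list:
    """Return (pid, forticlient_image, command_line) for each PowerShell process
    whose ancestry passes through FortiClient, even via an intermediate cmd.exe."""
    by_pid = parse_events(text)
    hits = []
    for pid, ev in by_pid.items():
        if ntpath.basename(ev["Image"]).lower() not in SHELLS:
            continue
        origin = forticlient_ancestor(ev["ParentProcessId"], by_pid)
        if origin:
            hits.append((pid, origin, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for hit in flag_powershell_from_forticlient(SAMPLE_EVENTS):
        print("possible credential-harvest chain:", hit)
```

Legitimate FortiClient-driven scripts will also match, so treat hits as triage leads and confirm the endpoint's April 2026 hotfix status before escalating.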
Salesforce paid $1-1.5 billion to give Agentforce a content layer
Salesforce signed a definitive agreement to acquire Contentful on June 1 for an estimated $1-1.5 billion. Contentful is the headless CMS used by roughly 30% of the Fortune 500 and 4,800+ brands globally. The strategic purpose: Agentforce will have a native, enterprise-grade content layer to power AI-driven 1:1 content personalization at scale. The deal closes in Q3 of Salesforce's FY2027, pending regulatory approval. Two actions for enterprise IT leaders. First, check any standalone Contentful contracts for change-of-control provisions before the acquisition closes. Second, if you are currently evaluating Agentforce and a headless CMS separately, the roadmap answer for "Salesforce plus a content layer" is now defined: build the integration you would have paid a third party to do into your Salesforce renewal negotiation.
THE NUMBER: 5,700:1
Envoy's bandwidth amplification ratio for the HTTP/2 Bomb attack. A standard home broadband connection can commit 32 gigabytes of enterprise memory on an Envoy-backed server in roughly 10 seconds at this ratio. Envoy is the proxy inside most enterprise Kubernetes service meshes and major API gateways; it has no patch for CVE-2026-49975 yet. The interpretive point is not the ratio itself: it is that your CDN and WAF block traffic at the connection layer, not the server-memory layer. For HTTP/2 Bomb, the damage is already done before packet inspection fires. Until Envoy ships a fix, the compensating control is a concurrent HTTP/2 stream cap at the Kubernetes ingress controller.
Enterprise IT leaders inside the DoGood network are tracking both sides of the AI discovery story this week: what it means to depend on tools that can find your infrastructure's blind spots before you do, and what AI governance looks like when there are no external mandates setting the pace. If those questions are live in your environment, that conversation is already happening inside the network.
