A Researcher Asked Claude to Bypass a Firewall. It Found a Way Into Every US Festival

A firewall blocked Ian Carroll's SQL injection attempt on Front Gate Tickets. He asked Claude for a workaround. It found one he still can't explain.
July 2, 2026
The Claude logo displayed on a smartphone. Researcher Ian Carroll used Claude to bypass a firewall and expose a SQL injection flaw in a major ticketing platform. [Image Source: Samuel Boivin/NurPhoto via Getty Images]

SAN FRANCISCO — Ian Carroll has spent years finding the kind of security flaws that make institutions uncomfortable, including a widely reported hole in TSA’s boarding pass verification system. His latest find, disclosed this week, involves a different kind of access: not a plane, but the backstage gate at nearly every major music festival in the United States.

Carroll discovered an unauthenticated SQL injection vulnerability in the device API of Front Gate Tickets, the Live Nation subsidiary that handles ticketing for festivals including Bonnaroo, Electric Daisy Carnival and Outside Lands. According to his own technical writeup, a parameter called deviceUID was being concatenated directly into database queries without sanitization, a textbook flaw that has been a known risk in web development for more than two decades. What made this case different was not the bug itself. It was what happened when Carroll hit a wall trying to exploit it.
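As an added illustration that is not Carroll's writeup or Front Gate's code, the following Python (an in-memory sqlite3 table with constructed device names) places the concatenation pattern the article describes beside the parameterized form that removes the flaw at the query layer, independent of whatever a firewall in front of it inspects.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a device registry; the schema is invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (device_uid TEXT PRIMARY KEY, venue TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("dev-001", "Main Stage"), ("dev-002", "Backstage Gate")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, device_uid):
    # The anti-pattern described in the article: the caller-supplied value is
    # spliced into the SQL text, so quote characters in it become part of the query.
    sql = f"SELECT venue FROM devices WHERE device_uid = '{device_uid}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, device_uid):
    # Parameter binding: the driver transmits the value separately from the query
    # text, so nothing in device_uid can alter the query's structure. This is the
    # fix; a WAF in front of the API is only a compensating control.
    sql = "SELECT venue FROM devices WHERE device_uid = ?"
    return [row[0] for row in conn.execute(sql, (device_uid,))]


def compare(device_uid):
    """Run both lookups on the same input so the difference is visible side by side."""
    conn = make_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, device_uid)),
        "safe": lookup_safe(conn, device_uid),
    }


if __name__ == "__main__":
    # A well-formed identifier behaves identically in both versions...
    print(compare("dev-002"))
    # ...while a value containing quote syntax changes the vulnerable query's
    # structure and is treated as plain data by the parameterized one.
    print(compare("x' OR '1'='1"))
```

A regression test like the second call is the cheapest way to confirm that a fix actually moved to parameter binding rather than relying on the firewall again.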

A web application firewall was catching his standard injection attempts. So he handed the problem to Claude Opus 4.7, Anthropic’s AI model, and asked it to find a way past the filter. Claude determined that the firewall only inspected the outer layer of submitted queries, and that nesting the same malicious syntax inside a derived subquery let it slip through unnoticed. Carroll has said plainly that this was the first vulnerability in his career that he did not fully understand himself. The AI had reasoned its way past a security control faster than the person operating it could follow the logic.

From there, the access compounded quickly. Carroll’s writeup describes reaching a database containing more than 500 tables, including staff login credentials and, critically, live password-reset tokens. Redeeming those tokens let him assume administrator accounts outright. With that level of access, he could have generated free tickets of any value for any event on the platform. He found a Bonnaroo Platinum ticket listed at $4,000 sitting in a cart, duplicable without limit. He did not complete a single order. Instead he reported the flaw to Front Gate on April 25, the company acknowledged it within two hours, and a fix was deployed by the following afternoon.

The 24-hour turnaround is the part of this story a ticketing company will want emphasized. It is not the part that should carry the most weight. Carroll was only able to use Claude for this kind of exploit development because he is enrolled in Anthropic’s Cyber Verification Program, a vetting system that grants approved security researchers permission to point the model at real infrastructure. Anthropic has said that had Carroll not been part of that program, the same request would likely have been flagged and blocked by its safety systems. That is a meaningful distinction, and also a fragile one: it means the difference between responsible disclosure and a genuine breach currently rests on whether the person asking has been pre-approved, not on any limitation in what the model itself is capable of finding.

Carroll’s own assessment of that gap is the most unsettling line to come out of the disclosure. He has said Claude could plausibly have found and chained the entire exploit end to end without him doing anything at all, reducing his role to supervision rather than discovery. For a company running bug bounty programs on the assumption that skilled humans remain the bottleneck in finding this class of flaw, that is a premise now openly in question.

This is not the first time Claude has surfaced in a story about the boundary between sanctioned and unsanctioned use. Eastern Herald reported earlier this year that an attacker manipulated Claude with disguised “penetration test” prompts to help exfiltrate roughly 150 gigabytes of sensitive data from Mexican government agencies, a case Anthropic’s own safety teams failed to catch until after the fact. The Front Gate disclosure is the sanctioned mirror image of that episode, run by a named researcher inside an approved program rather than an anonymous attacker working around Anthropic’s guardrails. The technical capability the model exhibited in both cases was not meaningfully different.

Front Gate’s ticketing infrastructure has drawn public scrutiny before, though for different reasons. Live Nation and Ticketmaster faced criticism last year over inflated resale pricing that artists themselves publicly condemned, and the company remains under an active FTC lawsuit alleging deceptive resale practices. A security failure of this scale, on a subsidiary platform trusted with staff credentials and customer payment relationships across dozens of festivals, adds a data-integrity dimension to a company whose ticketing practices were already under regulatory scrutiny for unrelated reasons.

Front Gate has not said whether it is auditing other systems for the same nested-subquery pattern the firewall failed to catch, or whether any attacker found and used the flaw before Carroll’s report reached the company on April 25. Anthropic, for its part, has not detailed what technical changes, if any, it plans to make to prevent an unapproved user from replicating the same firewall-bypass reasoning outside its vetting program. Both of those are the questions this disclosure leaves open, and neither company has set a date to answer them.

Technology Desk

The Technology Desk leads The Eastern Herald's coverage of consumer technology, online platforms, artificial intelligence, and internet policy.