Security Analysis of Agentic AI Communication Protocols: A Comparative Evaluation

Yedidel Louck, Ariel Stulman, Amit Dvir

TL;DR

This work addresses security challenges in multi-agent AI communications by conducting the first empirical, cross-protocol benchmarking of A2A, CORAL, and ACP using a 14-point vulnerability taxonomy. It reveals an architecture-versus-implementation dichotomy: CORAL’s design offers strong integrity and confidentiality, yet its public implementation suffers from authentication and authorization flaws, while ACP’s flexible configuration introduces variable security depending on enforcement of per-message integrity. A2A, serving as the literature baseline, shows broad vulnerability across categories due to minimal per-message protections. The paper advocates a hybrid approach that blends CORAL’s integrated payment/transport architecture with ACP’s mandatory per-message integrity to enable resilient, next-generation agent communications, with measurable implications for standardization and real-world deployment.

Abstract

Multi-agent systems (MAS) powered by artificial intelligence (AI) are increasingly foundational to complex, distributed workflows. Yet, the security of their underlying communication protocols remains critically under-examined. This paper presents the first empirical, comparative security analysis of the official CORAL implementation and a high-fidelity, SDK-based ACP implementation, benchmarked against a literature-based evaluation of A2A. Using a 14-point vulnerability taxonomy, we systematically assess their defenses across authentication, authorization, integrity, confidentiality, and availability. Our results reveal a pronounced security dichotomy: CORAL exhibits a robust architectural design, particularly in its transport-layer message validation and session isolation, but suffers from critical implementation-level vulnerabilities, including authentication and authorization failures at its SSE gateway. Conversely, ACP's architectural flexibility, most notably its optional JWS enforcement, translates into high-impact integrity and confidentiality flaws. We contextualize these findings within current industry trends, highlighting that existing protocols remain insufficiently secure. As a path forward, we recommend a hybrid approach that combines CORAL's integrated architecture with ACP's mandatory per-message integrity guarantees, laying the groundwork for resilient, next-generation agent communications.
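Why optional per-message signing gives no integrity guarantee, shown as an added example (not code from the paper or from the ACP or CORAL projects): a receiver with a `require_jws` switch processes a constructed envelope. The envelope shape, the key and all function names are hypothetical and do not reflect ACP's wire format; the JWS is HS256 in compact serialization, built from the Python standard library.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed shared secret, for the demo only

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, key: bytes = KEY) -> str:
    """Return a JWS compact serialization (HS256) over the payload."""
    header = b64u(json.dumps({"alg": "HS256"}).encode())
    body = b64u(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(mac)}"

def verify(token: str, key: bytes = KEY) -> dict:
    """Verify an HS256 JWS and return its payload; raise ValueError otherwise."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(b64u_dec(header)).get("alg")
        given = b64u_dec(sig)
    except Exception as exc:
        raise ValueError("malformed JWS") from exc
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(body))

def receive(envelope: dict, require_jws: bool) -> dict:
    """Hypothetical receiver; envelope = {"message": {...}, "jws": optional str}."""
    token = envelope.get("jws")
    if token is None:
        if require_jws:
            raise ValueError("unsigned message rejected")
        return envelope["message"]  # optional mode: unauthenticated content accepted
    return verify(token)  # act only on the signed payload, never the outer copy

ORIGINAL = {"task": "summarize", "recipient": "agent-b"}
SIGNED = {"message": ORIGINAL, "jws": sign(ORIGINAL)}
# Constructed: the same message altered in transit, arriving without the jws field.
STRIPPED = {"message": {"task": "summarize", "recipient": "agent-x"}}
```

With `require_jws=False` the altered envelope is returned as if it were valid; with `require_jws=True` it is rejected, and only the payload covered by the signature is ever acted on.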

Paper Structure

This paper contains 91 sections, 1 equation, 5 figures, 4 tables.

Figures (5)

  • Figure 1: Representative attack surface in a multi-agent protocol context, covering injection, interception, replay, poisoning, and unauthorized access.
  • Figure 2: Message flow in the A2A protocol, illustrating task delegation between a client agent and a remote agent via the protocol handler.
  • Figure 3: Workflow of the CORAL protocol, highlighting threaded messaging, coalition formation, and payment escrow in decentralized agent coordination.
  • Figure 4: Workflow of the ACP protocol, showing RESTful task requests and artifact responses in a client-server configuration.
  • Figure 5: Radar plot with a 0–3 mitigation scale (0 = Vulnerable, 1.5 = Partial, 3 = Mitigated). N/A categories (e.g., A2A for Availability) are rendered as 0 solely for plotting convenience and should not be interpreted as exposure.