Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2024-53526 | Composio: command injection in AI agent tool calls | composio-openai | 6.4 |
| CRITICAL | CVE-2023-32785 | LangChain: prompt injection → SQL RCE (CVSS 9.8) | langchain | 9.8 |
| MEDIUM | CVE-2024-6985 | lollms: path traversal allows arbitrary directory read | lollms | 4.4 |
| LOW | CVE-2024-6971 | lollms: path traversal in RAG database functions | lollms | 3.4 |
| MEDIUM | CVE-2024-7041 | open-webui: IDOR enables cross-user memory tampering | open-webui | 6.5 |
| MEDIUM | CVE-2026-4963 | smolagents: code injection via incomplete sandbox fix | smolagents | 6.3 |
| UNKNOWN | CVE-2026-33873 | Langflow: server-side RCE via LLM-generated code exec | langflow | - |
| UNKNOWN | CVE-2026-34046 | Langflow: IDOR exposes flows and plaintext API keys | langflow | - |
| MEDIUM | CVE-2026-27496 | n8n: uninitialized buffer leaks secrets via Task Runner | n8n | 6.5 |
| CRITICAL | CVE-2026-33663 | n8n: member role steals plaintext HTTP credentials | n8n | 10.0 |
| HIGH | CVE-2026-33665 | n8n: LDAP email match enables permanent account takeover | n8n | 8.2 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-33713 | n8n: SQLi in Data Table node, full DB compromise | n8n | 8.8 |
| MEDIUM | CVE-2026-33720 | n8n: OAuth state forgery hijacks user credentials | n8n | 4.2 |
| MEDIUM | CVE-2026-33722 | n8n: secrets vault bypass exposes credentials to low-priv users | n8n | 5.3 |
| HIGH | CVE-2026-33724 | n8n: SSH MitM enables malicious workflow injection | n8n | 7.4 |
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| MEDIUM | CVE-2026-33751 | n8n: LDAP injection enables auth bypass in workflows | n8n | 4.8 |
| LOW | CVE-2026-29071 | Open WebUI: IDOR exposes AI memories and private files | open-webui | 3.1 |
| CRITICAL | GHSA-5mg7-485q-xm76 | litellm: supply chain attack harvests AI API credentials | litellm | - |