Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-34937 | PraisonAI: OS command injection via run_python() shell escape | praisonaiagents | 7.8 |
| CRITICAL | CVE-2026-34938 | praisonaiagents: sandbox bypass enables full host RCE | praisonaiagents | 10.0 |
| HIGH | CVE-2026-34222 | Open WebUI: access control bypass leaks Tool Valve API keys | open-webui | 7.7 |
| MEDIUM | GHSA-9q7v-8mr7-g23p | OpenClaw: SSRF in marketplace fetch hits internal AI infra | openclaw | - |
| MEDIUM | GHSA-mvv8-v4jj-g47j | Directus: cleartext storage exposes AI API keys | 6.5 | |
| CRITICAL | CVE-2026-35216 | Budibase: Unauthenticated RCE as root via webhook | 9.1 | |
| HIGH | CVE-2026-35394 | mobile-mcp: intent injection enables device control via AI agent | @mobilenext/mobile-mcp | 8.3 |
| HIGH | CVE-2026-35021 | Claude Code CLI: shell injection enables RCE | 7.8 | |
| HIGH | CVE-2026-35020 | Claude Code CLI: OS command injection via TERMINAL env | claude-code | 8.4 |
| CRITICAL | CVE-2026-35022 | Claude Code: OS command injection, credential theft | 9.8 | |
| CRITICAL | CVE-2026-35615 | PraisonAI: path traversal exposes full filesystem via agent tools | PraisonAI | - |
| HIGH | CVE-2026-39308 | PraisonAI: recipe registry path traversal file write | PraisonAI | 7.1 |
| HIGH | CVE-2026-39306 | PraisonAI: recipe path traversal allows arbitrary file write | PraisonAI | 7.3 |
| CRITICAL | CVE-2026-39305 | PraisonAI: path traversal enables arbitrary file write/RCE | PraisonAI | 9.0 |
| HIGH | CVE-2026-39307 | PraisonAI: Zip Slip enables arbitrary file write / RCE | PraisonAI | 8.1 |
| MEDIUM | CVE-2026-34425 | OpenClaw: script preflight bypass enables unsafe exec | openclaw | - |
| HIGH | CVE-2026-34511 | OpenClaw: PKCE verifier leak enables OAuth token theft | openclaw | - |
| MEDIUM | GHSA-83f3-hh45-vfw9 | OpenClaw: cleartext WebSocket exposes gateway credentials | openclaw | - |
| MEDIUM | GHSA-jj6q-rrrf-h66h | openclaw: timing side-channel leaks shared-secret length | openclaw | - |
| MEDIUM | GHSA-rxmx-g7hr-8mx4 | OpenClaw: Zalo webhook dedup collision silently drops events | openclaw | - |