Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-fh32-73r9-rgh5 | OpenClaw: CDP host bypass exposes localhost browser state | openclaw | - |
| MEDIUM | GHSA-w6wx-jq6j-6mcj | openclaw: script swap bypasses pnpm dlx approval | openclaw | - |
| MEDIUM | GHSA-98ch-45wp-ch47 | OpenClaw: approval bypass via env key normalization gap | openclaw | - |
| MEDIUM | GHSA-2f7j-rp58-mr42 | OpenClaw: info disclosure exposes host filesystem paths | openclaw | - |
| MEDIUM | GHSA-2qrv-rc5x-2g2h | OpenClaw: untrusted plugin RCE via workspace channel setup | openclaw | - |
| MEDIUM | GHSA-5hff-46vh-rxmw | OpenClaw: read-only scope bypass kills agent sessions | openclaw | - |
| MEDIUM | GHSA-4p4f-fc8q-84m3 | openclaw: iOS bridge bypass enables unauthorized agent runs | openclaw | - |
| MEDIUM | GHSA-846p-hgpv-vphc | OpenClaw: path traversal → host file exfiltration via QQ Bot | openclaw | - |
| MEDIUM | GHSA-m34q-h93w-vg5x | openclaw: path traversal enables remote dir overwrite | openclaw | - |
| LOW | GHSA-fqrj-m88p-qf3v | OpenClaw: cross-account webhook event suppression | openclaw | - |
| MEDIUM | GHSA-wwfp-w96m-c6x8 | OpenClaw: pairing DoS blocks account onboarding | openclaw | - |
| MEDIUM | GHSA-h43v-27wg-5mf9 | OpenClaw: pre-auth signature bypass enables pairing DoS | openclaw | - |
| MEDIUM | GHSA-wpc6-37g7-8q4w | OpenClaw: exec allowlist bypass via shell init-file options | openclaw | - |
| MEDIUM | GHSA-42mx-vp8m-j7qh | openclaw: sandbox escape via mirror mode hook execution | openclaw | - |
| LOW | GHSA-767m-xrhc-fxm7 | openclaw: operator.write escalates to admin Telegram config + cron | openclaw | - |
| MEDIUM | GHSA-fwjq-xwfj-gv75 | openclaw: auth bypass exposes agent session visibility | openclaw | - |
| MEDIUM | GHSA-3q42-xmxv-9vfr | openclaw: privilege escalation to admin voice config persistence | openclaw | - |
| HIGH | GHSA-vfw7-6rhc-6xxg | openclaw: env var injection via workspace config | openclaw | - |
| MEDIUM | GHSA-vjx8-8p7h-82gr | openclaw: SSRF in marketplace plugin download | openclaw | - |
| MEDIUM | GHSA-4g5x-2jfc-xm98 | openclaw: media download bypass exhausts disk storage | openclaw | - |