Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-h2v7-xc88-xx8c | openclaw: operator scope bypass in phone arm/disarm cmds | openclaw | - |
| MEDIUM | CVE-2026-39398 | openclaw-claude-bridge: sandbox bypass exposes CLI tools | claude-code | - |
| MEDIUM | GHSA-766v-q9x3-g744 | praisonaiagents: agent context leak + path traversal | praisonaiagents | 6.5 |
| HIGH | CVE-2026-39891 | praisonai: SSTI enables RCE via agent instructions | praisonai | 8.8 |
| HIGH | CVE-2026-39889 | PraisonAI: unauth A2U stream leaks all agent activity | praisonai | 7.5 |
| CRITICAL | CVE-2026-39888 | praisonaiagents: sandbox escape enables host RCE | praisonaiagents | 10.0 |
| CRITICAL | CVE-2026-39890 | PraisonAI: YAML deserialization enables unauthenticated RCE | praisonai | 9.8 |
| HIGH | GHSA-4ggg-h7ph-26qr | n8n-mcp: authenticated SSRF leaks cloud metadata | n8n-mcp | 8.5 |
| CRITICAL | GHSA-2763-cj5r-c79m | PraisonAI: RCE via shell injection in agent workflows | PraisonAI | 9.7 |
| MEDIUM | CVE-2026-1163 | lollms: sessions persist after password reset | lollms | 4.1 |
| HIGH | GHSA-7437-7hg8-frrw | OpenClaw: env var injection enables host RCE | openclaw | - |
| HIGH | GHSA-jf56-mccx-5f3f | OpenClaw: wake hook trust violation elevates to System prompt | openclaw | - |
| HIGH | GHSA-gfmx-pph7-g46x | openclaw: trust boundary bypass enables prompt injection | openclaw | - |
| HIGH | CVE-2026-39974 | n8n-MCP: SSRF exposes cloud metadata via MCP headers | 8.5 | |
| MEDIUM | GHSA-ccx3-fw7q-rr2r | openclaw: base64 pre-alloc bypass causes resource exhaustion | openclaw | - |
| MEDIUM | GHSA-3vvq-q2qc-7rmp | openclaw: no integrity check on ClawHub plugin installs | openclaw | - |
| HIGH | GHSA-qx8j-g322-qj6m | OpenClaw: unsafe body replay on cross-origin redirect | openclaw | - |
| MEDIUM | GHSA-w9j9-w4cp-6wgr | openclaw: env var injection enables host exec hijacking | openclaw | - |
| MEDIUM | GHSA-w8g9-x8gx-crmm | OpenClaw: SSRF bypass via Playwright redirect handling | openclaw | - |
| LOW | GHSA-4f8g-77mw-3rxc | OpenClaw: gateway auth expands read to write privilege | openclaw | - |