Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-40115 | PraisonAI: unbounded body read enables local DoS | PraisonAI | 6.2 |
| MEDIUM | CVE-2026-35657 | openclaw: auth bypass exposes agent session history via HTTP | openclaw | 6.5 |
| MEDIUM | CVE-2026-6011 | OpenClaw: SSRF via web-fetch enables internal network pivot | openclaw | 5.6 |
| HIGH | GHSA-75hx-xj24-mqrw | n8n-mcp: unauthenticated HTTP endpoints enable DoS + recon | n8n-mcp | 8.2 |
| MEDIUM | CVE-2026-35646 | openclaw: webhook rate-limit bypass enables token brute-force | openclaw | 4.8 |
| MEDIUM | CVE-2026-35640 | openclaw: unauthenticated webhook parsing enables DoS | openclaw | 5.3 |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | openclaw | 7.4 |
| MEDIUM | CVE-2026-40190 | langsmith: prototype pollution enables auth bypass, RCE | langsmith | 5.6 |
| HIGH | GHSA-p4h8-56qp-hpgv | mcp-ssh: argument injection enables LLM-driven local RCE | - | |
| CRITICAL | CVE-2025-61260 | OpenAI Codex CLI: RCE via malicious MCP config files | @openai/codex | 9.8 |
| HIGH | CVE-2026-30617 | LangChain-ChatChat: RCE via unauthenticated MCP interface | 8.6 | |
| HIGH | GHSA-gqqj-85qm-8qhf | paperclipai: connector trust bypass enables Gmail read/write | paperclipai | 8.7 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| HIGH | GHSA-f6hc-c5jr-878p | Flowise: auth bypass enables account takeover via null token | flowise | - |
| HIGH | GHSA-28g4-38q8-3cwc | Flowise: Cypher injection allows full Neo4j DB wipe | flowise-components | - |
| HIGH | GHSA-x5w6-38gp-mrqh | Flowise: HTTP reset link exposes tokens to MITM takeover | flowise | - |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | flowise | - |
| HIGH | GHSA-6r77-hqx7-7vw8 | FlowiseAI: SSRF via prompt injection in API Chain | flowise-components | 7.1 |
| HIGH | GHSA-2x8m-83vc-6wv4 | Flowise: SSRF bypass exposes internal services | flowise-components | 7.1 |
| HIGH | GHSA-xhmj-rg95-44hv | Flowise: SSRF bypass exposes cloud IAM credentials | flowise-components | 7.1 |