Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-2gvc-4f3c-2855 | OpenClaw: auth bypass lets DM senders run room commands | openclaw | - |
| HIGH | GHSA-xmxx-7p24-h892 | OpenClaw: stale bearer token survives SecretRef rotation | openclaw | - |
| MEDIUM | CVE-2026-35603 | Claude Code: config hijack via unprotected ProgramData dir | @anthropic-ai/claude-code | - |
| MEDIUM | GHSA-f7fh-qg34-x2xh | openclaw: CDP SSRF enables internal host pivot | openclaw | - |
| MEDIUM | GHSA-jhpv-5j76-m56h | OpenClaw: auth bypass leaks host files via media path | openclaw | - |
| HIGH | GHSA-66r7-m7xm-v49h | openclaw: path traversal exposes host files via media tags | openclaw | - |
| HIGH | GHSA-2cq5-mf3v-mx44 | openclaw: exec approval bypass via opaque multi-call binaries | openclaw | - |
| HIGH | GHSA-7jp6-r74r-995q | openclaw: auth bypass lets write-scope callers mutate admin config | openclaw | - |
| HIGH | GHSA-736r-jwj6-4w23 | openclaw: sandbox escape via host=node exec routing bypass | openclaw | - |
| MEDIUM | GHSA-536q-mj95-h29h | openclaw: SSRF bypass via browser navigation guard gap | openclaw | - |
| MEDIUM | GHSA-qmwg-qprg-3j38 | openclaw: CDP pivot bypasses file:// navigation guards | openclaw | - |
| HIGH | GHSA-939r-rj45-g2rj | openclaw: untrusted plugin auto-enabled during onboarding | openclaw | - |
| MEDIUM | GHSA-527m-976r-jf79 | openclaw: SSRF bypass in existing browser session routes | openclaw | - |
| MEDIUM | GHSA-rj2p-j66c-mgqh | openclaw: SSRF policy bypass in browser tab actions | openclaw | - |
| MEDIUM | GHSA-f3h5-h452-vp3j | openclaw: insufficient authz allows agent config persistence | openclaw | - |
| HIGH | GHSA-525j-hqq2-66r4 | openclaw: CDP relay exposes browser DevTools on 0.0.0.0 | openclaw | - |
| HIGH | GHSA-82qx-6vj7-p8m2 | openclaw: trust bypass loads untrusted workspace plugins | openclaw | - |
| MEDIUM | GHSA-jf25-7968-h2h5 | openclaw: path traversal bypasses workspace filesystem guard | openclaw | - |
| MEDIUM | GHSA-53vx-pmqw-863c | openclaw: Browser SSRF exposes internal services by default | openclaw | - |
| MEDIUM | GHSA-xq94-r468-qwgj | openclaw: DNS rebinding bypasses browser SSRF protection | openclaw | - |