Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-2767-2q9v-9326 | openclaw: QQBot SSRF leaks internal service responses | openclaw | - |
| MEDIUM | GHSA-7wv4-cc7p-jhxc | openclaw: .env injection hijacks agent runtime config | openclaw | - |
| MEDIUM | GHSA-c9h3-5p7r-mrjh | openclaw: path traversal bypasses media sandbox | openclaw | - |
| MEDIUM | GHSA-49cg-279w-m73x | openclaw: auth bypass via empty approver list | openclaw | - |
| MEDIUM | GHSA-7g8c-cfr3-vqqr | openclaw: trust escalation via unsanitized agent hook events | openclaw | - |
| HIGH | GHSA-vfp4-8x56-j7c5 | openclaw: env denylist bypass enables code exec in agents | openclaw | - |
| MEDIUM | GHSA-j6c7-3h5x-99g9 | openclaw: OS command injection via shell env-argv bypass | openclaw | - |
| MEDIUM | GHSA-5gjc-grvm-m88j | openclaw: auth bypass enables persistent memory config change | openclaw | - |
| LOW | GHSA-gc9r-867r-j85f | openclaw: auth bypass in Teams SSO invoke handler | openclaw | - |
| LOW | GHSA-r77c-2cmr-7p47 | openclaw: group policy bypass in delivery queue recovery | openclaw | - |
| MEDIUM | GHSA-g375-h3v6-4873 | openclaw: privilege retention via async exec completion miss | openclaw | - |
| HIGH | GHSA-vw3h-q6xq-jjm5 | openclaw: WebSocket DoS via oversized frame ingestion | openclaw | - |
| MEDIUM | GHSA-g2hm-779g-vm32 | openclaw: auth bypass preserves owner-level agent execution | openclaw | - |
| MEDIUM | GHSA-c4qm-58hj-j6pj | openclaw: SSRF bypass exposes internal pages in browser tool | openclaw | - |
| HIGH | GHSA-8372-7vhw-cm6q | openclaw: config redaction bypass exposes provider API keys | openclaw | - |
| MEDIUM | GHSA-jwrq-8g5x-5fhm | openclaw: auth context reuse enables privilege escalation | openclaw | - |
| HIGH | GHSA-5fw2-mwhh-9947 | Flowise: unauth TTS endpoint exposes stored AI API keys | flowise | - |
| HIGH | GHSA-w47f-j8rh-wx87 | Flowise: credential exposure via public chatflow API | flowise | - |
| HIGH | GHSA-3prp-9gf7-4rxx | Flowise: Mass assignment enables cross-tenant store takeover | flowise | - |
| MEDIUM | GHSA-92jp-89mq-4374 | openclaw: auth bypass exposes sandbox browser session | openclaw | - |