Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-3345 | Langflow: path traversal allows arbitrary file read | langflow | 6.5 |
| HIGH | CVE-2026-6542 | Langflow: IDOR exposes cross-tenant flow data and deletion | langflow | 8.1 |
| HIGH | CVE-2026-6543 | Langflow: RCE exposes API keys and DB credentials | langflow | 8.8 |
| MEDIUM | CVE-2026-7687 | Langflow: command injection in code parser enables RCE | langflow | 6.3 |
| MEDIUM | CVE-2026-7700 | Langflow: eval() code injection → remote code execution | langflow | 6.3 |
| MEDIUM | CVE-2026-41358 | OpenClaw: sender allowlist bypass via Slack thread context | openclaw | 5.4 |
| MEDIUM | GHSA-93rg-2xm5-2p9v | openclaw: auth bypass exposes Gateway bootstrap config | openclaw | - |
| MEDIUM | GHSA-5h3g-6xhh-rg6p | openclaw: TOCTOU race allows out-of-sandbox file read | openclaw | - |
| HIGH | GHSA-wppj-c6mr-83jj | openclaw: TOCTOU sandbox escape via symlink swap | openclaw | - |
| MEDIUM | GHSA-x3h8-jrgh-p8jx | OpenClaw: exec allowlist bypass allows hidden shell code | openclaw | - |
| HIGH | GHSA-r6xh-pqhr-v4xh | openclaw: MCP owner-context spoofing, privilege escalation | openclaw | - |
| MEDIUM | GHSA-55cf-xx38-4p9p | OpenClaw: .env injection redirects connector endpoints | openclaw | - |
| MEDIUM | GHSA-q3jj-46pq-826r | openclaw: ACP child session security envelope bypass | openclaw | - |
| MEDIUM | GHSA-2hh7-c75g-qj2r | openclaw: SSRF bypass via Zalo plugin photo URLs | openclaw | - |
| HIGH | CVE-2026-42079 | PPTAgent: eval injection enables RCE via LLM prompt injection | pptagent | 8.6 |
| HIGH | GHSA-cwj3-vqpp-pmxr | openclaw: Model bypasses authz to persist unsafe config | openclaw | 8.8 |
| HIGH | GHSA-r39h-4c2p-3jxp | OpenClaw: RCE via malicious repo setup-api.js | openclaw | 7.8 |
| MEDIUM | GHSA-q8ff-7ffm-m3r9 | openclaw: stale webhook secret survives credential rotation | openclaw | 6.0 |
| MEDIUM | CVE-2026-42045 | LobeChat: XSS-to-RCE via exposed Electron IPC | @lobehub/lobehub | 6.2 |
| MEDIUM | CVE-2026-43901 | wireshark-mcp: path traversal enables arbitrary file write via MCP | 6.8 |