Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-44334 | praisonai: RCE via unpatched tool_override exec_module | praisonai | 8.4 |
| HIGH | CVE-2026-44335 | praisonaiagents: SSRF via URL parser confusion bypass | praisonaiagents | - |
| MEDIUM | GHSA-cqmh-pcgr-q42f | @axonflow/openclaw: credential exposure via insecure file permissions | @axonflow/openclaw | 5.5 |
| HIGH | CVE-2026-44504 | Aegra: cross-tenant IDOR hijacks user thread data | aegra-api | - |
| CRITICAL | CVE-2025-14931 | smolagents: RCE via pickle deserialization in executor | smolagents | 10.0 |
| CRITICAL | CVE-2026-44007 | vm2: sandbox escape via nesting:true enables RCE | vm2 | 9.1 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| UNKNOWN | CVE-2026-44694 | n8n-MCP: SSRF allows internal network access via webhook tools | n8n-mcp | - |
| HIGH | CVE-2026-44843 | LangChain: deserialization poisons LLM chat history | langchain-core | 8.2 |
| CRITICAL | CVE-2026-44211 | cline: WebSocket auth bypass enables terminal RCE | cline | 9.6 |
| MEDIUM | CVE-2026-43570 | OpenClaw: symlink traversal exposes host filesystem | openclaw | 6.5 |
| MEDIUM | CVE-2026-42282 | n8n-MCP: credential logging exposes OAuth tokens in HTTP mode | 4.3 | |
| HIGH | CVE-2026-44570 | open-webui: IDOR exposes cross-user AI memory data | open-webui | 8.3 |
| HIGH | CVE-2026-44340 | PraisonAI: tar symlink bypass allows arbitrary file write | PraisonAI | 7.5 |
| HIGH | CVE-2026-44339 | praisonaiagents: tool bypass enables undeclared callable exec | PraisonAI | 8.6 |
| CRITICAL | CVE-2026-44336 | PraisonAI: MCP path traversal escalates to full RCE | PraisonAI | 9.6 |
| MEDIUM | CVE-2026-44337 | PraisonAI: SQL/CQL injection in knowledge-store backends | PraisonAI | 6.3 |
| HIGH | CVE-2026-44338 | PraisonAI: unauthenticated API triggers agent workflows | PraisonAI | 7.3 |
| CRITICAL | CVE-2026-43995 | Flowise: SSRF in agent tools bypasses security wrapper | flowise | 9.8 |