Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-42074 | openclaude: sandbox bypass allows host-level RCE | openclaude | - |
| HIGH | CVE-2026-44246 | nnU-Net: prompt injection hijacks CI/CD triage agent | claude-code | 7.2 |
| LOW | CVE-2026-8026 | Flowise: info disclosure via login API response handler | flowise | 3.7 |
| HIGH | CVE-2026-45134 | LangSmith: prompt deserialization enables SSRF + data leak | langchain | 7.1 |
| HIGH | CVE-2026-45136 | claude-code-cache-fix: hook path injection → RCE | claude-code-cache-fix | - |
| HIGH | GHSA-7g73-99r4-m4mj | Flowise: credential data leak via filtered API endpoint | flowise | - |
| CRITICAL | GHSA-9rvc-vf7m-pgm2 | Flowise: auth RCE via NodeVM sandbox escape | flowise | - |
| HIGH | GHSA-hp26-q66v-q2w7 | Flowise: mass assignment breaks multi-tenant isolation | flowise | - |
| HIGH | GHSA-m99r-2hxc-cp3q | Flowise MCP: 3-path blocklist bypass enables server RCE | flowise-components | - |
| HIGH | GHSA-php6-83fg-gw3g | Flowise: brute-force auth grants full agent platform access | flowise | 7.5 |
| HIGH | CVE-2026-42863 | Flowise: Mass Assignment enables cross-workspace takeover | flowise | - |
| HIGH | CVE-2026-42862 | Flowise: mass assignment breaks tenant isolation | flowise | - |
| HIGH | CVE-2026-42861 | Flowise: mass assignment breaks multi-tenant isolation | flowise | - |
| HIGH | GHSA-wxrr-jp8m-qq7f | Flowise: mass assignment enables cross-workspace IDOR | flowise | - |
| HIGH | GHSA-mq53-pc65-wjc4 | Flowise: mass assignment breaks workspace isolation | flowise | - |
| HIGH | GHSA-7j65-65cr-6644 | Flowise: mass assignment breaks cross-workspace isolation | flowise | - |
| HIGH | GHSA-5h9v-837x-m97r | Flowise: mass assignment enables cross-workspace data takeover | flowise | - |
| HIGH | GHSA-728h-4mwj-f2p4 | Flowise: mass assignment breaks cross-workspace isolation | flowise | - |
| HIGH | GHSA-78pr-c5x5-jggc | Flowise: IDOR via mass assignment breaks tenant isolation | flowise | - |
| HIGH | GHSA-hmg2-jjjx-jcp2 | Flowise: missing authz on vector store CRUD endpoints | flowise | - |