Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-45732 | n8n: OAuth token hijack via credential permission bypass | n8n | 8.1 |
| CRITICAL | CVE-2026-44792 | n8n: SQL injection via poisoned Source Control git repo | n8n | 9.0 |
| CRITICAL | CVE-2026-44791 | n8n: XML node patch bypass enables host RCE | n8n | 9.9 |
| HIGH | CVE-2026-44790 | n8n: Git node arg injection enables full server compromise | n8n | 8.8 |
| CRITICAL | CVE-2026-44789 | n8n: prototype pollution in HTTP node enables RCE | n8n | 9.9 |
| HIGH | CVE-2026-45370 | utcp-cli: env leak exfiltrates all agent process secrets | utcp-cli | 7.7 |
| HIGH | CVE-2026-45402 | open-webui: auth bypass exposes any user's private files via RAG | open-webui | 8.1 |
| HIGH | CVE-2026-45401 | open-webui: SSRF redirect bypass exposes internal services | open-webui | 8.5 |
| MEDIUM | CVE-2026-45386 | open-webui: auth bypass lets read-only users pin messages | open-webui | 4.3 |
| HIGH | CVE-2026-45350 | open-webui: missing authz allows admin tool hijacking | open-webui | 7.1 |
| HIGH | CVE-2026-45315 | open-webui: stored XSS → JWT theft and admin takeover | open-webui | 8.7 |
| CRITICAL | CVE-2026-45311 | deepseek-tui: prompt injection enables zero-approval RCE | deepseek-tui | 9.6 |
| HIGH | CVE-2026-45310 | deepseek-tui: SSRF bypass leaks cloud IAM credentials | deepseek-tui | 7.4 |
| HIGH | CVE-2026-45539 | Microsoft APM: symlink attack leaks host files in agent deps | apm | 7.4 |
| HIGH | CVE-2026-45548 | @budibase/server: SSRF in AI Extract bypasses IP blacklist | @budibase/server | 7.7 |
| MEDIUM | CVE-2026-45582 | n8n-mcp: telemetry leak exposes workflow URL secrets | n8n-mcp | 6.5 |
| CRITICAL | CVE-2026-45829 | ChromaDB: pre-auth RCE via trust_remote_code injection | chromadb | 10.0 |
| HIGH | CVE-2026-45707 | n8n-mcp: tenant isolation bypass, operator RCE risk | n8n-mcp | 8.1 |
| CRITICAL | CVE-2026-2611 | MLflow: cross-origin bypass enables RCE via AI agent | mlflow | 9.6 |
| CRITICAL | CVE-2026-45758 | guardrails-ai: malicious 0.10.1 enables host compromise | guardrails-ai | 9.6 |