Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-2vx9-7wpg-88jq | n8n: path traversal bypasses file access restriction | n8n | 6.4 |
| HIGH | GHSA-hv85-774v-26fg | auth-fetch-mcp: SSRF + disk-exfil via unvalidated tool URLs | auth-fetch-mcp | 8.2 |
| CRITICAL | CVE-2026-46339 | 9router: unauthenticated RCE exposes LLM API keys | 9router | 10.0 |
| MEDIUM | CVE-2026-46341 | @apify/actors-mcp-server: URL bypass → LLM prompt injection | 6.1 | |
| CRITICAL | GHSA-3875-8gcx-7v46 | n8n: SSRF bypasses credential domain restrictions | n8n | 9.1 |
| MEDIUM | GHSA-c2c9-mfw7-p8hw | Flowise: cross-workspace chatflow config disclosure | flowise | - |
| MEDIUM | GHSA-59fh-9f3p-7m39 | Flowise: mass assignment bypasses password controls | flowise | - |
| MEDIUM | GHSA-m837-xvxr-vqwg | Flowise: hardcoded CORS wildcard enables drive-by credential abuse | flowise | - |
| CRITICAL | CVE-2026-46695 | Boxlite: read-only bypass enables host code execution | boxlite-cli | 10.0 |
| MEDIUM | CVE-2026-46678 | pydantic-ai: SSRF bypass exposes cloud IAM credentials | pydantic-ai-slim | 6.8 |
| HIGH | CVE-2026-46519 | mcp-server-kubernetes: auth bypass enables full cluster RCE | mcp-server-kubernetes | 8.8 |
| MEDIUM | CVE-2026-9468 | cline-mcp-memory-bank: path traversal in memory init | 6.3 | |
| CRITICAL | CVE-2026-7524 | Langflow: RCE via symlink traversal in archive extraction | langflow | 9.8 |
| CRITICAL | CVE-2026-25879 | langroid: Prompt-to-SQL injection enables RCE on DB host | langroid | 9.8 |
| MEDIUM | CVE-2026-46526 | local-deep-research: SSRF via URL parser differential bypass | local-deep-research | 5.0 |
| MEDIUM | CVE-2026-47128 | nono-cli: sandbox escape via Unix socket bypass | nono-cli | 6.1 |
| HIGH | CVE-2026-32905 | OpenClaw: auth bypass enables persistent device enrollment | openclaw | 8.3 |
| MEDIUM | CVE-2026-32906 | OpenClaw: privilege escalation bypasses Slack plugin approval gate | openclaw | 4.3 |
| MEDIUM | CVE-2026-34507 | OpenClaw: policy bypass enables unauthorized admin command execution | openclaw | 5.4 |
| HIGH | CVE-2026-35630 | OpenClaw: auth bypass enables unauthorized agent approval | openclaw | 8.0 |