Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-35673 | OpenClaw: SSRF bypass exposes private network access | openclaw | 6.5 |
| HIGH | CVE-2026-35674 | OpenClaw: scope bypass enables full agent admin takeover | openclaw | 8.8 |
| CRITICAL | CVE-2026-47416 | praisonai-platform: member-to-owner privilege escalation | praisonai-platform | 9.6 |
| HIGH | CVE-2026-47409 | praisonai-platform: auth bypass enables owner lockout | praisonai-platform | 8.1 |
| HIGH | CVE-2026-47414 | praisonai-platform: IDOR cross-workspace label tampering | praisonai-platform | 7.6 |
| HIGH | CVE-2026-47406 | praisonai-platform: IDOR enables cross-workspace data poisoning | praisonai-platform | 8.1 |
| CRITICAL | CVE-2026-47410 | praisonai-platform: hardcoded JWT → full account takeover | praisonai-platform | 9.8 |
| HIGH | CVE-2026-47405 | PraisonAI Platform: member self-promotes to workspace owner | praisonai-platform | 8.8 |
| HIGH | CVE-2026-47399 | praisonai-platform: IDOR breaks workspace tenant isolation | praisonai-platform | 8.8 |
| CRITICAL | CVE-2026-47407 | praisonai-platform: IDOR enables cross-tenant agent hijack | praisonai-platform | - |
| MEDIUM | CVE-2026-47408 | praisonai-platform: IDOR exposes cross-tenant activity logs | praisonai-platform | 6.5 |
| HIGH | CVE-2026-48169 | praisonai-platform: IDOR allows full workspace takeover | praisonai-platform | 8.8 |
| HIGH | CVE-2026-47397 | PraisonAI: arbitrary file write via hidden webpage metadata | PraisonAI | - |
| CRITICAL | CVE-2026-47391 | PraisonAI: Unauth RCE via A2A eval injection | PraisonAI | 9.8 |
| HIGH | CVE-2026-47394 | PraisonAI: MCP path traversal exfiltrates host credentials | PraisonAI | - |
| CRITICAL | CVE-2026-47392 | praisonaiagents: RCE via Python sandbox bypass | PraisonAI | 9.9 |
| MEDIUM | CVE-2026-47395 | PraisonAI: SSRF via @url mention exposes localhost services | PraisonAI | 5.5 |
| CRITICAL | CVE-2026-47393 | PraisonAI: auth bypass in deployed API exposes LLM + tools | PraisonAI | 9.8 |
| CRITICAL | CVE-2026-47396 | PraisonAI: fail-open auth exposes remote agent control API | PraisonAI | 9.8 |
| MEDIUM | CVE-2026-47390 | PraisonAI: SSRF bypass via loopback alias encodings | PraisonAI | 5.5 |