Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-46479 | Flowise: mass assignment cross-workspace takeover | flowise | 8.8 |
| HIGH | CVE-2026-46480 | Flowise: mass-assignment allows cross-workspace takeover | flowise | 8.8 |
| CRITICAL | CVE-2026-46703 | Boxlite: OCI symlink traversal enables host RCE | boxlite | 9.6 |
| MEDIUM | CVE-2026-3341 | Langflow: SSRF exposes internal ML infrastructure | langflow | 5.4 |
| HIGH | CVE-2026-7787 | Langflow: IDOR bypasses auth, exposes sensitive AI configs | langflow | 8.1 |
| HIGH | CVE-2026-53811 | OpenClaw: privilege escalation via identity spoofing | openclaw | 8.8 |
| LOW | CVE-2026-53809 | OpenClaw: policy bypass exposes restricted tool access | openclaw | 3.8 |
| HIGH | CVE-2026-53812 | OpenClaw: SSRF bypasses private-network access controls | openclaw | 7.7 |
| HIGH | CVE-2026-53807 | OpenClaw: auth bypass allows unauthorized command execution | OpenClaw | 8.8 |
| HIGH | CVE-2026-53806 | OpenClaw: shell flag bypass enables RCE in agent exec | openclaw | 8.8 |
| HIGH | CVE-2026-53813 | OpenClaw: path traversal enables RCE via memory-core artifacts | openclaw | 7.8 |
| HIGH | CVE-2026-53810 | OpenClaw: extension metadata bypass enables agent RCE | openclaw | 8.8 |
| MEDIUM | CVE-2026-53808 | OpenClaw: approval bypass enables unauthorized skill changes | OpenClaw | 6.5 |
| HIGH | CVE-2026-53819 | OpenClaw: RCE via workspace .env executable override | openclaw | 8.8 |
| HIGH | CVE-2026-53816 | OpenClaw: node event forgery bypasses exec authorization | openclaw | 7.2 |
| MEDIUM | CVE-2026-53815 | OpenClaw: auth bypass exposes restricted channel messages | openclaw | 6.5 |
| HIGH | CVE-2026-53814 | OpenClaw: privilege escalation via hook-triggered MCP scope | openclaw | 8.3 |
| HIGH | CVE-2026-53817 | OpenClaw: locality spoof yields durable admin credentials | openclaw | 8.8 |
| MEDIUM | CVE-2026-53818 | OpenClaw: MCP loopback auth bypass enables policy evasion | openclaw | 6.6 |
| MEDIUM | CVE-2026-10548 | hermes-agent: auth bypass exposes Anthropic API credentials | 5.3 |