Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-48146 | Budibase: SSRF in OAuth2 exposes cloud credentials | @budibase/server | 7.7 |
| MEDIUM | CVE-2026-48121 | LangGraph MongoDB: NoSQL injection leaks tenant checkpoints | @langchain/langgraph-checkpoint-mongodb | 6.7 |
| MEDIUM | CVE-2026-53820 | OpenClaw: exec denylist bypass via MCP session-spawn | OpenClaw | 6.6 |
| HIGH | CVE-2026-53822 | OpenClaw: TOCTOU command injection bypasses allowlist | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-53824 | OpenClaw: stale slash tokens bypass revocation controls | OpenClaw | 6.5 |
| HIGH | CVE-2026-53821 | OpenClaw: auth bypass grants admin RPC via WebSocket | OpenClaw | 8.8 |
| HIGH | CVE-2026-53823 | OpenClaw: privilege escalation via Slack display name spoofing | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-53825 | OpenClaw: path traversal exposes local files via wiki ingest | OpenClaw | 6.5 |
| HIGH | CVE-2026-53831 | OpenClaw: safe-bin allowlist bypass via shell expansion | OpenClaw | 8.3 |
| MEDIUM | CVE-2026-53826 | OpenClaw: workspace path leaked from sandboxed sessions | OpenClaw | 4.3 |
| HIGH | CVE-2026-53828 | OpenClaw: auth bypass enables owner command execution | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-53827 | OpenClaw: SSRF leaks Gateway credentials via model metadata | OpenClaw | 6.5 |
| HIGH | CVE-2026-53832 | OpenClaw: identity header spoof grants operator access | OpenClaw | 7.7 |
| HIGH | CVE-2026-53833 | OpenClaw: auth bypass allows agent config mutation | openclaw | 7.7 |
| MEDIUM | CVE-2026-53830 | OpenClaw: stale webhook secrets bypass revocation | OpenClaw | 6.5 |
| HIGH | CVE-2026-53829 | OpenClaw: approval truncation bypasses exec oversight | OpenClaw | 8.0 |
| MEDIUM | CVE-2026-53839 | OpenClaw: hostname prefix bypass leaks auth tokens | OpenClaw | 6.5 |
| HIGH | CVE-2026-53834 | OpenClaw: auth bypass in QQBot pre-dispatch commands | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-53835 | OpenClaw: auth bypass in Feishu agent binding controls | OpenClaw | 4.3 |
| LOW | CVE-2026-53837 | OpenClaw: DM policy bypass via Mattermost event spoofing | OpenClaw | 3.7 |