Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-53836 | OpenClaw: PowerShell allowlist bypass enables arbitrary RCE | OpenClaw | 8.8 |
| CRITICAL | CVE-2026-53838 | OpenClaw: approval scope bypass via reconnection state | OpenClaw | 9.8 |
| MEDIUM | GHSA-gr75-jv2w-4656 | LangChain: path traversal exposes files outside sandbox | langchain-anthropic | 5.1 |
| MEDIUM | CVE-2026-48520 | Langflow: unauth file read via Shareable Playground | langflow | 6.1 |
| CRITICAL | CVE-2026-48519 | Langflow: unauthenticated RCE via Shareable Playground | langflow | 9.6 |
| HIGH | CVE-2026-33760 | Langflow: IDOR exposes cross-user LLM data and deletion | langflow | 8.8 |
| UNKNOWN | CVE-2026-54311 | n8n: prototype pollution leaks cross-user workflow data | n8n | - |
| MEDIUM | CVE-2026-54306 | n8n: webhook prototype pollution enables confused deputy | n8n | - |
| HIGH | CVE-2026-54301 | n8n: XSS via CSP bypass steals user sessions | n8n | - |
| MEDIUM | CVE-2026-54308 | n8n: unauthed webhook bypass hijacks AI agent workflows | n8n | - |
| HIGH | GHSA-hv7x-3x78-gx53 | n8n: auth bypass lets read-only users execute workflows | n8n | 7.4 |
| UNKNOWN | CVE-2026-54313 | n8n: MongoDB query injection overwrites arbitrary documents | n8n | - |
| UNKNOWN | CVE-2026-54310 | n8n: SQL injection in Postgres nodes, CVSS 9.9 | n8n | - |
| UNKNOWN | CVE-2026-49465 | n8n: Git node path traversal bypasses file sandbox | n8n | - |
| UNKNOWN | CVE-2026-49444 | n8n: Python sandbox escape enables container RCE | n8n | - |
| HIGH | CVE-2026-53840 | OpenClaw: credential exfiltration via MCP header forwarding | openclaw | 7.1 |
| MEDIUM | CVE-2026-53841 | OpenClaw: XSS via unsafe links in exported session HTML | openclaw | 6.1 |
| HIGH | CVE-2026-53842 | OpenClaw: env var injection enables arbitrary code exec | openclaw | 7.1 |
| HIGH | CVE-2026-53843 | OpenClaw: revocation bypass grants node token access | openclaw | 8.8 |
| MEDIUM | CVE-2026-53844 | OpenClaw: auth bypass exposes cross-session agent memory | openclaw | 6.5 |