Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-53845 | OpenClaw: hook bypass enables audit/policy evasion | openclaw | 4.3 |
| HIGH | CVE-2026-53846 | OpenClaw: path traversal enables arbitrary package-manager exec | openclaw | 7.1 |
| MEDIUM | CVE-2026-53847 | OpenClaw: privilege escalation via write scope bypass | openclaw | 5.4 |
| MEDIUM | CVE-2026-53848 | OpenClaw: exec allowlist bypass via command wrappers | openclaw | 4.3 |
| HIGH | CVE-2026-53849 | OpenClaw: auth bypass via Discord display name spoofing | openclaw | 8.1 |
| MEDIUM | CVE-2026-53850 | OpenClaw: auth bypass allows unauthorized focus state change | openclaw | 5.5 |
| MEDIUM | CVE-2026-53851 | OpenClaw: Slack reaction bypass triggers agent pipeline | openclaw | 5.3 |
| MEDIUM | CVE-2026-53852 | OpenClaw: scope bypass allows unauthorized device access | openclaw | 5.4 |
| HIGH | CVE-2026-53853 | OpenClaw: exec allowlist bypass enables unrestricted RCE | openclaw | 8.3 |
| MEDIUM | CVE-2026-53854 | OpenClaw: privilege escalation via channel auth wildcard | openclaw | 6.5 |
| HIGH | CVE-2026-53855 | OpenClaw: allowlist bypass enables shell code execution | openclaw | 8.1 |
| MEDIUM | CVE-2026-53856 | OpenClaw: insecure permissions expose agent config | openclaw | 5.5 |
| HIGH | CVE-2026-53857 | OpenClaw: display name spoofing bypasses agent allowFrom policy | openclaw | 8.1 |
| HIGH | CVE-2026-53858 | OpenClaw: env var injection loads malicious runtime deps | openclaw | 7.1 |
| MEDIUM | CVE-2026-53859 | OpenClaw: SSRF blocklist bypass via trailing-dot | openclaw | 6.5 |
| MEDIUM | CVE-2026-53860 | OpenClaw: sender allowlist bypass via conversation metadata | openclaw | 4.2 |
| MEDIUM | CVE-2026-53861 | OpenClaw: allowlist bypass enables arbitrary shell exec | openclaw | 6.6 |
| MEDIUM | CVE-2026-53862 | OpenClaw: bootstrap token replay enables scope escalation | openclaw | 4.2 |
| HIGH | CVE-2026-53863 | OpenClaw: access control bypass via unvalidated group ID | openclaw | 7.1 |
| HIGH | CVE-2026-53864 | OpenClaw: env var bypass enables child process code exec | openclaw | 8.1 |