Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-53865 | OpenClaw: path traversal enables arbitrary local code exec | openclaw | 7.1 |
| HIGH | CVE-2026-53866 | OpenClaw: allowlist bypass allows unauthorized shell exec | openclaw | 8.1 |
| MEDIUM | CVE-2026-48775 | LangGraph SQLite: deserialization RCE at checkpoint load | langgraph | 6.8 |
| LOW | CVE-2026-54326 | pi-coding-agent: XSS in HTML exports via prompt injection | 2.5 | |
| UNKNOWN | CVE-2026-54304 | n8n: credential exfiltration via SecurityScorecard SSRF node | n8n | - |
| UNKNOWN | CVE-2026-54309 | n8n: MCP browser auth bypass allows full browser takeover | n8n | - |
| UNKNOWN | CVE-2026-54305 | n8n: IDOR enables OAuth credential hijack in agent workflows | n8n | - |
| UNKNOWN | CVE-2026-54307 | n8n: credential hijack via partial authorization bypass | n8n | - |
| MEDIUM | CVE-2026-54314 | n8n: decompression bomb DoS via public webhook | n8n | - |
| MEDIUM | GHSA-h3jj-5f3v-3685 | n8n: read-only users can trigger workflow execution via API | n8n | 6.4 |
| MEDIUM | GHSA-jwm3-qcfw-c5pp | n8n: AST bypass leaks env vars in Python Task Runner | n8n | 5.0 |
| UNKNOWN | CVE-2026-54302 | n8n: stored XSS in Chat Trigger enables session hijack | n8n | - |
| MEDIUM | CVE-2026-54303 | n8n: reflected XSS in trigger nodes enables session hijack | n8n | - |
| UNKNOWN | CVE-2026-54312 | n8n: prototype pollution renders instance non-functional | n8n | - |
| MEDIUM | CVE-2026-48776 | LangGraph SDK: path traversal bypasses proxy-layer authz | langchain-ai | 4.2 |
| MEDIUM | CVE-2026-48782 | pydantic-ai: SSRF IPv6 bypass exposes cloud IAM creds | pydantic-ai | 6.8 |
| MEDIUM | CVE-2026-54016 | Open WebUI: BOLA exposes private knowledge base files | open-webui | 4.3 |
| HIGH | CVE-2026-54012 | Open WebUI: auth bypass enables cross-user file read/delete | open-webui | 7.1 |
| HIGH | CVE-2026-54007 | open-webui: cross-origin postMessage forces model execution | open-webui | - |
| MEDIUM | GHSA-664h-gpgq-h6xx | n8n: viewer role can start/cancel/delete eval workflow runs | n8n | 5.4 |