Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-55450 | Langflow: unauthenticated upload → DoS + path disclosure | langflow | 9.3 |
| HIGH | CVE-2026-54017 | open-webui: double-encoded path traversal in terminal proxy | open-webui | 7.7 |
| MEDIUM | GHSA-2fjj-qqg8-fg7x | praisonai-platform: cross-tenant IDOR poisons project stats | praisonai-platform | 4.3 |
| CRITICAL | GHSA-cwj8-7gp2-ggcw | praisonai-platform: hardcoded JWT secret enables full auth bypass | praisonai-platform | 9.8 |
| HIGH | GHSA-6jcq-6546-qrrw | PraisonAI: sandbox escape via silent Landlock fallback | praisonaiagents | 8.8 |
| HIGH | GHSA-8ccj-p46r-jwqq | PraisonAI: auth bypass exposes full agent invocation API | praisonai | 8.2 |
| HIGH | GHSA-4pcv-mg8v-vrgf | praisonaiagents: SSRF + prompt injection, IAM cred exposure | praisonaiagents | 8.8 |
| CRITICAL | GHSA-f38v-77qj-h4jq | praisonai-platform: hardcoded JWT secret enables full auth bypass | praisonai-platform | 9.8 |
| CRITICAL | GHSA-29w3-p9w9-wc47 | PraisonAI: multiedit path traversal, arbitrary file R/W | praisonai | 9.1 |
| HIGH | GHSA-jxcw-qp4h-6jfq | praisonai: incomplete auth fix exposes A2U agent streams | praisonai | 7.5 |
| HIGH | GHSA-7qw2-w5rc-37x2 | PraisonAI: workflow policy bypass enables shell RCE | praisonaiagents | 7.8 |
| HIGH | GHSA-c969-5x3p-vq3v | praisonaiagents: IMAP injection via prompt → email exfil | praisonaiagents | 8.1 |
| HIGH | GHSA-f44v-7qgw-9gh9 | PraisonAI: path traversal enables arbitrary write/delete | praisonai | 8.1 |
| HIGH | GHSA-gcq3-mfvh-3x25 | PraisonAI: workspace bypass allows arbitrary file read/write | praisonai | 7.3 |
| CRITICAL | GHSA-p75f-6fp4-p57w | PraisonAI: unauthenticated RCE via MCP connect endpoint | praisonai | 9.8 |
| HIGH | GHSA-x92v-rpx6-p6cw | PraisonAI: webhook auth bypass enables agent prompt injection | praisonai | 8.6 |
| HIGH | GHSA-rh39-9c67-59mh | PraisonAI: member role can delete all workspace resources | praisonai-platform | 8.1 |
| CRITICAL | GHSA-892r-p3jq-jp24 | PraisonAI AgentOS: unauth remote agent invocation (CVSS 9.8) | praisonai | 9.8 |
| CRITICAL | GHSA-x8cv-xmq7-p8xp | praisonaiagents: unauth AgentTeam API allows agent takeover | praisonaiagents | 9.8 |
| HIGH | GHSA-rjvw-7vvw-549v | PraisonAI: DNS rebinding bypasses webhook SSRF guard | praisonai | 7.2 |