Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-5jv7-2mjm-h6qj | praisonai: shell allowlist bypass enables OS command injection | praisonai | 8.8 |
| HIGH | GHSA-h2w2-v7j6-xqm4 | praisonai: tool approval bypass executes denied actions | praisonai | 8.8 |
| CRITICAL | GHSA-j4f3-55x4-r6q2 | praisonai: MCP HTTP server unauthenticated tool invocation | praisonai | 9.8 |
| CRITICAL | GHSA-9752-mhqh-h34f | praisonai npm: AgentOS missing auth enables agent abuse | praisonai | 9.4 |
| CRITICAL | GHSA-p69m-4f92-2v84 | praisonai: sandbox escape in codeMode → full host RCE | praisonai | 9.8 |
| HIGH | GHSA-vjv9-7m7j-h833 | praisonai (npm): allowlist bypass enables RCE | praisonai | 8.8 |
| CRITICAL | GHSA-vmmj-pfw7-fjwp | praisonai: sandbox escape gives RCE via codeMode tool | praisonai | 9.9 |
| HIGH | GHSA-gqmf-56h7-rrpf | praisonai: network-isolated sandbox bypass exposes host network | praisonai | 7.6 |
| HIGH | GHSA-4qq2-2j2x-x62c | praisonai: MCP auth bypass exposes agent tools | praisonai | 8.2 |
| MEDIUM | CVE-2026-22551 | @theia/ai-chat: prompt injection exfiltrates workspace secrets | @theia/ai-ide | - |
| HIGH | CVE-2026-44688 | Eclipse Theia: indirect prompt injection → RCE + exfil | @theia/ai-ide | - |
| HIGH | CVE-2026-46580 | Eclipse Theia: workspace prompt injection enables RCE/exfil | @theia/ai-editor | - |
| HIGH | GHSA-fq4x-789w-jg5h | agenticmail: email prompt injection → bypassPermissions RCE | @agenticmail/openclaw | - |
| HIGH | CVE-2026-56075 | PraisonAI: RCE via hardcoded approval_mode bypass | PraisonAI | 8.8 |
| MEDIUM | CVE-2026-56074 | PraisonAI: tool approval bypass enables credential theft | PraisonAI | 5.5 |
| HIGH | CVE-2026-56078 | PraisonAI: path traversal → arbitrary file read/write/RCE | PraisonAI | 8.8 |
| MEDIUM | CVE-2026-56077 | PraisonAI: agent ID collision leaks system prompts | PraisonAI | 6.5 |
| HIGH | CVE-2026-56076 | PraisonAI: CORS bypass enables arbitrary agent execution | PraisonAI | 8.1 |
| HIGH | GHSA-vcv2-r9jh-99m5 | agentic-flow: MCP tool args enable OS command injection RCE | 8.8 | |
| HIGH | CVE-2026-49357 | line-desktop-mcp: unauthenticated HTTP exposes LINE chats | line-desktop-mcp | - |