Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-56348 | n8n: SSRF bypasses allowlist, exfiltrates credentials | n8n | 9.1 |
| MEDIUM | CVE-2026-56357 | n8n: webhook forgery enables unauthorized workflow execution | n8n | 4.0 |
| HIGH | CVE-2025-71337 | Flowise: account takeover via unverified email change | Flowise | 8.3 |
| UNKNOWN | CVE-2026-56275 | Flowise: SSRF bypasses security check in Execute Flow | Flowise | - |
| CRITICAL | CVE-2026-56274 | Flowise: RCE via MCP server command validation bypass | Flowise | 9.9 |
| MEDIUM | CVE-2026-22168 | OpenClaw: cmd.exe argument smuggling evades approval log | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-22169 | OpenClaw: safeBins allowlist bypass enables command exec | OpenClaw | 6.7 |
| MEDIUM | CVE-2026-22174 | OpenClaw: local token leak via CDP probe hijack | OpenClaw | 6.8 |
| HIGH | CVE-2026-22175 | OpenClaw: allowlist bypass lets agents run any command | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-22170 | OpenClaw: empty allowlist bypasses BlueBubbles DM auth | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-22180 | OpenClaw: path traversal enables arbitrary file writes | OpenClaw | 5.3 |
| HIGH | CVE-2026-22179 | OpenClaw: allowlist bypass enables arbitrary OS command exec | OpenClaw | 7.2 |
| MEDIUM | CVE-2026-22176 | OpenClaw: cmd injection in Windows task script generation | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-22178 | OpenClaw: ReDoS via Feishu mention metadata | OpenClaw | 6.5 |
| HIGH | CVE-2026-22171 | OpenClaw: path traversal allows arbitrary file write | OpenClaw | 8.2 |
| MEDIUM | CVE-2026-22217 | OpenClaw: $SHELL env hijack enables arbitrary code execution | OpenClaw | 6.1 |
| HIGH | CVE-2026-22181 | OpenClaw: SSRF guard bypass exposes internal services | OpenClaw | 7.6 |
| MEDIUM | CVE-2026-27183 | OpenClaw: shell allowlist bypass via dispatch wrapper depth | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-27522 | OpenClaw: path traversal enables arbitrary file read via media actions | OpenClaw | 6.5 |
| HIGH | CVE-2026-27566 | OpenClaw: allowlist bypass enables arbitrary OS command exec | OpenClaw | 7.1 |