Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-27646 | OpenClaw: sandbox escape via /acp spawn command | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-27524 | OpenClaw: prototype pollution bypasses command gate | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-27545 | OpenClaw: symlink race bypasses agent run approval | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-27523 | OpenClaw: sandbox path traversal bypasses bind isolation | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-27670 | OpenClaw: TOCTOU race enables arbitrary file write in agents | OpenClaw | 5.3 |
| HIGH | CVE-2026-28460 | OpenClaw: allowlist bypass enables OS command execution | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-28449 | OpenClaw: webhook replay triggers duplicate agent actions | OpenClaw | 6.5 |
| HIGH | CVE-2026-28461 | OpenClaw: webhook DoS via memory exhaustion | OpenClaw | 7.5 |
| HIGH | CVE-2026-31989 | OpenClaw: SSRF in citation redirect exposes internal network | OpenClaw | 7.4 |
| MEDIUM | CVE-2026-31990 | OpenClaw: symlink traversal enables arbitrary file write | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-29607 | OpenClaw: auth bypass enables unapproved RCE via wrapper | OpenClaw | 6.8 |
| MEDIUM | CVE-2026-29608 | OpenClaw: argv rewrite bypasses approval, enables RCE | OpenClaw | 6.7 |
| LOW | CVE-2026-31991 | OpenClaw: auth bypass via DM pairing grants group access | OpenClaw | 3.7 |
| HIGH | CVE-2026-31992 | OpenClaw: guardrail allowlist bypass enables arbitrary command execution | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31995 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 5.3 |
| HIGH | CVE-2026-32000 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31993 | OpenClaw: exec approval bypass allows RCE on macOS | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-31997 | OpenClaw: post-approval PATH rebind enables arbitrary RCE | OpenClaw | 6.0 |
| HIGH | CVE-2026-31998 | OpenClaw: auth bypass enables unauthorized agent dispatch | OpenClaw | 8.6 |
| MEDIUM | CVE-2026-31999 | OpenClaw: CWD injection enables integrity loss on Windows | OpenClaw | 6.3 |