Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-31994 | OpenClaw: cmd injection via scheduled task generation | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31996 | OpenClaw: safeBins bypass allows file read/write | OpenClaw | 4.4 |
| MEDIUM | CVE-2026-32004 | OpenClaw: auth bypass exposes protected channel API | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32008 | OpenClaw: file:// bypass enables local file exfiltration | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32002 | OpenClaw: sandbox bypass exfiltrates files via vision API | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-32003 | OpenClaw: env var injection enables RCE via allowlist bypass | OpenClaw | 6.6 |
| MEDIUM | CVE-2026-32001 | OpenClaw: auth bypass enables unauthorized node role injection | OpenClaw | 5.4 |
| LOW | CVE-2026-32006 | OpenClaw: auth bypass via DM identity confusion in groups | OpenClaw | 3.1 |
| MEDIUM | CVE-2026-32007 | OpenClaw: path traversal enables sandbox file escape | OpenClaw | 6.8 |
| MEDIUM | CVE-2026-32005 | OpenClaw: auth bypass enables AI agent session poisoning | OpenClaw | 6.8 |
| HIGH | CVE-2026-32015 | OpenClaw: PATH hijack bypasses exec allowlist controls | OpenClaw | 7.8 |
| HIGH | CVE-2026-32013 | OpenClaw: symlink traversal enables host file read/write | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-32010 | OpenClaw: safeBins bypass enables arbitrary code execution | OpenClaw | 6.3 |
| MEDIUM | CVE-2026-32009 | OpenClaw: binary hijacking via safeBins path bypass | OpenClaw | 5.7 |
| HIGH | CVE-2026-32011 | OpenClaw: pre-auth webhook DoS exhausts parser resources | OpenClaw | 7.5 |
| HIGH | CVE-2026-32016 | OpenClaw: path bypass allows unauthorized binary execution | OpenClaw | 7.8 |
| HIGH | CVE-2026-32017 | OpenClaw: allowlist bypass enables arbitrary file write | OpenClaw | 7.1 |
| HIGH | CVE-2026-32014 | OpenClaw: metadata spoofing bypasses agent command policies | OpenClaw | 8.0 |
| HIGH | CVE-2026-32019 | OpenClaw: SSRF bypass via incomplete IPv4 range validation | OpenClaw | 7.4 |
| MEDIUM | CVE-2026-32024 | OpenClaw: symlink traversal leaks arbitrary local files | OpenClaw | 5.5 |