Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | CVE-2026-32018 | OpenClaw: race condition corrupts sandbox registry state | OpenClaw | 3.6 |
| LOW | CVE-2026-32020 | OpenClaw: symlink traversal enables arbitrary file read | OpenClaw | 3.3 |
| HIGH | CVE-2026-32025 | OpenClaw: WebSocket auth bypass enables agent hijack | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-32022 | OpenClaw: grep safeBins bypass enables arbitrary file read | OpenClaw | 6.5 |
| HIGH | CVE-2026-32023 | OpenClaw: approval gating bypass enables shell execution | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-32021 | OpenClaw: auth bypass via Feishu display name spoofing | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32033 | OpenClaw: path traversal leaks files outside workspace | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32027 | OpenClaw: authorization bypass in group sender allowlist | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32028 | OpenClaw: auth bypass enables unauthorized agent execution | OpenClaw | 5.3 |
| HIGH | CVE-2026-32032 | OpenClaw: SHELL env var injection enables local RCE | OpenClaw | 7.8 |
| MEDIUM | CVE-2026-32029 | OpenClaw: IP spoofing bypasses rate-limiting controls | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-32026 | OpenClaw: sandbox path traversal leaks host temp files | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32031 | OpenClaw: auth bypass in plugin channel gateway | OpenClaw | 4.8 |
| HIGH | CVE-2026-32030 | OpenClaw: path traversal exposes host files via SCP | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-32039 | OpenClaw: auth bypass grants privileged tool access | OpenClaw | 5.9 |
| MEDIUM | CVE-2026-32037 | OpenClaw: SSRF bypass via MSTeams redirect chain | OpenClaw | 6.0 |
| MEDIUM | CVE-2026-32041 | OpenClaw: auth bypass exposes browser-control RCE | OpenClaw | 6.9 |
| MEDIUM | CVE-2026-32040 | OpenClaw: XSS via HTML export mimeType injection | OpenClaw | 4.6 |
| MEDIUM | CVE-2026-32035 | OpenClaw: auth bypass grants owner-level tool access | OpenClaw | 5.9 |
| CRITICAL | CVE-2026-32038 | OpenClaw: sandbox bypass enables container lateral movement | OpenClaw | 9.8 |