Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-32036 | OpenClaw: auth bypass via encoded path traversal in gateway | OpenClaw | 6.5 |
| HIGH | CVE-2026-32034 | OpenClaw: auth bypass enables high-privilege agent control | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-32043 | OpenClaw: TOCTOU symlink bypasses command approval guard | OpenClaw | 6.5 |
| LOW | CVE-2026-32050 | OpenClaw: auth bypass allows unauthorized status event injection | OpenClaw | 3.7 |
| MEDIUM | CVE-2026-32045 | OpenClaw: auth bypass exposes HTTP gateway routes | OpenClaw | 5.9 |
| HIGH | CVE-2026-32049 | OpenClaw: media limit bypass enables memory exhaustion DoS | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-32044 | OpenClaw: archive safety bypass causes DoS in skill install | OpenClaw | 5.5 |
| HIGH | CVE-2026-32048 | OpenClaw: sandbox escape via cross-agent spawn bypass | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-32046 | OpenClaw: sandbox bypass enables host code execution | OpenClaw | 5.3 |
| HIGH | CVE-2026-32042 | OpenClaw: privilege escalation via unpaired device identity | OpenClaw | 8.8 |
| HIGH | CVE-2026-32055 | OpenClaw: path traversal enables arbitrary file write | OpenClaw | 7.6 |
| LOW | CVE-2026-32058 | OpenClaw: approval bypass enables unauthorized agent execution | OpenClaw | 2.6 |
| HIGH | CVE-2026-32051 | OpenClaw: auth bypass lets operators invoke owner control-plane | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-32052 | OpenClaw: command injection via shell-wrapper argv bypass | OpenClaw | 6.4 |
| HIGH | CVE-2026-32056 | OpenClaw: RCE via shell env var injection in system.run | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-32054 | OpenClaw: symlink traversal enables arbitrary file overwrite | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32053 | OpenClaw: webhook replay bypass corrupts agent call state | OpenClaw | 6.5 |
| HIGH | CVE-2026-32057 | OpenClaw: auth bypass grants unauthorized agent control access | OpenClaw | 7.1 |
| HIGH | CVE-2026-32064 | OpenClaw: unauthenticated VNC access in AI sandbox | OpenClaw | 7.7 |
| LOW | CVE-2026-32067 | OpenClaw: auth bypass enables cross-account pairing reuse | OpenClaw | 3.7 |