Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-32065 | OpenClaw: approval bypass enables unauthorized command exec | OpenClaw | 4.8 |
| LOW | CVE-2026-32897 | OpenClaw: auth token leak via prompt hash fallback | OpenClaw | 3.7 |
| HIGH | CVE-2026-32914 | OpenClaw: access control bypass in config/debug handlers | OpenClaw | 8.8 |
| CRITICAL | CVE-2026-32913 | OpenClaw: auth header leak via cross-origin redirect | OpenClaw | 9.3 |
| MEDIUM | CVE-2026-32896 | OpenClaw: auth bypass via webhook passwordless fallback | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-32899 | OpenClaw: sender-policy bypass injects unauthorized agent events | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-32898 | OpenClaw: ACP bypass enables silent tool execution | OpenClaw | 5.4 |
| HIGH | CVE-2026-32915 | OpenClaw: sandbox bypass enables sibling agent hijack | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-32895 | OpenClaw: auth bypass circumvents Slack event allowlists | OpenClaw | 5.4 |
| CRITICAL | CVE-2026-32916 | OpenClaw: auth bypass enables unauth agent execution | OpenClaw | 9.4 |
| CRITICAL | CVE-2026-32922 | OpenClaw: privilege escalation to RCE via token scope bypass | OpenClaw | 9.9 |
| HIGH | CVE-2026-32920 | OpenClaw: workspace plugin auto-load enables RCE | OpenClaw | 8.4 |
| MEDIUM | CVE-2026-32919 | OpenClaw: auth bypass enables unauthorized session reset | OpenClaw | 6.1 |
| HIGH | CVE-2026-32918 | OpenClaw: session sandbox escape exposes cross-agent state | OpenClaw | 8.4 |
| MEDIUM | CVE-2026-32923 | OpenClaw: auth bypass enables Discord reaction context injection | OpenClaw | 5.4 |
| MEDIUM | CVE-2026-32921 | OpenClaw: script approval bypass allows code execution | OpenClaw | 6.3 |
| CRITICAL | CVE-2026-32917 | OpenClaw: RCE via unsanitized iMessage SCP paths | OpenClaw | 9.8 |
| HIGH | CVE-2026-32971 | OpenClaw: approval UI spoofing enables local RCE | OpenClaw | 7.1 |
| CRITICAL | CVE-2026-32924 | OpenClaw: auth bypass via Feishu reaction misclassification | OpenClaw | 9.8 |
| HIGH | CVE-2026-32972 | OpenClaw: auth bypass enables persistent CDP backdoor | OpenClaw | 7.1 |