Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-32974 | OpenClaw: auth bypass triggers forged webhook tool execution | OpenClaw | 8.6 |
| LOW | CVE-2026-32970 | OpenClaw: credential fallback bypasses local auth boundary | OpenClaw | 2.5 |
| MEDIUM | CVE-2026-32976 | OpenClaw: auth bypass mutates protected agent config | OpenClaw | 6.5 |
| CRITICAL | CVE-2026-32975 | OpenClaw: auth bypass via group name spoofing in agent | OpenClaw | 9.8 |
| CRITICAL | CVE-2026-32973 | OpenClaw: exec allowlist bypass enables RCE | OpenClaw | 9.8 |
| HIGH | CVE-2026-33572 | OpenClaw: insecure transcript files expose agent secrets | OpenClaw | 8.4 |
| HIGH | CVE-2026-32979 | OpenClaw: TOCTOU race enables local code execution | OpenClaw | 7.3 |
| CRITICAL | CVE-2026-32987 | OpenClaw: bootstrap code replay escalates to operator.admin | OpenClaw | 9.8 |
| HIGH | CVE-2026-32978 | OpenClaw: script approval bypass allows RCE | OpenClaw | 8.0 |
| HIGH | CVE-2026-32982 | OpenClaw: Telegram bot token leaked in media fetch errors | OpenClaw | 7.5 |
| HIGH | CVE-2026-32980 | OpenClaw: unauthenticated webhook DoS via body buffering | OpenClaw | 7.5 |
| HIGH | CVE-2026-32988 | OpenClaw: sandbox escape via fs-bridge TOCTOU race | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-32977 | OpenClaw: TOCTOU race condition enables sandbox file escape | OpenClaw | 6.3 |
| CRITICAL | CVE-2026-33579 | OpenClaw: scope bypass escalates low-priv to admin | OpenClaw | 9.9 |
| MEDIUM | CVE-2026-33576 | OpenClaw: pre-auth media fetch enables disk exhaustion DoS | OpenClaw | 6.5 |
| HIGH | CVE-2026-33573 | OpenClaw: workspace boundary bypass, arbitrary exec | OpenClaw | 8.8 |
| HIGH | CVE-2026-33575 | OpenClaw: gateway credential exposed in pairing setup codes | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-33580 | OpenClaw: webhook brute-force enables event forgery | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-33578 | OpenClaw: allowlist bypass exposes AI agents to all users | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-33574 | OpenClaw: TOCTOU path traversal enables arbitrary file write | OpenClaw | 6.2 |