Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-33574 | OpenClaw: TOCTOU path traversal enables arbitrary file write | OpenClaw | 6.2 |
| HIGH | CVE-2026-33577 | OpenClaw: scope bypass lets low-priv ops elevate node access | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-34506 | OpenClaw: auth bypass lets any Teams user invoke AI agent | OpenClaw | 4.3 |
| HIGH | CVE-2026-34512 | OpenClaw: improper authz allows admin session kill | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-33581 | OpenClaw: sandbox bypass enables arbitrary file read | OpenClaw | 6.5 |
| HIGH | CVE-2026-34503 | OpenClaw: WebSocket session persists after token revocation | OpenClaw | 8.1 |
| HIGH | CVE-2026-34504 | OpenClaw: SSRF in fal provider exposes internal services | OpenClaw | 8.3 |
| MEDIUM | CVE-2026-34505 | OpenClaw: webhook rate-limit bypass enables brute-force | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35620 | OpenClaw: missing authz enables session policy hijack | OpenClaw | 5.4 |
| MEDIUM | CVE-2026-35619 | OpenClaw: auth bypass exposes AI gateway model metadata | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-35617 | OpenClaw: auth bypass via group policy name collision | OpenClaw | 4.2 |
| MEDIUM | CVE-2026-35618 | OpenClaw: Plivo V2 replay bypass allows unauth actions | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35621 | OpenClaw: privilege escalation via scope bypass in allowlist | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35623 | OpenClaw: Brute-force auth bypass via webhook rate limit miss | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-35624 | OpenClaw: auth bypass exposes protected Talk rooms | OpenClaw | 4.2 |
| MEDIUM | CVE-2026-35627 | OpenClaw: pre-auth DoS via Nostr DM resource exhaustion | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35626 | OpenClaw: unauthenticated DoS via webhook body buffering | OpenClaw | 5.3 |
| HIGH | CVE-2026-35625 | OpenClaw: privilege escalation to RCE via silent reconnect | OpenClaw | 7.8 |
| MEDIUM | CVE-2026-35628 | OpenClaw: webhook brute-force bypasses AI agent auth | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-35622 | OpenClaw: auth bypass in Google Chat webhook | OpenClaw | 5.9 |