Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-35622 | OpenClaw: auth bypass in Google Chat webhook | OpenClaw | 5.9 |
| HIGH | CVE-2026-35638 | OpenClaw: priv escalation via trusted-proxy scope bypass | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-35634 | OpenClaw: auth bypass grants unauthenticated Canvas access | OpenClaw | 5.1 |
| HIGH | CVE-2026-35632 | OpenClaw: symlink traversal enables RCE via agent config | OpenClaw | 7.1 |
| HIGH | CVE-2026-35637 | OpenClaw: auth bypass via premature cite expansion | OpenClaw | 7.3 |
| MEDIUM | CVE-2026-35631 | OpenClaw: auth bypass on ACP mutating commands | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35635 | OpenClaw: webhook route hijack bypasses DM access controls | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-35633 | OpenClaw: unbounded memory alloc DoS via crafted HTTP errors | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-35636 | OpenClaw: session isolation bypass exposes parent sessions | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35644 | OpenClaw: credential exposure via gateway channel URLs | OpenClaw | 6.5 |
| HIGH | CVE-2026-35639 | OpenClaw: scope bypass enables admin RCE via device pairing | OpenClaw | 8.8 |
| HIGH | CVE-2026-35645 | OpenClaw: privilege escalation via synthetic admin session scope | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-35642 | OpenClaw: auth bypass injects restricted agent events | OpenClaw | 4.3 |
| HIGH | CVE-2026-35643 | OpenClaw: WebView bridge injection enables Android RCE | OpenClaw | 8.8 |
| HIGH | CVE-2026-35641 | OpenClaw: RCE via .npmrc override in plugin install | OpenClaw | 7.8 |
| LOW | CVE-2026-35648 | OpenClaw: policy bypass via stale queued node actions | OpenClaw | 3.7 |
| HIGH | CVE-2026-35653 | OpenClaw: auth bypass enables agent profile destruction | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-35652 | OpenClaw: auth bypass enables unauthorized action execution | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35654 | OpenClaw: auth bypass on Teams feedback invoke | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-35649 | OpenClaw: access control bypass via allowlist reconciliation | OpenClaw | 6.5 |