Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-35647 | OpenClaw: access control bypass allows DM policy evasion | OpenClaw | 5.3 |
| HIGH | CVE-2026-35650 | OpenClaw: env var override bypass enables code execution | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-35658 | OpenClaw: sandbox bypass exposes host filesystem reads | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35659 | OpenClaw: DNS-SD metadata hijacks CLI routing | OpenClaw | 4.6 |
| MEDIUM | CVE-2026-35655 | OpenClaw: identity spoofing bypasses agent safety checks | OpenClaw | 5.7 |
| HIGH | CVE-2026-35660 | OpenClaw: auth bypass allows admin session hijacking | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-35656 | OpenClaw: auth bypass via X-Forwarded-For spoofing | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35662 | OpenClaw: missing auth enables agent scope bypass | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-35661 | OpenClaw: auth bypass mutates AI agent session state | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-35670 | OpenClaw: webhook rebinding exposes user data | OpenClaw | 5.9 |
| MEDIUM | CVE-2026-35665 | OpenClaw: pre-auth resource exhaustion via Feishu webhook DoS | OpenClaw | 5.3 |
| HIGH | CVE-2026-35663 | OpenClaw: privilege escalation to admin via backend reconnect | OpenClaw | 8.8 |
| HIGH | CVE-2026-35669 | OpenClaw: privilege escalation via plugin scope bypass | OpenClaw | 8.8 |
| HIGH | CVE-2026-35666 | OpenClaw: allowlist bypass enables arbitrary command exec | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-35664 | OpenClaw: auth bypass enables unauthorized callback injection | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-35667 | OpenClaw: SIGKILL bypass skips security-sensitive cleanup | OpenClaw | 6.1 |
| HIGH | CVE-2026-35668 | OpenClaw: sandbox path traversal exposes agent secrets | OpenClaw | 7.7 |
| MEDIUM | CVE-2026-40037 | OpenClaw: request body replay leaks credentials via redirect | OpenClaw | 6.5 |
| HIGH | CVE-2026-54320 | Daytona: email bypass grants unauthorized org Owner access | 8.4 | |
| HIGH | CVE-2026-55249 | @rtk-ai/rtk-rewrite: RCE via shell injection in exec tool | openclaw | 8.8 |