Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-10564 | Langflow: SSRF via RSS/SearXNG exposes cloud IAM creds | langflow | 8.2 |
| CRITICAL | CVE-2026-10134 | Langflow: unauthenticated RCE via tool_code injection | langflow | 10.0 |
| MEDIUM | CVE-2026-10546 | Langflow: SSRF via DNS rebinding in URL component | langflow | 6.5 |
| CRITICAL | CVE-2026-10560 | Langflow: missing auth on build API leaks data, enables DoS | langflow | 9.1 |
| CRITICAL | CVE-2026-7663 | Langflow: auth bypass in MCP transport exposes projects | langflow | 9.8 |
| CRITICAL | CVE-2026-7803 | Langflow: malformed flow nodes enable RCE | langflow | 9.8 |
| CRITICAL | CVE-2026-7871 | Langflow: Redis-access deserialization enables full RCE | langflow | 9.8 |
| CRITICAL | CVE-2026-7873 | Langflow: authenticated RCE enables credential theft | langflow | 9.9 |
| CRITICAL | CVE-2026-7874 | Langflow: weak reversible KDF exposes all stored credentials | langflow | 9.1 |
| CRITICAL | CVE-2026-56278 | Flowise: hardcoded default secret enables session forgery | Flowise | 9.1 |
| UNKNOWN | CVE-2026-56277 | Flowise: wildcard CORS on TTS endpoint abuses creds | Flowise | - |
| MEDIUM | CVE-2026-56350 | n8n: authenticated users can disable SSO enforcement via API | n8n | 6.3 |
| MEDIUM | CVE-2026-56356 | n8n: stored XSS in Chat Trigger Custom CSS field | n8n | 5.4 |
| MEDIUM | CVE-2026-56777 | n8n: AST validator bypass leaks env vars in Python node | n8n | 5.0 |
| HIGH | CVE-2026-13731 | WPBot: unauthenticated stored XSS via chatbot conversation field | wpbot | 7.2 |
| HIGH | CVE-2026-49857 | auth-fetch-mcp: SSRF bypass via IPv6 loopback | auth-fetch-mcp | 7.4 |
| MEDIUM | GHSA-9c3v-684m-579c | OpenClaw: MCP SSE redirect leaks Authorization headers | openclaw | 6.5 |
| CRITICAL | CVE-2026-50027 | mcp-memory-service: auth bypass on document API | mcp-memory-service | 9.8 |
| HIGH | GHSA-2j8v-hwgc-x698 | OpenClaw: TOCTOU in shell wrapper bypasses command allowlist | Openclaw | - |
| MEDIUM | GHSA-qh2f-99mv-mrcf | OpenClaw: exec denylist bypass in bundled MCP loopback | openclaw | - |