Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-xww8-gqvh-92x9 | OpenClaw: truncated approval UI masks exec payload | openclaw | 8.0 |
| MEDIUM | CVE-2026-58653 | PraisonAI: IDOR cross-tenant data pollution | praisonai | 4.3 |
| HIGH | CVE-2026-50180 | langroid: SQL blocklist bypass leaks Postgres files | langroid | - |
| HIGH | CVE-2026-50181 | Langroid: path traversal escapes sandboxed file tools | langroid | 7.1 |
| HIGH | GHSA-p73f-w79w-jqr5 | OpenClaw: owner-command auth bypass via native cmds | openclaw | - |
| HIGH | GHSA-j472-gf56-x589 | OpenClaw: PowerShell alias bypasses exec allowlist | openclaw | - |
| HIGH | GHSA-77q5-rr5v-x43q | OpenClaw: retry hostname check leaks auth material | openclaw | - |
| HIGH | GHSA-w5ww-7chg-mxcq | OpenClaw: Telegram callback bypasses sender allowlist | openclaw | - |
| MEDIUM | GHSA-4m3v-q747-pc6h | OpenClaw: slash token revocation lag allows reuse | openclaw | - |
| MEDIUM | GHSA-275c-xpvc-jgfw | OpenClaw: Slack/Zalo webhook secrets outlive rotation | openclaw | - |
| LOW | GHSA-3wqp-prf6-2m72 | OpenClaw: Feishu agent-binding auth bypass | openclaw | 3.1 |
| MEDIUM | GHSA-6c4r-g249-wv3c | OpenClaw: sandbox leaks host workspace path to child | openclaw | - |
| MEDIUM | GHSA-77pv-3w4q-vrj5 | OpenClaw: QQBot slash commands bypass allowFrom auth | openclaw | - |
| HIGH | GHSA-xr4f-mjxj-w6w5 | OpenClaw: chat auth bypass enables device pairing hijack | openclaw | 8.3 |
| MEDIUM | GHSA-hcm3-8f6r-6xwg | OpenClaw: missing authz reuses blocked SSRF tabs | openclaw | 6.5 |
| MEDIUM | GHSA-grc3-2j34-p6gm | OpenClaw: action forwarding leaks Gateway credentials | openclaw | - |
| CRITICAL | GHSA-w4v6-g3wm-w36c | OpenClaw: QQBot admin auth bypass skips access checks | openclaw | - |
| MEDIUM | GHSA-gp79-m99v-gjmh | OpenClaw: fail-open bypasses Mattermost DM channel policy | openclaw | - |
| HIGH | GHSA-qjpc-qf9m-xwmr | OpenClaw: WebSocket scope bypass grants admin authority | openclaw | 8.8 |
| HIGH | GHSA-c29c-2q9c-pc86 | OpenClaw: Slack allowFrom bypass via display-name spoof | openclaw | - |