Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-cqwv-9qjx-vxw2 | OpenClaw: agent tool call bypasses skill approval gate | openclaw | 5.3 |
| HIGH | GHSA-jvm4-4j77-39p6 | OpenClaw: QQBot command bypasses config allowlist | openclaw | - |
| HIGH | GHSA-83w9-h5wv-j9xm | OpenClaw: TOCTOU race bypasses node approval scope | openclaw | - |
| MEDIUM | GHSA-wv26-j37q-2g7p | OpenClaw: exec approver can bypass plugin approval gate | openclaw | - |
| MEDIUM | GHSA-p2fh-f5fc-44hr | OpenClaw: memory-wiki ingest reads arbitrary local files | openclaw | 6.5 |
| HIGH | GHSA-hw9r-h9mr-4jff | OpenClaw: chat.send routing bypasses admin auth scopes | openclaw | 8.8 |
| HIGH | GHSA-mhq8-78pj-5j79 | OpenClaw: safe-bin bypass exposes node-local files | openclaw | 7.1 |
| HIGH | GHSA-mgq6-vr84-7m2j | OpenClaw: QQBot approval button auth bypass | openclaw | 8.0 |
| HIGH | GHSA-rggc-m335-3wvj | OpenClaw: forged identity headers bypass proxy auth | openclaw | - |
| HIGH | CVE-2025-71380 | n8n: authenticated RCE via Execute Command node | n8n | 8.8 |
| LOW | CVE-2026-14630 | AI-fundermentals: weak hash exposes chat session data | 3.1 | |
| LOW | CVE-2026-14742 | LangGraph: weak hash in task cache risks poisoning | langgraph | 3.1 |
| MEDIUM | CVE-2026-59152 | LangSmith SDK: arbitrary file read via TracingMiddleware | langsmith-sdk | 5.0 |
| MEDIUM | CVE-2026-14898 | OpenAI Codex: prompt injection exfils data via images | 6.5 | |
| UNKNOWN | CVE-2026-55615 | Langroid: unvalidated LLM Cypher enables graph RCE | langroid | - |
| HIGH | CVE-2026-54771 | Langroid: auth bypass invokes disabled tools via raw JSON | langroid | 8.1 |
| CRITICAL | CVE-2026-54769 | Langroid: prompt injection to RCE via broken eval() sandbox | langroid | 10.0 |
| UNKNOWN | CVE-2026-54760 | Langroid: SQLChatAgent regex bypass exposes pg_read_file | langroid | - |
| MEDIUM | CVE-2026-55437 | Coder: stored XSS in agent logs risks admin session | github.com/coder/coder/v2 | 5.4 |
| HIGH | CVE-2026-55436 | Coder AI Bridge Proxy: TLS bypass leaks BYOK keys | github.com/coder/coder/v2 | 7.4 |