Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-55435 | Coder AI Bridge: suspended user auth bypass | github.com/coder/coder/v2 | 5.4 |
| MEDIUM | CVE-2026-55433 | Coder: missing ActionUpdate check allows devcontainer wipe | github.com/coder/coder/v2 | 5.4 |
| MEDIUM | CVE-2026-55432 | Coder: sub-agent apps bypass org port-sharing policy | github.com/coder/coder/v2 | 5.4 |
| HIGH | CVE-2026-55431 | Coder: session token leak via workspace app URL | github.com/coder/coder/v2 | 7.7 |
| MEDIUM | CVE-2026-55430 | Coder: X-Forwarded-Host spoof leaks victim app data | github.com/coder/coder/v2 | 5.8 |
| HIGH | CVE-2026-55428 | Coder: agent IP spoofing hijacks workspace traffic | github.com/coder/coder/v2 | 8.2 |
| HIGH | CVE-2026-55429 | Coder: cross-workspace agent hijack via app ID reuse | github.com/coder/coder/v2 | 8.7 |
| MEDIUM | CVE-2026-55079 | Coder: unbounded FileSize crashes coderd via OOM | github.com/coder/coder/v2 | 4.9 |
| HIGH | CVE-2026-55427 | Coder: SSH config injection via config-ssh enables RCE | github.com/coder/coder/v2 | 8.3 |
| HIGH | CVE-2026-55077 | Coder: user-admin can hijack owner accounts | github.com/coder/coder/v2 | 7.2 |
| HIGH | CVE-2026-55075 | Coder: OIDC auth bypass enables account takeover | github.com/coder/coder/v2 | 7.4 |
| HIGH | CVE-2026-55076 | Coder: OIDC type-confusion enables account takeover | github.com/coder/coder/v2 | 7.4 |
| HIGH | CVE-2026-53518 | better-auth: race condition mints duplicate OAuth tokens | 8.1 | |
| CRITICAL | CVE-2026-59706 | mem0: unauth config API leaks API keys + SSRF | 9.3 | |
| MEDIUM | CVE-2026-56359 | n8n: XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | CVE-2026-56360 | n8n: unsigned Zendesk webhook allows workflow forgery | n8n | 4.0 |
| MEDIUM | CVE-2026-56775 | n8n: viewer role bypasses RBAC on eval test runs | n8n | 5.4 |
| HIGH | CVE-2026-56776 | n8n: workflow:read scope bypass triggers execution | n8n | 7.4 |
| MEDIUM | CVE-2026-56778 | n8n: workflow:read scope triggers executions via API | n8n | 6.4 |
| MEDIUM | CVE-2026-59253 | n8n: auth bypass moves workflows across project folders | n8n | 5.0 |