Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-59257 | n8n: SQL injection via MySQL v1 node expressions | n8n | 8.8 |
| MEDIUM | CVE-2026-56273 | Flowise: path traversal in vector store basePath | flowise | 6.5 |
| MEDIUM | CVE-2026-59261 | OpenClaw: dotenv override leaks provider credentials | openclaw | 6.5 |
| UNKNOWN | CVE-2026-59822 | LiteLLM: MCP auth bypass via fabricated OAuth header | litellm | - |
| HIGH | CVE-2026-49471 | Serena: unauth dashboard API enables RCE via memory poisoning | serena-agent | 8.3 |
| HIGH | CVE-2026-59723 | Cline: missing Origin check on Hub enables RCE | cline | 8.8 |
| HIGH | GHSA-52vm-mxx8-f227 | Phantom MCP: unconfined output path enables file write | 7.7 | |
| MEDIUM | CVE-2026-48737 | pyload-ng: IPv6 SSRF bypass evades internal-IP guard | pyload-ng | 4.9 |
| MEDIUM | CVE-2026-59207 | n8n: MCP tool bypasses credential domain allowlist | n8n | 6.5 |
| HIGH | CVE-2026-59206 | n8n: prototype pollution lets guests hit admin APIs | n8n | 7.1 |
| MEDIUM | CVE-2026-59208 | n8n: multi-issuer JWT sub collision bypasses auth | n8n | 6.8 |
| UNKNOWN | CVE-2026-59209 | n8n: editor-level access leaks credential headers | n8n | - |
| MEDIUM | CVE-2026-15193 | OpenClaw Android: command injection via WebView bridge | 5.3 | |
| HIGH | CVE-2026-59214 | Open WebUI: Pyodide sandbox bypass reaches admin RCE | open-webui | 7.3 |
| LOW | CVE-2026-59226 | Open WebUI: deactivated users retain automation access | open-webui | 3.1 |
| HIGH | CVE-2026-59216 | Open WebUI: session hijack enables cross-user code exec | open-webui | 7.7 |
| MEDIUM | CVE-2026-59222 | Open WebUI: channel IDOR leaks tool-server API keys | open-webui | - |
| MEDIUM | CVE-2026-60086 | PraisonAI: injection filter bypass at HIGH threat level | praisonai | 5.3 |
| MEDIUM | CVE-2026-56354 | n8n: stored XSS + phishing redirect in Form Node | n8n | 4.1 |
| UNKNOWN | CVE-2026-58661 | n8n: disk exhaustion via data-table upload quota gap | n8n | - |