Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| MEDIUM | CVE-2026-6393 | BetterDocs: Auth bypass drains OpenAI API quota | 4.3 | |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | - |
| MEDIUM | GHSA-7jm2-g593-4qrc | openclaw: config guard bypass, persistent settings mutation | openclaw | - |
| MEDIUM | GHSA-qrp5-gfw2-gxv4 | openclaw: tool policy bypass via bundled MCP/LSP tools | openclaw | - |
| LOW | GHSA-c4qg-j8jg-42q5 | openclaw: SSRF in QQBot media upload bypasses validation | openclaw | - |
| MEDIUM | GHSA-mj59-h3q9-ghfh | openclaw: env var injection via MCP stdio config | openclaw | - |
| MEDIUM | GHSA-hxvm-xjvf-93f3 | openclaw: env namespace injection steers agent runtime | openclaw | - |
| MEDIUM | GHSA-72q8-jcmc-97wx | openclaw: DM policy bypass via Feishu card-action callbacks | openclaw | - |
| MEDIUM | GHSA-wg4g-395p-mqv3 | n8n-mcp: credential exposure via HTTP transport logging | n8n-mcp | 4.3 |
| MEDIUM | GHSA-gfg9-5357-hv4c | openclaw: path traversal exposes host files via audio embed | openclaw | - |
| MEDIUM | GHSA-c28g-vh7m-fm7v | openclaw: auth bypass in owner command enforcement | openclaw | - |
| UNKNOWN | CVE-2026-42232 | n8n: XML Node prototype pollution → RCE | n8n | - |
| UNKNOWN | CVE-2026-42231 | n8n: prototype pollution → RCE via Git node SSH | n8n | - |
| UNKNOWN | CVE-2026-42235 | n8n: stored XSS via MCP OAuth steals agent sessions | n8n | - |
| UNKNOWN | CVE-2026-42234 | n8n: Python sandbox escape enables container RCE | n8n | - |
| UNKNOWN | CVE-2026-42228 | n8n: WebSocket auth bypass hijacks AI agent workflows | n8n | - |
| UNKNOWN | CVE-2026-42229 | n8n: SQL injection in SeaTable node leaks restricted rows | n8n | - |
| UNKNOWN | CVE-2026-42237 | n8n: SQL injection in Snowflake/MySQL nodes bypasses fix | n8n | - |
| HIGH | CVE-2026-42449 | n8n-mcp: SSRF bypass via IPv6 leaks API keys | n8n-mcp | 8.5 |