Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-43570 | OpenClaw: symlink traversal exposes host filesystem | openclaw | 6.5 |
| MEDIUM | CVE-2026-42282 | n8n-MCP: credential logging exposes OAuth tokens in HTTP mode | 4.3 | |
| CRITICAL | CVE-2026-44336 | PraisonAI: MCP path traversal escalates to full RCE | PraisonAI | 9.6 |
| CRITICAL | CVE-2026-43995 | Flowise: SSRF in agent tools bypasses security wrapper | flowise | 9.8 |
| CRITICAL | CVE-2026-42074 | openclaude: sandbox bypass allows host-level RCE | openclaude | - |
| HIGH | CVE-2026-44246 | nnU-Net: prompt injection hijacks CI/CD triage agent | claude-code | 7.2 |
| HIGH | CVE-2026-45136 | claude-code-cache-fix: hook path injection → RCE | claude-code-cache-fix | - |
| HIGH | GHSA-m99r-2hxc-cp3q | Flowise MCP: 3-path blocklist bypass enables server RCE | flowise-components | - |
| MEDIUM | CVE-2026-44899 | mistune: CSS injection enables phishing UI overlay | mistune | 4.7 |
| CRITICAL | CVE-2026-44791 | n8n: XML node patch bypass enables host RCE | n8n | 9.9 |
| HIGH | CVE-2026-44790 | n8n: Git node arg injection enables full server compromise | n8n | 8.8 |
| CRITICAL | CVE-2026-44789 | n8n: prototype pollution in HTTP node enables RCE | n8n | 9.9 |
| HIGH | CVE-2026-45370 | utcp-cli: env leak exfiltrates all agent process secrets | utcp-cli | 7.7 |
| HIGH | CVE-2026-45350 | open-webui: missing authz allows admin tool hijacking | open-webui | 7.1 |
| CRITICAL | CVE-2026-45311 | deepseek-tui: prompt injection enables zero-approval RCE | deepseek-tui | 9.6 |
| HIGH | CVE-2026-45310 | deepseek-tui: SSRF bypass leaks cloud IAM credentials | deepseek-tui | 7.4 |
| MEDIUM | CVE-2026-45582 | n8n-mcp: telemetry leak exposes workflow URL secrets | n8n-mcp | 6.5 |
| HIGH | CVE-2026-45707 | n8n-mcp: tenant isolation bypass, operator RCE risk | n8n-mcp | 8.1 |
| MEDIUM | GHSA-2vx9-7wpg-88jq | n8n: path traversal bypasses file access restriction | n8n | 6.4 |
| HIGH | GHSA-hv85-774v-26fg | auth-fetch-mcp: SSRF + disk-exfil via unvalidated tool URLs | auth-fetch-mcp | 8.2 |