Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-53812 | OpenClaw: SSRF bypasses private-network access controls | openclaw | 7.7 |
| HIGH | CVE-2026-53810 | OpenClaw: extension metadata bypass enables agent RCE | openclaw | 8.8 |
| MEDIUM | CVE-2026-53808 | OpenClaw: approval bypass enables unauthorized skill changes | OpenClaw | 6.5 |
| HIGH | CVE-2026-53819 | OpenClaw: RCE via workspace .env executable override | openclaw | 8.8 |
| HIGH | CVE-2026-53814 | OpenClaw: privilege escalation via hook-triggered MCP scope | openclaw | 8.3 |
| MEDIUM | CVE-2026-53818 | OpenClaw: MCP loopback auth bypass enables policy evasion | openclaw | 6.6 |
| MEDIUM | CVE-2024-11831 | serialize-javascript: XSS via regex in AI/ML dashboards | odh-kf-notebook-controller-rhel8 | 5.4 |
| HIGH | CVE-2026-48146 | Budibase: SSRF in OAuth2 exposes cloud credentials | @budibase/server | 7.7 |
| MEDIUM | CVE-2026-47345 | typo3/html-sanitizer: XSS bypass via namespace encoding | typo3/html-sanitizer | - |
| MEDIUM | CVE-2026-53820 | OpenClaw: exec denylist bypass via MCP session-spawn | OpenClaw | 6.6 |
| HIGH | CVE-2026-53822 | OpenClaw: TOCTOU command injection bypasses allowlist | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-53824 | OpenClaw: stale slash tokens bypass revocation controls | OpenClaw | 6.5 |
| HIGH | CVE-2026-53831 | OpenClaw: safe-bin allowlist bypass via shell expansion | OpenClaw | 8.3 |
| HIGH | CVE-2026-53829 | OpenClaw: approval truncation bypasses exec oversight | OpenClaw | 8.0 |
| HIGH | CVE-2026-53834 | OpenClaw: auth bypass in QQBot pre-dispatch commands | OpenClaw | 7.5 |
| LOW | CVE-2026-53837 | OpenClaw: DM policy bypass via Mattermost event spoofing | OpenClaw | 3.7 |
| MEDIUM | CVE-2026-54306 | n8n: webhook prototype pollution enables confused deputy | n8n | - |
| HIGH | CVE-2026-54301 | n8n: XSS via CSP bypass steals user sessions | n8n | - |
| MEDIUM | CVE-2026-54308 | n8n: unauthed webhook bypass hijacks AI agent workflows | n8n | - |
| UNKNOWN | CVE-2026-54313 | n8n: MongoDB query injection overwrites arbitrary documents | n8n | - |