Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-28449 | OpenClaw: webhook replay triggers duplicate agent actions | OpenClaw | 6.5 |
| HIGH | CVE-2026-31989 | OpenClaw: SSRF in citation redirect exposes internal network | OpenClaw | 7.4 |
| MEDIUM | CVE-2026-29607 | OpenClaw: auth bypass enables unapproved RCE via wrapper | OpenClaw | 6.8 |
| MEDIUM | CVE-2026-29608 | OpenClaw: argv rewrite bypasses approval, enables RCE | OpenClaw | 6.7 |
| MEDIUM | CVE-2026-31995 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 5.3 |
| HIGH | CVE-2026-32000 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31993 | OpenClaw: exec approval bypass allows RCE on macOS | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-31997 | OpenClaw: post-approval PATH rebind enables arbitrary RCE | OpenClaw | 6.0 |
| HIGH | CVE-2026-31998 | OpenClaw: auth bypass enables unauthorized agent dispatch | OpenClaw | 8.6 |
| MEDIUM | CVE-2026-31996 | OpenClaw: safeBins bypass allows file read/write | OpenClaw | 4.4 |
| MEDIUM | CVE-2026-32004 | OpenClaw: auth bypass exposes protected channel API | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32008 | OpenClaw: file:// bypass enables local file exfiltration | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32002 | OpenClaw: sandbox bypass exfiltrates files via vision API | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-32003 | OpenClaw: env var injection enables RCE via allowlist bypass | OpenClaw | 6.6 |
| MEDIUM | CVE-2026-32007 | OpenClaw: path traversal enables sandbox file escape | OpenClaw | 6.8 |
| HIGH | CVE-2026-32015 | OpenClaw: PATH hijack bypasses exec allowlist controls | OpenClaw | 7.8 |
| HIGH | CVE-2026-32013 | OpenClaw: symlink traversal enables host file read/write | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-32009 | OpenClaw: binary hijacking via safeBins path bypass | OpenClaw | 5.7 |
| HIGH | CVE-2026-32017 | OpenClaw: allowlist bypass enables arbitrary file write | OpenClaw | 7.1 |
| HIGH | CVE-2026-32019 | OpenClaw: SSRF bypass via incomplete IPv4 range validation | OpenClaw | 7.4 |