Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | CVE-2026-32020 | OpenClaw: symlink traversal enables arbitrary file read | OpenClaw | 3.3 |
| MEDIUM | CVE-2026-32022 | OpenClaw: grep safeBins bypass enables arbitrary file read | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32033 | OpenClaw: path traversal leaks files outside workspace | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32028 | OpenClaw: auth bypass enables unauthorized agent execution | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-32026 | OpenClaw: sandbox path traversal leaks host temp files | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32031 | OpenClaw: auth bypass in plugin channel gateway | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-32039 | OpenClaw: auth bypass grants privileged tool access | OpenClaw | 5.9 |
| MEDIUM | CVE-2026-32036 | OpenClaw: auth bypass via encoded path traversal in gateway | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32044 | OpenClaw: archive safety bypass causes DoS in skill install | OpenClaw | 5.5 |
| MEDIUM | CVE-2026-32046 | OpenClaw: sandbox bypass enables host code execution | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-32052 | OpenClaw: command injection via shell-wrapper argv bypass | OpenClaw | 6.4 |
| HIGH | CVE-2026-32056 | OpenClaw: RCE via shell env var injection in system.run | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-32896 | OpenClaw: auth bypass via webhook passwordless fallback | OpenClaw | 4.8 |
| CRITICAL | CVE-2026-32916 | OpenClaw: auth bypass enables unauth agent execution | OpenClaw | 9.4 |
| HIGH | CVE-2026-32920 | OpenClaw: workspace plugin auto-load enables RCE | OpenClaw | 8.4 |
| MEDIUM | CVE-2026-32923 | OpenClaw: auth bypass enables Discord reaction context injection | OpenClaw | 5.4 |
| MEDIUM | CVE-2026-32921 | OpenClaw: script approval bypass allows code execution | OpenClaw | 6.3 |
| HIGH | CVE-2026-32972 | OpenClaw: auth bypass enables persistent CDP backdoor | OpenClaw | 7.1 |
| HIGH | CVE-2026-32974 | OpenClaw: auth bypass triggers forged webhook tool execution | OpenClaw | 8.6 |
| HIGH | CVE-2026-32978 | OpenClaw: script approval bypass allows RCE | OpenClaw | 8.0 |