Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-33579 | OpenClaw: scope bypass escalates low-priv to admin | OpenClaw | 9.9 |
| MEDIUM | CVE-2026-33578 | OpenClaw: allowlist bypass exposes AI agents to all users | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-33574 | OpenClaw: TOCTOU path traversal enables arbitrary file write | OpenClaw | 6.2 |
| MEDIUM | CVE-2026-34506 | OpenClaw: auth bypass lets any Teams user invoke AI agent | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-33581 | OpenClaw: sandbox bypass enables arbitrary file read | OpenClaw | 6.5 |
| HIGH | CVE-2026-34504 | OpenClaw: SSRF in fal provider exposes internal services | OpenClaw | 8.3 |
| MEDIUM | CVE-2026-35623 | OpenClaw: Brute-force auth bypass via webhook rate limit miss | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-35622 | OpenClaw: auth bypass in Google Chat webhook | OpenClaw | 5.9 |
| MEDIUM | CVE-2026-35634 | OpenClaw: auth bypass grants unauthenticated Canvas access | OpenClaw | 5.1 |
| MEDIUM | CVE-2026-35631 | OpenClaw: auth bypass on ACP mutating commands | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35635 | OpenClaw: webhook route hijack bypasses DM access controls | OpenClaw | 4.8 |
| HIGH | CVE-2026-35645 | OpenClaw: privilege escalation via synthetic admin session scope | OpenClaw | 8.1 |
| HIGH | CVE-2026-35643 | OpenClaw: WebView bridge injection enables Android RCE | OpenClaw | 8.8 |
| HIGH | CVE-2026-35641 | OpenClaw: RCE via .npmrc override in plugin install | OpenClaw | 7.8 |
| MEDIUM | CVE-2026-35654 | OpenClaw: auth bypass on Teams feedback invoke | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-35649 | OpenClaw: access control bypass via allowlist reconciliation | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35658 | OpenClaw: sandbox bypass exposes host filesystem reads | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35655 | OpenClaw: identity spoofing bypasses agent safety checks | OpenClaw | 5.7 |
| HIGH | CVE-2026-35669 | OpenClaw: privilege escalation via plugin scope bypass | OpenClaw | 8.8 |
| HIGH | CVE-2026-35666 | OpenClaw: allowlist bypass enables arbitrary command exec | OpenClaw | 8.8 |