Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-3fv3-6p2v-gxwj | openclaw: SSRF bypass in QQ Bot media fetch paths | openclaw | - |
| HIGH | GHSA-5wj5-87vq-39xm | openclaw: auth bypass enables exec escalation on reconnect | openclaw | - |
| MEDIUM | GHSA-cmfr-9m2r-xwhq | OpenClaw: auth bypass enables persistent browser profile mutation | openclaw | - |
| MEDIUM | GHSA-qqq7-4hxc-x63c | openclaw: local file exfiltration via trusted MEDIA refs | openclaw | - |
| LOW | GHSA-cm8v-2vh9-cxf3 | openclaw: git env var injection enables host redirect | openclaw | - |
| MEDIUM | CVE-2026-40117 | PraisonAI: arbitrary file read via unguarded skill tool | praisonaiagents | 6.2 |
| HIGH | CVE-2026-40150 | PraisonAIAgents: SSRF exposes cloud metadata via web_crawl | praisonaiagents | 7.7 |
| MEDIUM | CVE-2026-35651 | OpenClaw: ANSI injection spoof AI agent approval prompts | openclaw | 4.3 |
| CRITICAL | GHSA-8x8f-54wf-vv92 | PraisonAI: auth bypass enables browser session hijack | PraisonAI | 9.1 |
| HIGH | GHSA-g985-wjh9-qxxc | PraisonAI: untrusted tools.py import enables RCE | PraisonAI | 8.4 |
| HIGH | CVE-2026-40160 | praisonaiagents: SSRF in web_crawl exposes cloud metadata | praisonaiagents | - |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| HIGH | CVE-2026-40156 | PraisonAI: auto tools.py load enables local RCE | praisonai | 7.8 |
| CRITICAL | CVE-2026-40154 | PraisonAI: supply chain RCE via unverified template exec | PraisonAI | 9.3 |
| MEDIUM | CVE-2026-40152 | praisonaiagents: glob traversal leaks filesystem metadata | praisonaiagents | 5.3 |
| HIGH | CVE-2026-40153 | praisonaiagents: env var expansion exposes production secrets | praisonaiagents | 7.4 |
| MEDIUM | CVE-2026-6011 | OpenClaw: SSRF via web-fetch enables internal network pivot | openclaw | 5.6 |
| HIGH | GHSA-75hx-xj24-mqrw | n8n-mcp: unauthenticated HTTP endpoints enable DoS + recon | n8n-mcp | 8.2 |
| MEDIUM | CVE-2026-35646 | openclaw: webhook rate-limit bypass enables token brute-force | openclaw | 4.8 |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | openclaw | 7.4 |