Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-qmwg-qprg-3j38 | openclaw: CDP pivot bypasses file:// navigation guards | openclaw | - |
| HIGH | GHSA-939r-rj45-g2rj | openclaw: untrusted plugin auto-enabled during onboarding | openclaw | - |
| MEDIUM | GHSA-527m-976r-jf79 | openclaw: SSRF bypass in existing browser session routes | openclaw | - |
| MEDIUM | GHSA-rj2p-j66c-mgqh | openclaw: SSRF policy bypass in browser tab actions | openclaw | - |
| MEDIUM | GHSA-f3h5-h452-vp3j | openclaw: insufficient authz allows agent config persistence | openclaw | - |
| HIGH | GHSA-82qx-6vj7-p8m2 | openclaw: trust bypass loads untrusted workspace plugins | openclaw | - |
| MEDIUM | GHSA-jf25-7968-h2h5 | openclaw: path traversal bypasses workspace filesystem guard | openclaw | - |
| MEDIUM | GHSA-53vx-pmqw-863c | openclaw: Browser SSRF exposes internal services by default | openclaw | - |
| MEDIUM | GHSA-2767-2q9v-9326 | openclaw: QQBot SSRF leaks internal service responses | openclaw | - |
| MEDIUM | GHSA-7wv4-cc7p-jhxc | openclaw: .env injection hijacks agent runtime config | openclaw | - |
| MEDIUM | GHSA-c9h3-5p7r-mrjh | openclaw: path traversal bypasses media sandbox | openclaw | - |
| MEDIUM | GHSA-7g8c-cfr3-vqqr | openclaw: trust escalation via unsanitized agent hook events | openclaw | - |
| HIGH | GHSA-vfp4-8x56-j7c5 | openclaw: env denylist bypass enables code exec in agents | openclaw | - |
| MEDIUM | GHSA-j6c7-3h5x-99g9 | openclaw: OS command injection via shell env-argv bypass | openclaw | - |
| MEDIUM | GHSA-g2hm-779g-vm32 | openclaw: auth bypass preserves owner-level agent execution | openclaw | - |
| MEDIUM | GHSA-c4qm-58hj-j6pj | openclaw: SSRF bypass exposes internal pages in browser tool | openclaw | - |
| MEDIUM | CVE-2026-6599 | Langflow: MCP config injection via X-Forwarded-For header | langflow | 6.3 |
| MEDIUM | CVE-2026-39378 | nbconvert: path traversal exfiltrates files via HTML export | nbconvert | 6.5 |
| HIGH | GHSA-2r2p-4cgf-hv7h | engramx: CSRF injects persistent prompts into AI agents | - | |
| MEDIUM | CVE-2026-41495 | n8n-mcp: bearer tokens exposed in HTTP transport logs | n8n-mcp | 5.3 |