AI Threat Alert
Prompt Injection
Prompt injection is the most prevalent attack technique against LLM-based applications. The attacker embeds instructions inside untrusted input — a user message, a retrieved document, or a tool output — that the model then follows instead of (or in addition to) its system prompt. Variants include direct prompt injection (the attacker controls the user turn) and indirect prompt injection (instructions planted in content the LLM will later read, such as a web page or a PDF the application summarises). The OWASP LLM Top 10 ranks prompt injection as LLM01 — the highest-impact risk for production LLM applications. Real-world example: CVE-2024-11041 affected vLLM 0.5.5, where crafted prompts could trigger remote code execution via the OpenAI-compatible chat completion endpoint. Defenses include input classification, strict output parsing, separating trusted and untrusted context, and least-privilege tool design in agent frameworks.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | GHSA-57r2-h2wj-g887 | openclaw: trust-label bypass amplifies prompt injection | openclaw | - |
| UNKNOWN | CVE-2026-41686 | @anthropic-ai/sdk: insecure file perms expose agent memory | @anthropic-ai/sdk | - |
| MEDIUM | GHSA-gfg9-5357-hv4c | openclaw: path traversal exposes host files via audio embed | openclaw | - |
| UNKNOWN | CVE-2026-42228 | n8n: WebSocket auth bypass hijacks AI agent workflows | n8n | - |
| MEDIUM | CVE-2026-41358 | OpenClaw: sender allowlist bypass via Slack thread context | openclaw | 5.4 |
| HIGH | CVE-2026-42079 | PPTAgent: eval injection enables RCE via LLM prompt injection | pptagent | 8.6 |
| HIGH | GHSA-cwj3-vqpp-pmxr | openclaw: Model bypasses authz to persist unsafe config | openclaw | 8.8 |
| MEDIUM | CVE-2026-42045 | LobeChat: XSS-to-RCE via exposed Electron IPC | @lobehub/lobehub | 6.2 |
| MEDIUM | CVE-2026-44222 | vLLM: token injection DoS via multimodal placeholders | vllm | 6.5 |
| MEDIUM | CVE-2026-43901 | wireshark-mcp: path traversal enables arbitrary file write via MCP | 6.8 | |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | open-webui | 8.1 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| UNKNOWN | CVE-2026-44694 | n8n-MCP: SSRF allows internal network access via webhook tools | n8n-mcp | - |
| HIGH | CVE-2026-44843 | LangChain: deserialization poisons LLM chat history | langchain-core | 8.2 |
| MEDIUM | CVE-2026-44564 | open-webui: auth bypass in collaborative doc editing | open-webui | 5.4 |
| MEDIUM | CVE-2026-44571 | open-webui: auth bypass allows message tampering | open-webui | 6.5 |
| CRITICAL | CVE-2026-44336 | PraisonAI: MCP path traversal escalates to full RCE | PraisonAI | 9.6 |
| CRITICAL | CVE-2026-42074 | openclaude: sandbox bypass allows host-level RCE | openclaude | - |
| HIGH | CVE-2026-44246 | nnU-Net: prompt injection hijacks CI/CD triage agent | claude-code | 7.2 |
| CRITICAL | CVE-2026-45311 | deepseek-tui: prompt injection enables zero-approval RCE | deepseek-tui | 9.6 |