AI Threat Alert
AI Agent Tool
Adversaries may target AI agent tools as a means to compromise a victim's AI supply chain. Tools add capabilities to AI agents, allowing them to interact with other services, connect to data sources, access internet resources, run system tools, and execute code. They are an attractive target for adversaries because compromising an AI agent can provide them with broad accesses and permissions on the victim's system via the agent's other tools. Poisoned agent tools (See [AI Agent Tool Poisoning](/techniques/AML.T0110)) can contain malicious code or [LLM Prompt Injection](/techniques/AML.T0051)s that manipulate the agent's behavior and even modify how other tools are called. Adversaries have successfully used a poisoned MCP server to exfiltrate private user data [\[5\]][koi]. Agent tools have exploded in popularity, with thousands of MCP servers available publicly [\[2\]][glama]. They are often released on open-source software repositories such as GitHub, indexed on hubs specific to MCP servers [\[3\]][mcp-hub][\[4\]][mcp-server-hub], and published to package registries such as NPM. AI agents can also be connected to remotely-hosted tools [\[5\]][remote-mcp]. This creates an environment where malicious tools can proliferate rapidly and safeguards are often not in place. [koi]: https://www.koi.ai/blog/postmark-mcp-npm-malicious-backdoor-email-theft "First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails" [glama]: https://glama.ai/mcp/servers "Glama" [mcp-hub]: https://www.mcphub.ai/ "MCP Hub" [mcp-server-hub]: https://mcpserverhub.com/ "MCP Server Hub" [remote-mcp]: https://mcpservers.org/remote-mcp-servers "Remote MCP Servers"
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2024-12909 | llama-index finchat: SQL injection enables RCE | llama-index-packs-finchat | 10.0 |
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | 10.0 | |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | flowise-components | 9.9 |
| CRITICAL | GHSA-vc46-vw85-3wvm | PraisonAI: RCE via malicious workflow YAML execution | PraisonAI | 9.8 |
| CRITICAL | CVE-2025-61260 | OpenAI Codex CLI: RCE via malicious MCP config files | @openai/codex | 9.8 |
| CRITICAL | CVE-2026-35022 | Claude Code: OS command injection, credential theft | 9.8 | |
| CRITICAL | CVE-2026-40154 | PraisonAI: supply chain RCE via unverified template exec | PraisonAI | 9.3 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| HIGH | CVE-2026-30617 | LangChain-ChatChat: RCE via unauthenticated MCP interface | 8.6 | |
| HIGH | CVE-2026-44334 | praisonai: RCE via unpatched tool_override exec_module | praisonai | 8.4 |
| HIGH | GHSA-g985-wjh9-qxxc | PraisonAI: untrusted tools.py import enables RCE | PraisonAI | 8.4 |
| HIGH | CVE-2026-35020 | Claude Code CLI: OS command injection via TERMINAL env | claude-code | 8.4 |
| HIGH | CVE-2025-1753 | llama-index-cli: OS command injection enables RCE | llama-index | 7.8 |
| HIGH | GHSA-r39h-4c2p-3jxp | OpenClaw: RCE via malicious repo setup-api.js | openclaw | 7.8 |
| HIGH | CVE-2026-40156 | PraisonAI: auto tools.py load enables local RCE | praisonai | 7.8 |
| HIGH | CVE-2026-39306 | PraisonAI: recipe path traversal allows arbitrary file write | PraisonAI | 7.3 |
| HIGH | CVE-2026-39308 | PraisonAI: recipe registry path traversal file write | PraisonAI | 7.1 |
| MEDIUM | CVE-2026-43901 | wireshark-mcp: path traversal enables arbitrary file write via MCP | 6.8 | |
| MEDIUM | CVE-2026-43570 | OpenClaw: symlink traversal exposes host filesystem | openclaw | 6.5 |
| MEDIUM | CVE-2026-25475 | OpenClaw: path traversal enables arbitrary file read | openclaw | 6.5 |
| MEDIUM | CVE-2026-6599 | Langflow: MCP config injection via X-Forwarded-For header | langflow | 6.3 |
| MEDIUM | CVE-2026-35651 | OpenClaw: ANSI injection spoof AI agent approval prompts | openclaw | 4.3 |
| MEDIUM | GHSA-cmfr-9m2r-xwhq | OpenClaw: auth bypass enables persistent browser profile mutation | openclaw | — |
| CRITICAL | CVE-2026-35615 | PraisonAI: path traversal exposes full filesystem via agent tools | PraisonAI | — |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | openclaw | — |
| HIGH | GHSA-p4h8-56qp-hpgv | mcp-ssh: argument injection enables LLM-driven local RCE | — | |
| LOW | GHSA-gj9q-8w99-mp8j | openclaw: TOCTOU race bypasses exec script preflight | openclaw | — |
| LOW | CVE-2026-44220 | ciguard: symlink traversal exposes secrets via MCP agent | — | |
| MEDIUM | GHSA-5h3g-6xhh-rg6p | openclaw: TOCTOU race allows out-of-sandbox file read | openclaw | — |
| HIGH | GHSA-wppj-c6mr-83jj | openclaw: TOCTOU sandbox escape via symlink swap | openclaw | — |
| MEDIUM | GHSA-x3h8-jrgh-p8jx | OpenClaw: exec allowlist bypass allows hidden shell code | openclaw | — |
| MEDIUM | GHSA-2hh7-c75g-qj2r | openclaw: SSRF bypass via Zalo plugin photo URLs | openclaw | — |
| UNKNOWN | CVE-2026-42229 | n8n: SQL injection in SeaTable node leaks restricted rows | n8n | — |
| UNKNOWN | CVE-2026-42233 | n8n: SQL injection in Oracle node allows data exfiltration | n8n | — |
| UNKNOWN | CVE-2026-42237 | n8n: SQL injection in Snowflake/MySQL nodes bypasses fix | n8n | — |
| MEDIUM | GHSA-qrp5-gfw2-gxv4 | openclaw: tool policy bypass via bundled MCP/LSP tools | openclaw | — |
| MEDIUM | GHSA-mj59-h3q9-ghfh | openclaw: env var injection via MCP stdio config | openclaw | — |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | — |
| MEDIUM | GHSA-q2gc-xjqw-qp89 | OpenClaw: eval approval bypass enables unintended code exec | openclaw | — |
| MEDIUM | CVE-2026-34425 | OpenClaw: script preflight bypass enables unsafe exec | openclaw | — |
| MEDIUM | GHSA-fh32-73r9-rgh5 | OpenClaw: CDP host bypass exposes localhost browser state | openclaw | — |
| MEDIUM | GHSA-w6wx-jq6j-6mcj | openclaw: script swap bypasses pnpm dlx approval | openclaw | — |
| MEDIUM | GHSA-98ch-45wp-ch47 | OpenClaw: approval bypass via env key normalization gap | openclaw | — |
| MEDIUM | GHSA-2qrv-rc5x-2g2h | OpenClaw: untrusted plugin RCE via workspace channel setup | openclaw | — |
| MEDIUM | GHSA-m34q-h93w-vg5x | openclaw: path traversal enables remote dir overwrite | openclaw | — |
| MEDIUM | GHSA-wpc6-37g7-8q4w | OpenClaw: exec allowlist bypass via shell init-file options | openclaw | — |
| MEDIUM | GHSA-42mx-vp8m-j7qh | openclaw: sandbox escape via mirror mode hook execution | openclaw | — |
| HIGH | GHSA-vfw7-6rhc-6xxg | openclaw: env var injection via workspace config | openclaw | — |
| MEDIUM | GHSA-vjx8-8p7h-82gr | openclaw: SSRF in marketplace plugin download | openclaw | — |
| MEDIUM | GHSA-4g5x-2jfc-xm98 | openclaw: media download bypass exhausts disk storage | openclaw | — |
| HIGH | GHSA-7437-7hg8-frrw | OpenClaw: env var injection enables host RCE | openclaw | — |
| HIGH | GHSA-jf56-mccx-5f3f | OpenClaw: wake hook trust violation elevates to System prompt | openclaw | — |
| HIGH | GHSA-gfmx-pph7-g46x | openclaw: trust boundary bypass enables prompt injection | openclaw | — |
| MEDIUM | GHSA-ccx3-fw7q-rr2r | openclaw: base64 pre-alloc bypass causes resource exhaustion | openclaw | — |
| MEDIUM | GHSA-3vvq-q2qc-7rmp | openclaw: no integrity check on ClawHub plugin installs | openclaw | — |
| HIGH | GHSA-qx8j-g322-qj6m | OpenClaw: unsafe body replay on cross-origin redirect | openclaw | — |
| MEDIUM | GHSA-w9j9-w4cp-6wgr | openclaw: env var injection enables host exec hijacking | openclaw | — |
| MEDIUM | GHSA-w8g9-x8gx-crmm | OpenClaw: SSRF bypass via Playwright redirect handling | openclaw | — |
| LOW | GHSA-4f8g-77mw-3rxc | OpenClaw: gateway auth expands read to write privilege | openclaw | — |
| MEDIUM | GHSA-67mf-f936-ppxf | OpenClaw: scope misconfiguration enables unauthorized node pairing | openclaw | — |