ATLAS Landscape
AML.T0011.002
Poisoned AI Agent Tool
A victim may invoke a poisoned tool when interacting with their AI agent. A poisoned tool may execute an [LLM Prompt Injection](/techniques/AML.T0051) or perform [AI Agent Tool Invocation](/techniques/AML.T0053). Poisoned AI agent tools may be introduced into the victim's environment via [AI Software](/techniques/AML.T0010.001), or the user may configure their agent to connect to remote tools.
13 CVEs mapped
| Severity | CVE / GHSA | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-25130 | cai-framework: Command Injection enables RCE | — | 9.7 |
| CRITICAL | CVE-2025-67511 | cai-framework: Command Injection enables RCE | — | 9.6 |
| CRITICAL | CVE-2026-40154 | PraisonAI: supply chain RCE via unverified template exec | PraisonAI | 9.3 |
| HIGH | CVE-2025-66404 | mcp-server-kubernetes: Command Injection enables RCE | — | 8.8 |
| HIGH | GHSA-g985-wjh9-qxxc | PraisonAI: untrusted tools.py import enables RCE | PraisonAI | 8.4 |
| HIGH | CVE-2026-35394 | mobile-mcp: intent injection enables device control via AI agent | — | 8.3 |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | — | 8.1 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| MEDIUM | CVE-2025-54558 | OpenAI Codex CLI: sandbox bypass via ripgrep flag abuse | — | 4.1 |
| UNKNOWN | CVE-2025-55012 | Zed Agent Panel: AI agent RCE via permissions bypass | — | — |
| MEDIUM | GHSA-w8g9-x8gx-crmm | OpenClaw: SSRF bypass via Playwright redirect handling | openclaw | — |
| MEDIUM | GHSA-2qrv-rc5x-2g2h | OpenClaw: untrusted plugin RCE via workspace channel setup | openclaw | — |
| MEDIUM | GHSA-ccx3-fw7q-rr2r | openclaw: base64 pre-alloc bypass causes resource exhaustion | openclaw | — |