AI Agent Tool Invocation
Adversaries may use their access to an AI agent to invoke tools the agent has access to. LLMs are often connected to other services or resources via tools to increase their capabilities. Tools may include integrations with other applications, access to public or private data sources, and the ability to execute code. This may allow adversaries to execute API calls to integrated applications or services, providing the adversary with increased privileges on the system. Adversaries may take advantage of connected data sources to retrieve sensitive information. They may also use an LLM integrated with a command or script interpreter to execute arbitrary instructions. AI agents may be configured to have access to tools that are not directly accessible by users. Adversaries may abuse this to gain access to tools they otherwise wouldn't be able to use.

| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-59528 | Flowise: Unauthenticated RCE via MCP config injection | flowise | 10.0 |
| CRITICAL | CVE-2026-34938 | praisonaiagents: sandbox bypass enables full host RCE | praisonaiagents | 10.0 |
| CRITICAL | CVE-2026-33663 | n8n: member role steals plaintext HTTP credentials | n8n | 10.0 |
| CRITICAL | CVE-2026-39888 | praisonaiagents: sandbox escape enables host RCE | praisonaiagents | 10.0 |
| CRITICAL | CVE-2024-12909 | llama-index finchat: SQL injection enables RCE | llama-index-packs-finchat | 10.0 |
| CRITICAL | CVE-2025-2828 | LangChain RequestsToolkit: SSRF exposes cloud metadata | langchain | 10.0 |
| CRITICAL | CVE-2025-5120 | smolagents: sandbox escape enables unauthenticated RCE | smolagents | 10.0 |
| CRITICAL | CVE-2026-26030 | semantic-kernel: Code Injection enables RCE | semantic-kernel | 10.0 |
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | | 10.0 |
| CRITICAL | CVE-2026-0863 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-25115 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |
| CRITICAL | CVE-2026-1470 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-27495 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2025-68668 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |
| CRITICAL | CVE-2026-21877 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-27577 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-25052 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | flowise | 9.9 |
| CRITICAL | CVE-2026-25049 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | flowise-components | 9.9 |
| CRITICAL | CVE-2026-25592 | semantic-kernel: Path Traversal enables file access | semantic-kernel | 9.9 |
| CRITICAL | CVE-2026-25053 | n8n: Command Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-27494 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | GHSA-vc46-vw85-3wvm | PraisonAI: RCE via malicious workflow YAML execution | PraisonAI | 9.8 |
| CRITICAL | CVE-2026-41264 | Flowise: prompt injection → unsandboxed RCE via CSV Agent | flowise-components | 9.8 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| CRITICAL | CVE-2026-41265 | Flowise: RCE via prompt injection in Airtable Agent | flowise | 9.8 |
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | | 9.8 |
| CRITICAL | CVE-2026-41267 | Flowise: mass assignment auth bypass in registration | flowise | 9.8 |
| CRITICAL | CVE-2025-46059 | LangChain GmailToolkit: indirect prompt injection to RCE | | 9.8 |
| CRITICAL | CVE-2024-42835 | Langflow: Unauthenticated RCE via PythonCodeTool | langflow | 9.8 |
| CRITICAL | CVE-2024-8309 | LangChain GraphCypher: prompt injection enables DB wipe | langchain | 9.8 |
| CRITICAL | CVE-2024-7042 | LangChainJS: prompt injection enables full graph DB takeover | langchain | 9.8 |
| CRITICAL | CVE-2024-12366 | PandasAI: prompt injection enables unauthenticated RCE | | 9.8 |
| CRITICAL | CVE-2024-27444 | LangChain Experimental: RCE via Python sandbox escape | langchain-experimental | 9.8 |
| CRITICAL | CVE-2024-23751 | LlamaIndex: SQL injection in Text-to-SQL feature | llamaindex | 9.8 |
| CRITICAL | CVE-2023-32785 | LangChain: prompt injection → SQL RCE (CVSS 9.8) | langchain | 9.8 |
| CRITICAL | CVE-2023-39631 | LangChain: RCE via numexpr evaluate injection | langchain | 9.8 |
| CRITICAL | CVE-2023-39659 | LangChain: RCE via unsanitized PythonAstREPL input | langchain | 9.8 |
| CRITICAL | CVE-2023-38860 | LangChain: RCE via unsanitized prompt parameter | langchain | 9.8 |
| CRITICAL | CVE-2023-36095 | LangChain PALChain: RCE via unsanitized exec() calls | langchain | 9.8 |
| CRITICAL | CVE-2023-36188 | LangChain: RCE via PALChain unsanitized Python exec | langchain | 9.8 |
| CRITICAL | CVE-2023-36258 | LangChain: unauthenticated RCE via code injection | langchain | 9.8 |
| CRITICAL | CVE-2023-34540 | LangChain: RCE via JiraAPIWrapper crafted input | langchain | 9.8 |
| CRITICAL | CVE-2023-29374 | LangChain: RCE via prompt injection in LLMMathChain | langchain | 9.8 |
| CRITICAL | CVE-2026-27966 | langflow: Code Injection enables RCE | langflow | 9.8 |
| CRITICAL | CVE-2026-30741 | OpenClaw: RCE via request-side prompt injection | openclaw | 9.8 |
| CRITICAL | CVE-2026-30824 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | flowise | 9.8 |
| CRITICAL | CVE-2025-58434 | Flowise: auth bypass in reset flow allows full ATO | flowise | 9.8 |
| CRITICAL | CVE-2026-25130 | cai-framework: Command Injection enables RCE | | 9.7 |
| CRITICAL | GHSA-2763-cj5r-c79m | PraisonAI: RCE via shell injection in agent workflows | PraisonAI | 9.7 |
| CRITICAL | CVE-2026-44211 | cline: WebSocket auth bypass enables terminal RCE | | 9.6 |
| CRITICAL | CVE-2025-67511 | cai-framework: Command Injection enables RCE | | 9.6 |
| CRITICAL | CVE-2025-47241 | browser-use: URL allowlist bypass enables SSRF in agents | browser-use | 9.3 |
| CRITICAL | CVE-2026-28451 | OpenClaw: SSRF via Feishu extension exposes internal services | openclaw | 9.3 |
| CRITICAL | CVE-2026-44007 | vm2: sandbox escape via nesting:true enables RCE | vm2 | 9.1 |
| CRITICAL | CVE-2025-68665 | langchain.js: Deserialization enables RCE | langchain.js | 9.1 |
| CRITICAL | CVE-2026-27825 | mcp-atlassian: Path Traversal enables file access | mcp-atlassian | 9.1 |
| CRITICAL | CVE-2024-7774 | LangChain.js: path traversal, arbitrary file read/write | langchain.js | 9.1 |
| CRITICAL | GHSA-8x8f-54wf-vv92 | PraisonAI: auth bypass enables browser session hijack | PraisonAI | 9.1 |
| CRITICAL | CVE-2026-27493 | n8n: Code Injection enables RCE | n8n | 9.0 |
| CRITICAL | CVE-2026-39305 | PraisonAI: path traversal enables arbitrary file write/RCE | PraisonAI | 9.0 |
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| HIGH | GHSA-cwj3-vqpp-pmxr | openclaw: Model bypasses authz to persist unsafe config | openclaw | 8.8 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-41137 | Flowise: RCE via CSVAgent unsanitized code injection | flowise | 8.8 |
| HIGH | CVE-2026-30820 | Flowise: header spoof auth bypass exposes admin API & creds | flowise | 8.8 |
| HIGH | CVE-2026-25056 | n8n: Arbitrary File Upload enables RCE | n8n | 8.8 |
| HIGH | CVE-2026-24780 | agpt: Code Injection enables RCE | | 8.8 |
| HIGH | CVE-2026-27497 | n8n: SQL Injection exposes database | n8n | 8.8 |
| HIGH | CVE-2024-7297 | Langflow: mass assignment grants super admin access | langflow | 8.8 |
| HIGH | CVE-2026-31829 | Flowise: SSRF via HTTP Node exposes internal network | flowise-components | 8.8 |
| HIGH | CVE-2026-39891 | praisonai: SSTI enables RCE via agent instructions | praisonai | 8.8 |
| HIGH | CVE-2026-33713 | n8n: SQLi in Data Table node, full DB compromise | n8n | 8.8 |
| HIGH | CVE-2025-68613 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2026-27498 | n8n: Code Injection enables RCE | n8n | 8.8 |
| HIGH | CVE-2025-65964 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2025-34291 | langflow: security flaw enables exploitation | langflow | 8.8 |
| HIGH | CVE-2025-66404 | mcp-server-kubernetes: Command Injection enables RCE | | 8.8 |
| HIGH | CVE-2025-56265 | n8n: unrestricted file upload RCE via Chat Trigger | n8n | 8.8 |
| HIGH | CVE-2025-57760 | Langflow: privilege escalation to full superuser via CLI | langflow | 8.8 |
| HIGH | CVE-2025-9141 | vLLM: RCE via eval() in Qwen3 Coder tool parser | vllm | 8.8 |
| HIGH | GHSA-qwgj-rrpj-75xm | PraisonAI: hardcoded approval bypass enables RCE | PraisonAI | 8.8 |
| HIGH | CVE-2026-41138 | Flowise: RCE via unsanitized input in AirtableAgent | flowise | 8.8 |
| HIGH | CVE-2025-62726 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2024-3571 | LangChain: path traversal allows arbitrary file R/W | langchain | 8.8 |
| HIGH | CVE-2026-34955 | PraisonAI: sandbox escape via shell=True blocklist bypass | praisonai | 8.8 |
| HIGH | CVE-2023-27563 | n8n: privilege escalation exposes full workflow admin | n8n | 8.8 |
| HIGH | GHSA-gqqj-85qm-8qhf | paperclipai: connector trust bypass enables Gmail read/write | paperclipai | 8.7 |
| HIGH | CVE-2026-25580 | pydantic-ai: SSRF allows internal network access | pydantic-ai-slim | 8.6 |
| HIGH | CVE-2026-42079 | PPTAgent: eval injection enables RCE via LLM prompt injection | | 8.6 |
| HIGH | CVE-2026-34954 | praisonaiagents: SSRF leaks cloud IAM credentials | praisonaiagents | 8.6 |
| HIGH | CVE-2026-30617 | LangChain-ChatChat: RCE via unauthenticated MCP interface | | 8.6 |
| HIGH | CVE-2026-40158 | PraisonAI: AST sandbox bypass enables host RCE | PraisonAI | 8.6 |
| HIGH | GHSA-4ggg-h7ph-26qr | n8n-mcp: authenticated SSRF leaks cloud metadata | n8n-mcp | 8.5 |
| HIGH | CVE-2026-39974 | n8n-MCP: SSRF exposes cloud metadata via MCP headers | | 8.5 |
| HIGH | CVE-2026-42449 | n8n-mcp: SSRF bypass via IPv6 leaks API keys | n8n-mcp | 8.5 |
| HIGH | CVE-2026-35020 | Claude Code CLI: OS command injection via TERMINAL env | claude-code | 8.4 |
| HIGH | CVE-2026-44334 | praisonai: RCE via unpatched tool_override exec_module | praisonai | 8.4 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| HIGH | GHSA-f228-chmx-v6j6 | Flowise: prompt injection RCE via AirtableAgent | flowise-components | 8.3 |
| HIGH | CVE-2026-35394 | mobile-mcp: intent injection enables device control via AI agent | | 8.3 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| HIGH | CVE-2026-41271 | Flowise: SSRF via prompt template injection in API Chain | flowise | 8.3 |
| HIGH | CVE-2026-33665 | n8n: LDAP email match enables permanent account takeover | n8n | 8.2 |
| HIGH | GHSA-75hx-xj24-mqrw | n8n-mcp: unauthenticated HTTP endpoints enable DoS + recon | n8n-mcp | 8.2 |
| HIGH | CVE-2026-27826 | mcp-atlassian: SSRF allows internal network access | mcp-atlassian | 8.2 |
| HIGH | CVE-2025-68664 | langchain-core: Deserialization enables RCE | langchain_core | 8.2 |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | | 8.1 |
| HIGH | CVE-2026-25055 | n8n: Path Traversal enables file access | n8n | 8.1 |
| HIGH | GHSA-x462-jjpc-q4q4 | praisonaiagents: CORS bypass enables silent agent RCE | praisonaiagents | 8.1 |
| HIGH | CVE-2026-40149 | PraisonAI: auth bypass disables agent safety controls | PraisonAI | 7.9 |
| HIGH | CVE-2026-34937 | PraisonAI: OS command injection via run_python() shell escape | praisonaiagents | 7.8 |
| HIGH | CVE-2024-38459 | LangChain: Python REPL code execution without opt-in | langchain-experimental | 7.8 |
| HIGH | CVE-2026-35021 | Claude Code CLI: shell injection enables RCE | | 7.8 |
| HIGH | CVE-2026-27001 | OpenClaw: prompt injection via unsanitized workspace path | openclaw | 7.8 |
| HIGH | CVE-2024-3095 | LangChain: SSRF in Web Retriever exposes cloud metadata | langchain | 7.7 |
| HIGH | GHSA-hr5v-j9h9-xjhg | OpenClaw: sandbox escape via mediaUrl path traversal | openclaw | 7.7 |
| HIGH | CVE-2025-61917 | n8n: Info Disclosure leaks sensitive data | n8n | 7.7 |
| HIGH | CVE-2026-40150 | PraisonAIAgents: SSRF exposes cloud metadata via web_crawl | praisonaiagents | 7.7 |
| HIGH | GHSA-cvrr-qhgw-2mm6 | Flowise: unauthenticated RCE via FILE-STORAGE bypass | flowise-components | 7.7 |
| HIGH | CVE-2026-26321 | OpenClaw: path traversal enables local file exfiltration | openclaw | 7.5 |
| HIGH | CVE-2023-36189 | LangChain SQLDatabaseChain: SQL injection, DB exfil | langchain | 7.5 |
| HIGH | CVE-2024-58339 | llamaindex: Resource Exhaustion enables DoS | llamaindex | 7.5 |
| HIGH | CVE-2025-59527 | Flowise: unauthenticated SSRF exposes internal network | flowise | 7.5 |
| HIGH | CVE-2023-32786 | LangChain: prompt injection triggers SSRF via URL fetch | langchain | 7.5 |
| HIGH | CVE-2026-40153 | praisonaiagents: env var expansion exposes production secrets | praisonaiagents | 7.4 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | open-webui | 7.3 |
| HIGH | CVE-2026-21893 | n8n: Input Validation flaw enables exploitation | n8n | 7.2 |
| HIGH | CVE-2024-12911 | llama-index: SQLi+DoS via prompt injection in query engine | llamaindex | 7.1 |
| HIGH | GHSA-2x8m-83vc-6wv4 | Flowise: SSRF bypass exposes internal services | flowise-components | 7.1 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | flowise | 7.1 |
| HIGH | GHSA-6r77-hqx7-7vw8 | FlowiseAI: SSRF via prompt injection in API Chain | flowise-components | 7.1 |
| HIGH | GHSA-xhmj-rg95-44hv | Flowise: SSRF bypass exposes cloud IAM credentials | flowise-components | 7.1 |
| MEDIUM | CVE-2026-43901 | wireshark-mcp: path traversal enables arbitrary file write via MCP | | 6.8 |
| MEDIUM | CVE-2026-26972 | OpenClaw: path traversal allows arbitrary file write | openclaw | 6.7 |
| MEDIUM | CVE-2026-41481 | LangChain: SSRF redirect bypass exposes internal endpoints | langchain | 6.5 |
| MEDIUM | CVE-2026-25475 | OpenClaw: path traversal enables arbitrary file read | openclaw | 6.5 |
| MEDIUM | CVE-2025-68477 | langflow: SSRF allows internal network access | langflow | 6.5 |
| MEDIUM | GHSA-gpx9-96j6-pp87 | agentos-taskweaver: Protection Bypass circumvents security controls | | 6.5 |
| MEDIUM | CVE-2026-26320 | OpenClaw: UI deception enables arbitrary command execution | openclaw | 6.5 |
| MEDIUM | CVE-2026-25631 | n8n: Input Validation flaw enables exploitation | n8n | 6.5 |
| MEDIUM | CVE-2026-21894 | n8n: security flaw enables exploitation | n8n | 6.5 |
| MEDIUM | CVE-2023-27562 | n8n: path traversal allows arbitrary file read | n8n | 6.5 |
| MEDIUM | CVE-2025-57749 | n8n: symlink traversal enables arbitrary file read/write | n8n | 6.5 |
| MEDIUM | CVE-2024-53526 | Composio: command injection in AI agent tool calls | | 6.4 |
| MEDIUM | CVE-2026-4963 | smolagents: code injection via incomplete sandbox fix | smolagents | 6.3 |
| MEDIUM | CVE-2026-7687 | Langflow: command injection in code parser enables RCE | langflow | 6.3 |
| MEDIUM | CVE-2026-6599 | Langflow: MCP config injection via X-Forwarded-For header | langflow | 6.3 |
| MEDIUM | CVE-2026-40117 | PraisonAI: arbitrary file read via unguarded skill tool | praisonaiagents | 6.2 |
| MEDIUM | GHSA-q8ff-7ffm-m3r9 | openclaw: stale webhook secret survives credential rotation | openclaw | 6.0 |
| MEDIUM | CVE-2025-12695 | dspy: security flaw enables exploitation | | 5.9 |
| MEDIUM | CVE-2026-6011 | OpenClaw: SSRF via web-fetch enables internal network pivot | openclaw | 5.6 |
| MEDIUM | GHSA-ffp3-3562-8cv3 | PraisonAI: tool approval bypass leaks env credentials | praisonaiagents | 5.5 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| MEDIUM | GHSA-3c7f-5hgj-h279 | n8n: Stored XSS in Chat Trigger via CSS injection | n8n | 5.4 |
| MEDIUM | CVE-2026-27578 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2026-25054 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2026-25051 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2025-68697 | n8n: security flaw enables exploitation | n8n | 5.4 |
| MEDIUM | CVE-2025-61914 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2025-52478 | n8n: Stored XSS enables full account takeover | n8n | 5.4 |
| MEDIUM | CVE-2025-46343 | n8n: stored XSS enables account takeover | n8n | 5.4 |
| MEDIUM | GHSA-364x-8g5j-x2pr | n8n: stored XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | CVE-2025-68949 | n8n: security flaw enables exploitation | n8n | 5.3 |
| MEDIUM | CVE-2026-40152 | praisonaiagents: glob traversal leaks filesystem metadata | praisonaiagents | 5.3 |
| MEDIUM | CVE-2026-33751 | n8n: LDAP injection enables auth bypass in workflows | n8n | 4.8 |
| MEDIUM | CVE-2026-35651 | OpenClaw: ANSI injection spoof AI agent approval prompts | openclaw | 4.3 |
| MEDIUM | GHSA-wg4g-395p-mqv3 | n8n-mcp: credential exposure via HTTP transport logging | n8n-mcp | 4.3 |
| MEDIUM | CVE-2026-42282 | n8n-MCP: credential logging exposes OAuth tokens in HTTP mode | | 4.3 |
| MEDIUM | CVE-2025-52554 | n8n: broken authz enables cross-user workflow termination | n8n | 4.3 |
| MEDIUM | CVE-2026-33720 | n8n: OAuth state forgery hijacks user credentials | n8n | 4.2 |
| MEDIUM | CVE-2025-54558 | OpenAI Codex CLI: sandbox bypass via ripgrep flag abuse | | 4.1 |
| MEDIUM | CVE-2026-26019 | langchain_community: SSRF allows internal network access | langchain_community | 4.1 |
| MEDIUM | CVE-2026-27795 | LangChain: SSRF allows internal network access | | 4.1 |
| LOW | CVE-2026-26013 | langchain-core: SSRF allows internal network access | langchain_core | 3.7 |
| LOW | CVE-2026-24764 | OpenClaw: indirect prompt injection via Slack metadata | openclaw | 3.7 |
| LOW | CVE-2026-41488 | langchain-openai: SSRF via DNS rebinding in image token counter | langchain | 3.1 |
| MEDIUM | GHSA-q2gc-xjqw-qp89 | OpenClaw: eval approval bypass enables unintended code exec | openclaw | — |
| MEDIUM | GHSA-h2v7-xc88-xx8c | openclaw: operator scope bypass in phone arm/disarm cmds | openclaw | — |
| CRITICAL | CVE-2026-40111 | PraisonAI: RCE via shell injection in memory hooks executor | praisonaiagents | — |
| LOW | GHSA-cm8v-2vh9-cxf3 | openclaw: git env var injection enables host redirect | openclaw | — |
| MEDIUM | GHSA-vjx8-8p7h-82gr | openclaw: SSRF in marketplace plugin download | openclaw | — |
| MEDIUM | GHSA-3q42-xmxv-9vfr | openclaw: privilege escalation to admin voice config persistence | openclaw | — |
| MEDIUM | GHSA-fwjq-xwfj-gv75 | openclaw: auth bypass exposes agent session visibility | openclaw | — |
| LOW | GHSA-767m-xrhc-fxm7 | openclaw: operator.write escalates to admin Telegram config + cron | openclaw | — |
| HIGH | CVE-2026-40160 | praisonaiagents: SSRF in web_crawl exposes cloud metadata | praisonaiagents | — |
| MEDIUM | GHSA-wpc6-37g7-8q4w | OpenClaw: exec allowlist bypass via shell init-file options | openclaw | — |
| MEDIUM | GHSA-846p-hgpv-vphc | OpenClaw: path traversal → host file exfiltration via QQ Bot | openclaw | — |
| MEDIUM | GHSA-4p4f-fc8q-84m3 | openclaw: iOS bridge bypass enables unauthorized agent runs | openclaw | — |
| MEDIUM | GHSA-98ch-45wp-ch47 | OpenClaw: approval bypass via env key normalization gap | openclaw | — |
| MEDIUM | GHSA-w6wx-jq6j-6mcj | openclaw: script swap bypasses pnpm dlx approval | openclaw | — |
| MEDIUM | GHSA-fh32-73r9-rgh5 | OpenClaw: CDP host bypass exposes localhost browser state | openclaw | — |
| MEDIUM | GHSA-rxmx-g7hr-8mx4 | OpenClaw: Zalo webhook dedup collision silently drops events | openclaw | — |
| UNKNOWN | CVE-2024-10950 | gpt_academic: RCE via unsandboxed prompt injection | gpt_academic | — |
| MEDIUM | CVE-2026-35646 | openclaw: webhook rate-limit bypass enables token brute-force | openclaw | — |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | openclaw | — |
| HIGH | GHSA-p4h8-56qp-hpgv | mcp-ssh: argument injection enables LLM-driven local RCE | | — |
| MEDIUM | CVE-2026-34425 | OpenClaw: script preflight bypass enables unsafe exec | openclaw | — |
| CRITICAL | CVE-2026-35615 | PraisonAI: path traversal exposes full filesystem via agent tools | PraisonAI | — |
| HIGH | GHSA-28g4-38q8-3cwc | Flowise: Cypher injection allows full Neo4j DB wipe | flowise-components | — |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | flowise | — |
| MEDIUM | CVE-2026-34451 | anthropic-ai/sdk: memory tool path traversal escape | @anthropic-ai/sdk | — |
| MEDIUM | GHSA-9q7v-8mr7-g23p | OpenClaw: SSRF in marketplace fetch hits internal AI infra | openclaw | — |
| MEDIUM | CVE-2026-34452 | Anthropic SDK: TOCTOU symlink escape in async memory tool | anthropic | — |
| UNKNOWN | CVE-2026-2275 | CrewAI: RCE via Docker fallback in CodeInterpreter | | — |
| CRITICAL | GHSA-9wc7-mj3f-74xv | Flowise CSVAgent: RCE via Python code injection | flowise-components | — |
| UNKNOWN | CVE-2026-2285 | CrewAI: arbitrary file read via JSON loader tool | | — |
| MEDIUM | GHSA-9hrv-gvrv-6gf2 | Flowise: SSRF bypass enables cloud metadata access | flowise-components | — |
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | flowise-components | — |
| MEDIUM | GHSA-w6v6-49gh-mc9w | Flowise: path traversal allows arbitrary file write via vector store | flowise-components | — |
| LOW | GHSA-gj9q-8w99-mp8j | openclaw: TOCTOU race bypasses exec script preflight | openclaw | — |
| UNKNOWN | CVE-2026-2286 | CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services | | — |
| UNKNOWN | CVE-2026-2287 | CrewAI: Docker sandbox fallback enables RCE | | — |
| UNKNOWN | CVE-2026-44694 | n8n-MCP: SSRF allows internal network access via webhook tools | n8n-mcp | — |
| UNKNOWN | CVE-2026-33873 | Langflow: server-side RCE via LLM-generated code exec | langflow | — |
| UNKNOWN | CVE-2024-12775 | Dify: SSRF via custom tool URL enables credential theft | | — |
| HIGH | CVE-2026-44335 | praisonaiagents: SSRF via URL parser confusion bypass | praisonaiagents | — |
| LOW | CVE-2026-44220 | ciguard: symlink traversal exposes secrets via MCP agent | | — |
| UNKNOWN | CVE-2025-34072 | Slack MCP: zero-click exfiltration via link unfurling | | — |
| UNKNOWN | CVE-2025-55012 | Zed Agent Panel: AI agent RCE via permissions bypass | | — |
| MEDIUM | GHSA-5h3g-6xhh-rg6p | openclaw: TOCTOU race allows out-of-sandbox file read | openclaw | — |
| HIGH | GHSA-wppj-c6mr-83jj | openclaw: TOCTOU sandbox escape via symlink swap | openclaw | — |
| MEDIUM | GHSA-x3h8-jrgh-p8jx | OpenClaw: exec allowlist bypass allows hidden shell code | openclaw | — |
| HIGH | GHSA-r6xh-pqhr-v4xh | openclaw: MCP owner-context spoofing, privilege escalation | openclaw | — |
| MEDIUM | GHSA-55cf-xx38-4p9p | OpenClaw: .env injection redirects connector endpoints | openclaw | — |
| MEDIUM | GHSA-q3jj-46pq-826r | openclaw: ACP child session security envelope bypass | openclaw | — |
| MEDIUM | GHSA-2hh7-c75g-qj2r | openclaw: SSRF bypass via Zalo plugin photo URLs | openclaw | — |
| UNKNOWN | CVE-2025-59532 | OpenAI Codex CLI: sandbox escape via model-generated cwd | | — |
| UNKNOWN | CVE-2025-66479 | Anthropic: Protection Bypass circumvents security controls | | — |
| MEDIUM | GHSA-gfg9-5357-hv4c | openclaw: path traversal exposes host files via audio embed | openclaw | — |
| MEDIUM | GHSA-c28g-vh7m-fm7v | openclaw: auth bypass in owner command enforcement | openclaw | — |
| UNKNOWN | CVE-2026-42232 | n8n: XML Node prototype pollution → RCE | n8n | — |
| UNKNOWN | CVE-2026-42231 | n8n: prototype pollution → RCE via Git node SSH | n8n | — |
| UNKNOWN | CVE-2026-42235 | n8n: stored XSS via MCP OAuth steals agent sessions | n8n | — |
| UNKNOWN | CVE-2026-42234 | n8n: Python sandbox escape enables container RCE | n8n | — |
| UNKNOWN | CVE-2026-42228 | n8n: WebSocket auth bypass hijacks AI agent workflows | n8n | — |
| UNKNOWN | CVE-2026-42229 | n8n: SQL injection in SeaTable node leaks restricted rows | n8n | — |
| UNKNOWN | CVE-2026-42233 | n8n: SQL injection in Oracle node allows data exfiltration | n8n | — |
| UNKNOWN | CVE-2026-42237 | n8n: SQL injection in Snowflake/MySQL nodes bypasses fix | n8n | — |
| MEDIUM | GHSA-7jm2-g593-4qrc | openclaw: config guard bypass, persistent settings mutation | openclaw | — |
| MEDIUM | GHSA-qrp5-gfw2-gxv4 | openclaw: tool policy bypass via bundled MCP/LSP tools | openclaw | — |
| MEDIUM | GHSA-72q8-jcmc-97wx | openclaw: DM policy bypass via Feishu card-action callbacks | openclaw | — |
| LOW | GHSA-j4c5-89f5-f3pm | openclaw: SSRF policy bypass in CDP browser profile creation | openclaw | — |
| LOW | GHSA-xrq9-jm7v-g9h7 | OpenClaw: auth bypass enables cross-device session hijack | openclaw | — |
| LOW | GHSA-c4qg-j8jg-42q5 | openclaw: SSRF in QQBot media upload bypasses validation | openclaw | — |
| MEDIUM | GHSA-2xcp-x87w-q377 | openclaw: session key auth bypass in webhook routing | openclaw | — |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: RCE via MCP test endpoints privilege bypass | litellm | — |
| UNKNOWN | CVE-2026-0769 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2026-41274 | Flowise: Cypher injection via GraphCypherQAChain node | flowise | — |
| HIGH | CVE-2025-64439 | langgraph-checkpoint: Deserialization enables RCE | langgraph-checkpoint | — |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | | — |
| UNKNOWN | CVE-2026-0771 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2026-0772 | langflow: Deserialization enables RCE | langflow | — |
| CRITICAL | CVE-2026-25481 | langroid: Code Injection enables RCE | | — |
| HIGH | CVE-2026-39861 | Claude Code: sandbox escape via symlink allows arbitrary write | @anthropic-ai/claude-code | — |
| HIGH | CVE-2025-65106 | langchain-core: security flaw enables exploitation | langchain-core | — |
| CRITICAL | GHSA-v38x-c887-992f | Flowise: prompt injection bypasses Python sandbox RCE | flowise-components | — |
| MEDIUM | GHSA-f934-5rqf-xx47 | OpenClaw: path traversal in memory_get reads arbitrary workspace files | openclaw | — |
| HIGH | GHSA-mr34-9552-qr95 | openclaw: path traversal leaks files and NTLM credentials | openclaw | — |
| CRITICAL | GHSA-xh72-v6v9-mwhc | OpenClaw: auth bypass enables unauthenticated command exec | openclaw | — |
| HIGH | GHSA-2gvc-4f3c-2855 | OpenClaw: auth bypass lets DM senders run room commands | openclaw | — |
| MEDIUM | CVE-2026-39398 | openclaw-claude-bridge: sandbox bypass exposes CLI tools | claude-code | — |
| HIGH | GHSA-xmxx-7p24-h892 | OpenClaw: stale bearer token survives SecretRef rotation | openclaw | — |
| HIGH | GHSA-qx8j-g322-qj6m | OpenClaw: unsafe body replay on cross-origin redirect | openclaw | — |
| MEDIUM | GHSA-w9j9-w4cp-6wgr | openclaw: env var injection enables host exec hijacking | openclaw | — |
| MEDIUM | GHSA-w8g9-x8gx-crmm | OpenClaw: SSRF bypass via Playwright redirect handling | openclaw | — |
| LOW | GHSA-4f8g-77mw-3rxc | OpenClaw: gateway auth expands read to write privilege | openclaw | — |
| MEDIUM | GHSA-vr5g-mmx7-h897 | OpenClaw: SSRF bypass via interaction-triggered navigation | openclaw | — |
| LOW | GHSA-5fc7-f62m-8983 | OpenClaw: local file read bypasses workspace policy | openclaw | — |
| MEDIUM | GHSA-3fv3-6p2v-gxwj | openclaw: SSRF bypass in QQ Bot media fetch paths | openclaw | — |
| HIGH | GHSA-5wj5-87vq-39xm | openclaw: auth bypass enables exec escalation on reconnect | openclaw | — |
| MEDIUM | GHSA-vc32-h5mq-453v | OpenClaw: cross-channel allowlist write bypass | openclaw | — |
| MEDIUM | GHSA-cmfr-9m2r-xwhq | OpenClaw: auth bypass enables persistent browser profile mutation | openclaw | — |
| MEDIUM | GHSA-67mf-f936-ppxf | OpenClaw: scope misconfiguration enables unauthorized node pairing | openclaw | — |
| MEDIUM | GHSA-whf9-3hcx-gq54 | OpenClaw: token rotation bypasses role approval | openclaw | — |
| MEDIUM | GHSA-qqq7-4hxc-x63c | openclaw: local file exfiltration via trusted MEDIA refs | openclaw | — |