AML.T0080

AI Agent Context Poisoning

Adversaries may attempt to manipulate the context used by an AI agent's large language model (LLM) to influence the responses it generates or actions it takes. This allows an adversary to persistently change the behavior of the target agent and further their goals. Context poisoning can be accomplished by prompting the an LLM to add instructions or preferences to memory (See [Memory](/techniques/AML.T0080.000)) or by simply prompting an LLM that uses prior messages in a thread as part of its context (See [Thread](/techniques/AML.T0080.001)).

38 CVEs mapped View on MITRE ATLAS →

Severity	CVE	Headline	Package	CVSS
CRITICAL	CVE-2026-2654	smolagents: SSRF allows internal network access	smolagents	9.8
CRITICAL	CVE-2026-25130	cai-framework: Command Injection enables RCE		9.7
CRITICAL	CVE-2025-67511	cai-framework: Command Injection enables RCE		9.6
CRITICAL	CVE-2026-28451	OpenClaw: SSRF via Feishu extension exposes internal services	openclaw	9.3
CRITICAL	CVE-2025-68665	langchain.js: Deserialization enables RCE	langchain.js	9.1
CRITICAL	CVE-2026-39305	PraisonAI: path traversal enables arbitrary file write/RCE	PraisonAI	9.0
HIGH	GHSA-cwj3-vqpp-pmxr	openclaw: Model bypasses authz to persist unsafe config	openclaw	8.8
HIGH	CVE-2025-66404	mcp-server-kubernetes: Command Injection enables RCE		8.8
HIGH	CVE-2025-56265	n8n: unrestricted file upload RCE via Chat Trigger	n8n	8.8
HIGH	CVE-2026-44552	open-webui: Redis cache poisoning enables cross-instance tool hijack	open-webui	8.7
HIGH	CVE-2025-68664	langchain-core: Deserialization enables RCE	langchain_core	8.2
HIGH	CVE-2026-27826	mcp-atlassian: SSRF allows internal network access	mcp-atlassian	8.2
HIGH	CVE-2025-30358	Mesop: class pollution enables DoS and LLM jailbreak		8.1
HIGH	CVE-2026-27001	OpenClaw: prompt injection via unsanitized workspace path	openclaw	7.8
HIGH	CVE-2026-28788	Open WebUI: BOLA enables RAG poisoning via file overwrite	open-webui	7.1
HIGH	GHSA-6r77-hqx7-7vw8	FlowiseAI: SSRF via prompt injection in API Chain	flowise-components	7.1
MEDIUM	CVE-2026-21894	n8n: security flaw enables exploitation	n8n	6.5
MEDIUM	CVE-2026-27578	n8n: XSS enables session hijacking	n8n	5.4
MEDIUM	CVE-2025-11844	smolagents: security flaw enables exploitation	smolagents	5.4
MEDIUM	GHSA-3c7f-5hgj-h279	n8n: Stored XSS in Chat Trigger via CSS injection	n8n	5.4
MEDIUM	CVE-2026-40112	PraisonAI: XSS via no-op HTML sanitizer in agent output	praisonai	5.4
MEDIUM	CVE-2026-44564	open-webui: auth bypass in collaborative doc editing	open-webui	5.4
MEDIUM	CVE-2026-41358	OpenClaw: sender allowlist bypass via Slack thread context	openclaw	5.4
LOW	CVE-2026-24764	OpenClaw: indirect prompt injection via Slack metadata	openclaw	3.7
MEDIUM	GHSA-w8g9-x8gx-crmm	OpenClaw: SSRF bypass via Playwright redirect handling	openclaw	—
MEDIUM	GHSA-3fv3-6p2v-gxwj	openclaw: SSRF bypass in QQ Bot media fetch paths	openclaw	—
MEDIUM	GHSA-qqq7-4hxc-x63c	openclaw: local file exfiltration via trusted MEDIA refs	openclaw	—
LOW	GHSA-57r2-h2wj-g887	openclaw: trust-label bypass amplifies prompt injection	openclaw	—
HIGH	CVE-2026-40160	praisonaiagents: SSRF in web_crawl exposes cloud metadata	praisonaiagents	—
UNKNOWN	CVE-2025-55012	Zed Agent Panel: AI agent RCE via permissions bypass		—
MEDIUM	GHSA-hxvm-xjvf-93f3	openclaw: env namespace injection steers agent runtime	openclaw	—
UNKNOWN	CVE-2025-59532	OpenAI Codex CLI: sandbox escape via model-generated cwd		—
HIGH	CVE-2025-64439	langgraph-checkpoint: Deserialization enables RCE	langgraph-checkpoint	—
HIGH	CVE-2026-39861	Claude Code: sandbox escape via symlink allows arbitrary write	@anthropic-ai/claude-code	—
UNKNOWN	CVE-2026-42228	n8n: WebSocket auth bypass hijacks AI agent workflows	n8n	—
MEDIUM	GHSA-4p4f-fc8q-84m3	openclaw: iOS bridge bypass enables unauthorized agent runs	openclaw	—
HIGH	GHSA-gfmx-pph7-g46x	openclaw: trust boundary bypass enables prompt injection	openclaw	—
HIGH	GHSA-jf56-mccx-5f3f	OpenClaw: wake hook trust violation elevates to System prompt	openclaw	—