AI Threat Alert
Thread
Adversaries may introduce malicious instructions into a chat thread of a large language model (LLM) to cause behavior changes which persist for the remainder of the thread. A chat thread may continue for an extended period over multiple sessions. The malicious instructions may be introduced via Direct or Indirect Prompt Injection. Direct Injection may occur in cases where the adversary has acquired a user's LLM API keys and can inject queries directly into any thread. As the token limits for LLMs rise, AI systems can make use of larger context windows which allow malicious instructions to persist longer in a thread. Thread Poisoning may affect multiple users if the LLM is being used in a service with shared threads. For example, if an agent is active in a Slack channel with multiple participants, a single malicious message from one user can influence the agent's behavior in future interactions with others.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-46059 | LangChain GmailToolkit: indirect prompt injection to RCE | 9.8 | |
| CRITICAL | CVE-2026-25130 | cai-framework: Command Injection enables RCE | 9.7 | |
| HIGH | CVE-2026-25580 | pydantic-ai: SSRF allows internal network access | pydantic-ai-slim | 8.6 |
| HIGH | CVE-2026-44843 | LangChain: deserialization poisons LLM chat history | langchain-core | 8.2 |
| HIGH | CVE-2024-7053 | open-webui: XSS enables admin session hijack via chat | open-webui | 7.6 |
| MEDIUM | CVE-2026-41358 | OpenClaw: sender allowlist bypass via Slack thread context | openclaw | 5.4 |
| MEDIUM | CVE-2025-68492 | chainlit: IDOR enables unauthorized data access | chainlit | 4.2 |
| LOW | GHSA-57r2-h2wj-g887 | openclaw: trust-label bypass amplifies prompt injection | openclaw | — |
| UNKNOWN | CVE-2025-34072 | Slack MCP: zero-click exfiltration via link unfurling | — | |
| UNKNOWN | CVE-2024-48919 | Cursor IDE: prompt injection triggers terminal RCE | — | |
| HIGH | GHSA-gfmx-pph7-g46x | openclaw: trust boundary bypass enables prompt injection | openclaw | — |
| HIGH | CVE-2026-44504 | Aegra: cross-tenant IDOR hijacks user thread data | aegra-api | — |
| UNKNOWN | CVE-2026-42228 | n8n: WebSocket auth bypass hijacks AI agent workflows | n8n | — |
| UNKNOWN | CVE-2026-25083 | GROWI: Missing Auth allows unauthorized operations | — |