AI Threat Alert
ATLAS Landscape
AML.T0081
Modify AI Agent Configuration
Adversaries may modify the configuration files for AI agents on a system. This allows malicious changes to persist beyond the life of a single agent and affects any agents that share the configuration. Configuration changes may include modifications to the system prompt, tampering with or replacing knowledge sources, modification to settings of connected tools, and more. Through those changes, an attacker could redirect outputs or tools to malicious services, embed covert instructions that exfiltrate data, or weaken security controls that normally restrict agent behavior. Adversaries may modify or disable a configuration setting related to security controls, such as those that would prevent the AI Agent from taking actions that may be harmful to the user's system without human-in-the-loop oversight. Disabling AI agent security features may allow adversaries to achieve their malicious goals and maintain long-term corruption of the AI agent.
95 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | 10.0 | |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | flowise-components | 9.9 |
| CRITICAL | CVE-2026-25049 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-33309 | langflow: Path Traversal enables file access | langflow | 9.9 |
| CRITICAL | CVE-2026-27577 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-27495 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-21877 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-1470 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-27494 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-27966 | langflow: Code Injection enables RCE | langflow | 9.8 |
| CRITICAL | CVE-2025-61260 | OpenAI Codex CLI: RCE via malicious MCP config files | @openai/codex | 9.8 |
| CRITICAL | CVE-2026-41276 | Flowise: auth bypass enables full account takeover via reset | flowise | 9.8 |
| CRITICAL | CVE-2026-41268 | Flowise: unauthenticated RCE via NODE_OPTIONS env injection | flowise | 9.8 |
| CRITICAL | CVE-2026-35022 | Claude Code: OS command injection, credential theft | 9.8 | |
| CRITICAL | CVE-2026-39890 | PraisonAI: YAML deserialization enables unauthenticated RCE | praisonai | 9.8 |
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | 9.8 | |
| CRITICAL | GHSA-2763-cj5r-c79m | PraisonAI: RCE via shell injection in agent workflows | PraisonAI | 9.7 |
| CRITICAL | CVE-2026-27493 | n8n: Code Injection enables RCE | n8n | 9.0 |
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-27497 | n8n: SQL Injection exposes database | n8n | 8.8 |
| HIGH | CVE-2025-68613 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2024-6825 | LiteLLM: RCE via post_call_rules callback injection | litellm | 8.8 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2023-27563 | n8n: privilege escalation exposes full workflow admin | n8n | 8.8 |
| HIGH | CVE-2026-27498 | n8n: Code Injection enables RCE | n8n | 8.8 |
| HIGH | CVE-2026-25056 | n8n: Arbitrary File Upload enables RCE | n8n | 8.8 |
| HIGH | CVE-2025-56265 | n8n: unrestricted file upload RCE via Chat Trigger | n8n | 8.8 |
| HIGH | GHSA-cwj3-vqpp-pmxr | openclaw: Model bypasses authz to persist unsafe config | openclaw | 8.8 |
| HIGH | CVE-2025-65964 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2026-41277 | Flowise: mass assignment enables cross-workspace IDOR | flowise | 8.8 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| HIGH | CVE-2026-30617 | LangChain-ChatChat: RCE via unauthenticated MCP interface | 8.6 | |
| HIGH | CVE-2026-40113 | PraisonAI: arg injection injects env vars into Cloud Run | praisonai | 8.4 |
| HIGH | CVE-2026-33665 | n8n: LDAP email match enables permanent account takeover | n8n | 8.2 |
| HIGH | CVE-2026-25055 | n8n: Path Traversal enables file access | n8n | 8.1 |
| HIGH | CVE-2024-7806 | Open-WebUI: CSRF enables RCE via pipeline code injection | open-webui | 8.0 |
| HIGH | CVE-2026-40149 | PraisonAI: auth bypass disables agent safety controls | PraisonAI | 7.9 |
| HIGH | GHSA-cvrr-qhgw-2mm6 | Flowise: unauthenticated RCE via FILE-STORAGE bypass | flowise-components | 7.7 |
| HIGH | CVE-2026-21852 | claude_code: Weak Credentials allow account compromise | claude_code | 7.5 |
| HIGH | CVE-2026-33724 | n8n: SSH MitM enables malicious workflow injection | n8n | 7.4 |
| HIGH | CVE-2025-30167 | jupyter_core: config hijack enables cross-user code exec | 7.3 | |
| HIGH | CVE-2026-21893 | n8n: Input Validation flaw enables exploitation | n8n | 7.2 |
| HIGH | CVE-2025-5018 | Hive Support WP: OpenAI key theft + prompt hijack | 7.1 | |
| HIGH | GHSA-rh7v-6w34-w2rr | Flowise: MIME bypass enables persistent Node.js web shell RCE | flowise | 7.1 |
| HIGH | CVE-2025-68478 | langflow: File Control enables path manipulation | langflow | 7.1 |
| MEDIUM | CVE-2026-26972 | OpenClaw: path traversal allows arbitrary file write | openclaw | 6.7 |
| MEDIUM | CVE-2026-4502 | Langflow: path traversal enables arbitrary file write | langflow | 6.5 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | open-webui | 6.5 |
| MEDIUM | CVE-2026-6599 | Langflow: MCP config injection via X-Forwarded-For header | langflow | 6.3 |
| MEDIUM | CVE-2025-46343 | n8n: stored XSS enables account takeover | n8n | 5.4 |
| MEDIUM | CVE-2025-61914 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | GHSA-364x-8g5j-x2pr | n8n: stored XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | CVE-2026-25054 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2026-25051 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2026-27578 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2024-4858 | WP Testimonial Carousel: OpenAI API key hijack, no auth | 5.3 | |
| MEDIUM | CVE-2025-54558 | OpenAI Codex CLI: sandbox bypass via ripgrep flag abuse | 4.1 | |
| CRITICAL | GHSA-xh72-v6v9-mwhc | OpenClaw: auth bypass enables unauthenticated command exec | openclaw | — |
| UNKNOWN | CVE-2025-55012 | Zed Agent Panel: AI agent RCE via permissions bypass | — | |
| UNKNOWN | CVE-2026-34046 | Langflow: IDOR exposes flows and plaintext API keys | langflow | — |
| MEDIUM | CVE-2026-34450 | anthropic-sdk: insecure file perms expose agent memory | anthropic | — |
| UNKNOWN | CVE-2026-35029 | LiteLLM: auth bypass allows RCE and full takeover | litellm | — |
| UNKNOWN | CVE-2026-30823 | Flowise: IDOR enables account takeover and SSO bypass | flowise | — |
| UNKNOWN | CVE-2026-30822 | Flowise: mass assignment allows unauthenticated DB injection | flowise | — |
| MEDIUM | GHSA-98ch-45wp-ch47 | OpenClaw: approval bypass via env key normalization gap | openclaw | — |
| MEDIUM | GHSA-2qrv-rc5x-2g2h | OpenClaw: untrusted plugin RCE via workspace channel setup | openclaw | — |
| MEDIUM | GHSA-m34q-h93w-vg5x | openclaw: path traversal enables remote dir overwrite | openclaw | — |
| MEDIUM | GHSA-42mx-vp8m-j7qh | openclaw: sandbox escape via mirror mode hook execution | openclaw | — |
| LOW | GHSA-767m-xrhc-fxm7 | openclaw: operator.write escalates to admin Telegram config + cron | openclaw | — |
| MEDIUM | GHSA-3q42-xmxv-9vfr | openclaw: privilege escalation to admin voice config persistence | openclaw | — |
| HIGH | GHSA-vfw7-6rhc-6xxg | openclaw: env var injection via workspace config | openclaw | — |
| LOW | GHSA-4f8g-77mw-3rxc | OpenClaw: gateway auth expands read to write privilege | openclaw | — |
| MEDIUM | GHSA-67mf-f936-ppxf | OpenClaw: scope misconfiguration enables unauthorized node pairing | openclaw | — |
| HIGH | GHSA-5wj5-87vq-39xm | openclaw: auth bypass enables exec escalation on reconnect | openclaw | — |
| MEDIUM | GHSA-vc32-h5mq-453v | OpenClaw: cross-channel allowlist write bypass | openclaw | — |
| MEDIUM | GHSA-68x5-xx89-w9mm | OpenClaw: stale auth closure bypasses gateway access control | openclaw | — |
| MEDIUM | GHSA-cmfr-9m2r-xwhq | OpenClaw: auth bypass enables persistent browser profile mutation | openclaw | — |
| CRITICAL | CVE-2026-40111 | PraisonAI: RCE via shell injection in memory hooks executor | praisonaiagents | — |
| LOW | GHSA-cm8v-2vh9-cxf3 | openclaw: git env var injection enables host redirect | openclaw | — |
| MEDIUM | GHSA-x783-xp3g-mqhp | PraisonAI: SQL injection via table_prefix exposes DB | PraisonAI | — |
| HIGH | GHSA-r6xh-pqhr-v4xh | openclaw: MCP owner-context spoofing, privilege escalation | openclaw | — |
| MEDIUM | GHSA-55cf-xx38-4p9p | OpenClaw: .env injection redirects connector endpoints | openclaw | — |
| MEDIUM | GHSA-q3jj-46pq-826r | openclaw: ACP child session security envelope bypass | openclaw | — |
| UNKNOWN | CVE-2026-41686 | @anthropic-ai/sdk: insecure file perms expose agent memory | @anthropic-ai/sdk | — |
| MEDIUM | GHSA-c28g-vh7m-fm7v | openclaw: auth bypass in owner command enforcement | openclaw | — |
| UNKNOWN | CVE-2026-42231 | n8n: prototype pollution → RCE via Git node SSH | n8n | — |
| UNKNOWN | CVE-2026-42235 | n8n: stored XSS via MCP OAuth steals agent sessions | n8n | — |
| MEDIUM | GHSA-7jm2-g593-4qrc | openclaw: config guard bypass, persistent settings mutation | openclaw | — |
| MEDIUM | GHSA-h2vw-ph2c-jvwf | OpenClaw: env injection exposes MiniMax API key | openclaw | — |
| MEDIUM | GHSA-mj59-h3q9-ghfh | openclaw: env var injection via MCP stdio config | openclaw | — |
| MEDIUM | GHSA-hxvm-xjvf-93f3 | openclaw: env namespace injection steers agent runtime | openclaw | — |
| LOW | GHSA-xrq9-jm7v-g9h7 | OpenClaw: auth bypass enables cross-device session hijack | openclaw | — |
| MEDIUM | GHSA-2xcp-x87w-q377 | openclaw: session key auth bypass in webhook routing | openclaw | — |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | — |