AI Threat Alert
ATLAS Landscape
AML.T0083
Credentials from AI Agent Configuration
Adversaries may access the credentials of other tools or services on a system from the configuration of an AI agent. AI Agents often utilize external tools or services to take actions, such as querying databases, invoking APIs, or interacting with cloud resources. To enable these functions, credentials like API keys, tokens, and connection strings are frequently stored in configuration files. While there are secure methods such as dedicated secret managers or encrypted vaults that can be deployed to store and manage these credentials, in practice they are often placed in less protected locations for convenience or ease of deployment. If an attacker can read or extract these configurations, they may obtain valid credentials that allow direct access to sensitive systems outside the agent itself.
149 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | 10.0 | |
| CRITICAL | CVE-2026-33663 | n8n: member role steals plaintext HTTP credentials | n8n | 10.0 |
| CRITICAL | CVE-2026-21858 | n8n: Input Validation flaw enables exploitation | n8n | 10.0 |
| CRITICAL | CVE-2025-59528 | Flowise: Unauthenticated RCE via MCP config injection | flowise | 10.0 |
| CRITICAL | CVE-2026-27494 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-25115 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |
| CRITICAL | CVE-2026-21877 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-27495 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-27577 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-33309 | langflow: Path Traversal enables file access | langflow | 9.9 |
| CRITICAL | CVE-2026-25053 | n8n: Command Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-25052 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-25049 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-1470 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-0863 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2025-68668 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |
| CRITICAL | CVE-2025-61260 | OpenAI Codex CLI: RCE via malicious MCP config files | @openai/codex | 9.8 |
| CRITICAL | CVE-2024-37014 | Langflow: unauthenticated RCE via custom component API | langflow | 9.8 |
| CRITICAL | CVE-2026-35022 | Claude Code: OS command injection, credential theft | 9.8 | |
| CRITICAL | CVE-2025-58434 | Flowise: auth bypass in reset flow allows full ATO | flowise | 9.8 |
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | 9.8 | |
| CRITICAL | CVE-2026-30824 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | flowise | 9.8 |
| CRITICAL | CVE-2026-27966 | langflow: Code Injection enables RCE | langflow | 9.8 |
| CRITICAL | CVE-2026-39890 | PraisonAI: YAML deserialization enables unauthenticated RCE | praisonai | 9.8 |
| CRITICAL | CVE-2026-41276 | Flowise: auth bypass enables full account takeover via reset | flowise | 9.8 |
| CRITICAL | CVE-2026-41267 | Flowise: mass assignment auth bypass in registration | flowise | 9.8 |
| CRITICAL | CVE-2026-41268 | Flowise: unauthenticated RCE via NODE_OPTIONS env injection | flowise | 9.8 |
| CRITICAL | CVE-2024-42835 | Langflow: Unauthenticated RCE via PythonCodeTool | langflow | 9.8 |
| CRITICAL | CVE-2025-59434 | Flowise Cloud: cross-tenant env var exposure leaks API keys | 9.6 | |
| CRITICAL | CVE-2025-55526 | n8n-workflows: path traversal in download_workflow endpoint | fastapi | 9.1 |
| CRITICAL | CVE-2026-27825 | mcp-atlassian: Path Traversal enables file access | mcp-atlassian | 9.1 |
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| CRITICAL | CVE-2026-27493 | n8n: Code Injection enables RCE | n8n | 9.0 |
| HIGH | CVE-2025-62726 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2026-6543 | Langflow: RCE exposes API keys and DB credentials | langflow | 8.8 |
| HIGH | CVE-2025-68613 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2025-65964 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2025-56265 | n8n: unrestricted file upload RCE via Chat Trigger | n8n | 8.8 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2025-57760 | Langflow: privilege escalation to full superuser via CLI | langflow | 8.8 |
| HIGH | CVE-2026-25056 | n8n: Arbitrary File Upload enables RCE | n8n | 8.8 |
| HIGH | CVE-2025-61687 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2026-41137 | Flowise: RCE via CSVAgent unsanitized code injection | flowise | 8.8 |
| HIGH | CVE-2026-27498 | n8n: Code Injection enables RCE | n8n | 8.8 |
| HIGH | CVE-2026-30820 | Flowise: header spoof auth bypass exposes admin API & creds | flowise | 8.8 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-33713 | n8n: SQLi in Data Table node, full DB compromise | n8n | 8.8 |
| HIGH | CVE-2026-27497 | n8n: SQL Injection exposes database | n8n | 8.8 |
| HIGH | CVE-2023-27563 | n8n: privilege escalation exposes full workflow admin | n8n | 8.8 |
| HIGH | GHSA-qwgj-rrpj-75xm | PraisonAI: hardcoded approval bypass enables RCE | PraisonAI | 8.8 |
| HIGH | CVE-2026-25580 | pydantic-ai: SSRF allows internal network access | pydantic-ai-slim | 8.6 |
| HIGH | CVE-2024-32965 | Lobe Chat: pre-auth SSRF leaks OpenAI API keys | 8.6 | |
| HIGH | CVE-2026-39974 | n8n-MCP: SSRF exposes cloud metadata via MCP headers | 8.5 | |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| HIGH | CVE-2025-68664 | langchain-core: Deserialization enables RCE | langchain_core | 8.2 |
| HIGH | CVE-2026-29872 | awesome-llm-apps MCP Agent: cross-session credential theft | 8.2 | |
| HIGH | CVE-2026-33665 | n8n: LDAP email match enables permanent account takeover | n8n | 8.2 |
| HIGH | CVE-2026-41273 | Flowise: auth bypass exposes OAuth 2.0 tokens | flowise | 8.2 |
| HIGH | CVE-2024-28088 | LangChain: path traversal enables RCE and API key theft | langchain | 8.1 |
| HIGH | GHSA-48m6-ch88-55mj | Flowise: Mass Assignment allows cross-tenant org takeover | flowise | 8.1 |
| HIGH | CVE-2026-35021 | Claude Code CLI: shell injection enables RCE | 7.8 | |
| HIGH | CVE-2026-34222 | Open WebUI: access control bypass leaks Tool Valve API keys | open-webui | 7.7 |
| HIGH | GHSA-hr5v-j9h9-xjhg | OpenClaw: sandbox escape via mediaUrl path traversal | openclaw | 7.7 |
| HIGH | CVE-2024-7959 | Open-WebUI: SSRF via unchecked OpenAI URL leaks internal secrets | open-webui | 7.7 |
| HIGH | CVE-2025-61917 | n8n: Info Disclosure leaks sensitive data | n8n | 7.7 |
| HIGH | CVE-2024-36420 | Flowise: unauthenticated arbitrary file read via API | flowise | 7.5 |
| HIGH | CVE-2026-33497 | langflow: Path Traversal enables file access | langflow | 7.5 |
| HIGH | CVE-2026-21852 | claude_code: Weak Credentials allow account compromise | claude_code | 7.5 |
| HIGH | CVE-2025-0330 | LiteLLM: Langfuse API key leak via error handling | litellm | 7.5 |
| HIGH | CVE-2024-9606 | LiteLLM: API key leakage in logs exposes credentials | litellm | 7.5 |
| HIGH | CVE-2024-34510 | Gradio: credential leakage via Windows path encoding bug | gradio | 7.5 |
| HIGH | CVE-2023-27564 | n8n: unauthenticated info disclosure exposes credentials | n8n | 7.5 |
| HIGH | CVE-2026-41279 | Flowise: unauth API key abuse via TTS endpoint IDOR | flowise | 7.5 |
| HIGH | CVE-2026-41278 | Flowise: credential exposure in public chatflow API | flowise | 7.5 |
| HIGH | CVE-2026-41275 | Flowise: HTTP password reset link allows MITM takeover | flowise | 7.5 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | flowise | 7.5 |
| HIGH | CVE-2025-65098 | typebot: XSS enables session hijacking | 7.4 | |
| HIGH | CVE-2025-8709 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| HIGH | CVE-2026-21893 | n8n: Input Validation flaw enables exploitation | n8n | 7.2 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | flowise | 7.1 |
| HIGH | GHSA-2x8m-83vc-6wv4 | Flowise: SSRF bypass exposes internal services | flowise-components | 7.1 |
| MEDIUM | CVE-2026-27496 | n8n: uninitialized buffer leaks secrets via Task Runner | n8n | 6.5 |
| MEDIUM | CVE-2025-14980 | BetterDocs: Info Disclosure leaks sensitive data | 6.5 | |
| MEDIUM | CVE-2026-25631 | n8n: Input Validation flaw enables exploitation | n8n | 6.5 |
| MEDIUM | GHSA-mvv8-v4jj-g47j | Directus: cleartext storage exposes AI API keys | 6.5 | |
| MEDIUM | CVE-2025-57749 | n8n: symlink traversal enables arbitrary file read/write | n8n | 6.5 |
| MEDIUM | CVE-2026-43570 | OpenClaw: symlink traversal exposes host filesystem | openclaw | 6.5 |
| MEDIUM | CVE-2023-27562 | n8n: path traversal allows arbitrary file read | n8n | 6.5 |
| MEDIUM | CVE-2026-3346 | Langflow Desktop: stored XSS enables credential theft | langflow | 6.4 |
| MEDIUM | CVE-2026-40117 | PraisonAI: arbitrary file read via unguarded skill tool | praisonaiagents | 6.2 |
| MEDIUM | CVE-2024-37146 | Flowise: reflected XSS enables credential theft | flowise | 6.1 |
| MEDIUM | CVE-2024-36423 | Flowise: reflected XSS in chatflow API enables session hijack | flowise | 6.1 |
| MEDIUM | CVE-2024-37145 | Flowise: reflected XSS enables file read chain via chatflow | flowise | 6.1 |
| MEDIUM | GHSA-2qqc-p94c-hxwh | Flowise: hardcoded session secret enables auth bypass | flowise | 5.6 |
| MEDIUM | GHSA-cc4f-hjpj-g9p8 | Flowise: hardcoded JWT defaults enable full auth bypass | flowise | 5.6 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| MEDIUM | CVE-2026-44479 | vercel: auth token leak in AI agent non-interactive mode | 5.5 | |
| MEDIUM | GHSA-cqmh-pcgr-q42f | @axonflow/openclaw: credential exposure via insecure file permissions | @axonflow/openclaw | 5.5 |
| MEDIUM | CVE-2025-61914 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2025-52478 | n8n: Stored XSS enables full account takeover | n8n | 5.4 |
| MEDIUM | GHSA-364x-8g5j-x2pr | n8n: stored XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | CVE-2025-68697 | n8n: security flaw enables exploitation | n8n | 5.4 |
| MEDIUM | CVE-2026-27578 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2026-25051 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2026-25054 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2023-34094 | ChuanhuChatGPT: config exposure leaks API keys | chuanhuchatgpt | 5.3 |
| MEDIUM | GHSA-6pcv-j4jx-m4vx | Flowise: unauthenticated SSO config exposes OAuth secrets | flowise | 5.3 |
| MEDIUM | CVE-2026-2589 | Greenshift: Info Disclosure leaks sensitive data | 5.3 | |
| MEDIUM | CVE-2026-33722 | n8n: secrets vault bypass exposes credentials to low-priv users | n8n | 5.3 |
| MEDIUM | CVE-2026-6598 | Langflow: cleartext auth storage exposes API keys | langflow | 4.3 |
| MEDIUM | GHSA-wg4g-395p-mqv3 | n8n-mcp: credential exposure via HTTP transport logging | n8n-mcp | 4.3 |
| MEDIUM | CVE-2025-6854 | Langchain-Chatchat: path traversal in file API exposes host FS | langchain-chatchat | 4.3 |
| MEDIUM | CVE-2026-42282 | n8n-MCP: credential logging exposes OAuth tokens in HTTP mode | 4.3 | |
| LOW | CVE-2026-4993 | OpenUI: hard-coded LiteLLM master key credential leak | 3.3 | |
| LOW | CVE-2026-6597 | langflow: Plaintext credential storage via Flow API | langflow | 2.7 |
| MEDIUM | GHSA-83f3-hh45-vfw9 | OpenClaw: cleartext WebSocket exposes gateway credentials | openclaw | — |
| MEDIUM | GHSA-93rg-2xm5-2p9v | openclaw: auth bypass exposes Gateway bootstrap config | openclaw | — |
| MEDIUM | GHSA-55cf-xx38-4p9p | OpenClaw: .env injection redirects connector endpoints | openclaw | — |
| UNKNOWN | CVE-2026-0772 | langflow: Deserialization enables RCE | langflow | — |
| MEDIUM | GHSA-c28g-vh7m-fm7v | openclaw: auth bypass in owner command enforcement | openclaw | — |
| UNKNOWN | CVE-2026-42231 | n8n: prototype pollution → RCE via Git node SSH | n8n | — |
| UNKNOWN | CVE-2026-42235 | n8n: stored XSS via MCP OAuth steals agent sessions | n8n | — |
| HIGH | GHSA-x5w6-38gp-mrqh | Flowise: HTTP reset link exposes tokens to MITM takeover | flowise | — |
| UNKNOWN | CVE-2026-42234 | n8n: Python sandbox escape enables container RCE | n8n | — |
| UNKNOWN | CVE-2026-42227 | n8n: IDOR leaks cross-project variables via API key | n8n | — |
| MEDIUM | GHSA-h2vw-ph2c-jvwf | OpenClaw: env injection exposes MiniMax API key | openclaw | — |
| LOW | GHSA-j4c5-89f5-f3pm | openclaw: SSRF policy bypass in CDP browser profile creation | openclaw | — |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: RCE via MCP test endpoints privilege bypass | litellm | — |
| UNKNOWN | CVE-2026-0769 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2024-12775 | Dify: SSRF via custom tool URL enables credential theft | — | |
| UNKNOWN | CVE-2026-34046 | Langflow: IDOR exposes flows and plaintext API keys | langflow | — |
| UNKNOWN | CVE-2026-30822 | Flowise: mass assignment allows unauthenticated DB injection | flowise | — |
| UNKNOWN | CVE-2026-2285 | CrewAI: arbitrary file read via JSON loader tool | — | |
| UNKNOWN | CVE-2026-30823 | Flowise: IDOR enables account takeover and SSO bypass | flowise | — |
| CRITICAL | GHSA-xh72-v6v9-mwhc | OpenClaw: auth bypass enables unauthenticated command exec | openclaw | — |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | openclaw | — |
| UNKNOWN | CVE-2025-11203 | LiteLLM: Info Disclosure leaks sensitive data | — | |
| HIGH | GHSA-f6hc-c5jr-878p | Flowise: auth bypass enables account takeover via null token | flowise | — |
| UNKNOWN | CVE-2026-42226 | n8n: IDOR exposes cross-user API key exfiltration | n8n | — |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | flowise | — |
| MEDIUM | GHSA-x783-xp3g-mqhp | PraisonAI: SQL injection via table_prefix exposes DB | PraisonAI | — |
| HIGH | GHSA-4jpm-cgx2-8h37 | Flowise: unauth API exposes plaintext API keys and tokens | flowise | — |
| MEDIUM | GHSA-3fv3-6p2v-gxwj | openclaw: SSRF bypass in QQ Bot media fetch paths | openclaw | — |
| LOW | GHSA-5fc7-f62m-8983 | OpenClaw: local file read bypasses workspace policy | openclaw | — |
| MEDIUM | GHSA-vjx8-8p7h-82gr | openclaw: SSRF in marketplace plugin download | openclaw | — |
| UNKNOWN | CVE-2026-0768 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2026-44694 | n8n-MCP: SSRF allows internal network access via webhook tools | n8n-mcp | — |
| LOW | GHSA-767m-xrhc-fxm7 | openclaw: operator.write escalates to admin Telegram config + cron | openclaw | — |