AI Threat Alert
ATLAS Landscape
AML.T0110
AI Agent Tool Poisoning
Adversaries may achieve persistence by poisoning tools used by AI agents including built-in tools or tools available to the agent via Model Context Protocol (MCP) connections. This involves compromising benign tools already integrated into the agent's environment. By altering tool behavior such as modifying parameters or descriptions, injecting hidden logic, or redirecting outputs, attackers can maintain long-term influence over the agent's actions, decisions, or external interactions. Poisoned tools may silently exfiltrate data, execute unauthorized commands, or manipulate downstream processes without raising suspicion.
9 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-39891 | praisonai: SSTI enables RCE via agent instructions | praisonai | 8.8 |
| HIGH | GHSA-g985-wjh9-qxxc | PraisonAI: untrusted tools.py import enables RCE | PraisonAI | 8.4 |
| HIGH | CVE-2026-40156 | PraisonAI: auto tools.py load enables local RCE | praisonai | 7.8 |
| MEDIUM | CVE-2026-4502 | Langflow: path traversal enables arbitrary file write | langflow | 6.5 |
| CRITICAL | CVE-2026-40111 | PraisonAI: RCE via shell injection in memory hooks executor | praisonaiagents | — |
| HIGH | GHSA-qx8j-g322-qj6m | OpenClaw: unsafe body replay on cross-origin redirect | openclaw | — |
| MEDIUM | GHSA-2qrv-rc5x-2g2h | OpenClaw: untrusted plugin RCE via workspace channel setup | openclaw | — |
| LOW | GHSA-767m-xrhc-fxm7 | openclaw: operator.write escalates to admin Telegram config + cron | openclaw | — |
| MEDIUM | GHSA-w6wx-jq6j-6mcj | openclaw: script swap bypasses pnpm dlx approval | openclaw | — |