Local AI Agent
Adversaries may achieve full system compromise by abusing AI agents running locally on a host, such as computer-use agents or AI-driven browsers. These agents are designed to autonomously interact with the operating system, applications, and external services, often with broad permissions to execute commands, access files, manage credentials, and control user workflows. If an adversary is able to take control of an AI agent's behavior, they effectively gain the same level of access as the agent. This can result in complete control over the machine, including executing arbitrary code, accessing or exfiltrating sensitive data, modifying system configurations, and establishing persistence.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-44211 | cline: WebSocket auth bypass enables terminal RCE | — | 9.6 |
| CRITICAL | GHSA-8x8f-54wf-vv92 | PraisonAI: auth bypass enables browser session hijack | PraisonAI | 9.1 |
| CRITICAL | CVE-2026-39305 | PraisonAI: path traversal enables arbitrary file write/RCE | PraisonAI | 9.0 |
| HIGH | CVE-2026-39891 | praisonai: SSTI enables RCE via agent instructions | praisonai | 8.8 |
| HIGH | CVE-2026-35020 | Claude Code CLI: OS command injection via TERMINAL env | claude-code | 8.4 |
| HIGH | GHSA-x462-jjpc-q4q4 | praisonaiagents: CORS bypass enables silent agent RCE | praisonaiagents | 8.1 |
| HIGH | CVE-2026-35021 | Claude Code CLI: shell injection enables RCE | — | 7.8 |
| MEDIUM | CVE-2026-26320 | OpenClaw: UI deception enables arbitrary command execution | openclaw | 6.5 |
| MEDIUM | CVE-2026-42045 | LobeChat: XSS-to-RCE via exposed Electron IPC | @lobehub/lobehub | 6.2 |
| MEDIUM | GHSA-cmfr-9m2r-xwhq | OpenClaw: auth bypass enables persistent browser profile mutation | openclaw | — |
| MEDIUM | GHSA-whf9-3hcx-gq54 | OpenClaw: token rotation bypasses role approval | openclaw | — |
| MEDIUM | GHSA-q2gc-xjqw-qp89 | OpenClaw: eval approval bypass enables unintended code exec | openclaw | — |
| LOW | GHSA-cm8v-2vh9-cxf3 | openclaw: git env var injection enables host redirect | openclaw | — |
| HIGH | GHSA-p4h8-56qp-hpgv | mcp-ssh: argument injection enables LLM-driven local RCE | — | — |
| HIGH | GHSA-wppj-c6mr-83jj | openclaw: TOCTOU sandbox escape via symlink swap | openclaw | — |
| MEDIUM | GHSA-mj59-h3q9-ghfh | openclaw: env var injection via MCP stdio config | openclaw | — |
| HIGH | CVE-2026-39861 | Claude Code: sandbox escape via symlink allows arbitrary write | @anthropic-ai/claude-code | — |
| HIGH | GHSA-7437-7hg8-frrw | OpenClaw: env var injection enables host RCE | openclaw | — |
| MEDIUM | GHSA-w9j9-w4cp-6wgr | openclaw: env var injection enables host exec hijacking | openclaw | — |
| MEDIUM | GHSA-w8g9-x8gx-crmm | OpenClaw: SSRF bypass via Playwright redirect handling | openclaw | — |
| MEDIUM | GHSA-vr5g-mmx7-h897 | OpenClaw: SSRF bypass via interaction-triggered navigation | openclaw | — |
| MEDIUM | GHSA-67mf-f936-ppxf | OpenClaw: scope misconfiguration enables unauthorized node pairing | openclaw | — |
| MEDIUM | GHSA-5h3f-885m-v22w | openclaw: WS sessions persist after gateway token rotation | openclaw | — |
| LOW | GHSA-25wv-8phj-8p7r | OpenClaw: auth rate-limit bypass via async race condition | openclaw | — |
| HIGH | GHSA-5wj5-87vq-39xm | openclaw: auth bypass enables exec escalation on reconnect | openclaw | — |
AI Threat Alert