22 matches found
CVE-2026-54771
Langroid prior to 0.65.3 is affected. A Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Root cause: the tool dispatch path in agent_response → handle_message → get...
CVE-2026-54771 Langroid: handle_message() executes user-supplied tool JSON without sender verification
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.3, a Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Version...
GHSA-GJGQ-W2M6-WR5Q Langroid: handle_message() executes user-supplied tool JSON without sender verification
Summary A Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Details enablemessage..., use=False, handle=True only prevents the LLM from being instructed to generate...
CVE-2026-40047
CVE-2026-40047 concerns Apache Camel’s camel-docling: Insufficient validation of custom CLI arguments allows argument injection and path traversal in DoclingProducer. The issue arises when unvalidated values in CamelDoclingCustomArguments (or path-bearing headers) reach the external docling tool ...
PT-2026-56064
Name of the Vulnerable Software and Affected Versions Langroid versions prior to 0.65.3 Description An application using this framework that exposes a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads. This occurs even when tools are registered with use=Fals...
CVE-2026-54309
CVE-2026-54309 affects n8n when using the MCP Browser extension in HTTP transport mode. The MCP endpoint accepts unauthenticated session initialization and tool invocation requests, enabling network-reachable clients (or websites visited by the user) to establish an MCP session and invoke browser...
MCP Server Kubernetes 安全漏洞
MCP Server Kubernetes is a Kubernetes management server developed by Suyog Sonwalkar. Versions of MCP Server Kubernetes prior to 3.6.0 contained security vulnerabilities. These vulnerabilities stemmed from access control being executed at the tool discovery layer but not at the execution layer,...
CVE-2026-45366 typescript-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
typescript-utcp is a typescript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual validates the discovery URL against an HTT...
Security, Privacy, and Ethical Risks in OpenClaw
This paper systematically investigates the security, privacy, and ethical risks, as well as the traceability challenges of OpenClaw, a locally executable AI agent system for natural language interaction and real-world task completion. While OpenClaw shows strong potential for personal assistance,...
NPM: Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
NPM: Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret vulnerability discovered by ? in WordPress Npm network-ai versions = 5.4.4...
CVE-2026-45350
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the chatcompletion API, t...
DNS Rebinding
MCP Java SDK is vulnerable to DNS Rebinding. The vulnerability is due to lack of Origin Validation, allowing a malicious website to bypass same-origin restrictions and access a local or network-private MCP server via the victim’s browser, enabling unauthorized tool invocation...
redhound-arsenal
Red Hound Arsenal Agent-consumable security skill library for...
OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval
Summary OpenClaw Gateway exposes an authenticated HTTP endpoint POST /tools/invoke intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments: - The HTTP gateway layer did not deny high-risk session...
CVE-2026-25805
CVE-2026-25805 affects Zed Editor prior to version 0.219.4, where the tool invocation parameters were not shown before asking for approval or after a tool run. This could allow unintended or malicious values to be used without user awareness. The vulnerability is mitigated by the 0.219.4 patch, w...
Zed 安全漏洞
Zed is a code editor developed by Zed Industries. Versions of Zed prior to 0.219.4 contained security vulnerabilities. These vulnerabilities stemmed from insufficient display of tool invocation parameters, allowing malicious values to be used without being detected by users...
AgenticSCR: An Autonomous Agentic Secure Code Review for Immature Vulnerabilities Detection
Secure code review is critical at the pre-commit stage, where vulnerabilities must be caught early under tight latency and limited-context constraints. Existing SAST-based checks are noisy and often miss immature, context-dependent vulnerabilities, while standalone Large Language Models LLMs are...
From runtime risk to real‑time defense: Securing AI agents
AI agents, whether developed in Microsoft Copilot Studio or on alternative platforms, are becoming a powerful means for organizations to create custom solutions designed to enhance productivity and automate organizational processes by seamlessly integrating with internal data and systems. From a...
EUVD-2025-28908
Malicious code in bioql PyPI...
Exploit Tool Invocation Prompt for Tool Behavior Hijacking in LLM-Based Agentic System
LLM-based agentic systems leverage large language models to handle user queries, make decisions, and execute external tools for complex tasks across domains like chatbots, customer service, and software engineering. A critical component of these systems is the Tool Invocation Prompt TIP, which...