What 384 Agent Platform CVEs Reveal
On March 5, VulnCheck published 45 vulnerabilities in OpenClaw. Through late March, Fudan's Secsys lab broke the command safety controls in 9 coding agents. On March 30, CERT/CC found 3 criticals in CrewAI on first contact. On April 3 and 4, PraisonAI received its first security look: 10 CVEs, 5 critical, including a CVSS 10.0 sandbox bypass. Four independent research teams in one month, same vulnerability classes across unrelated products: sandbox escapes, auth bypasses, command injection in the safety layer itself.
I pulled the full CVE history for 17 agent platforms. Thirteen have CVEs: 384 total, 74 critical. Four platforms with zero CVEs are from Anthropic, Google, OpenAI, and Microsoft.
OpenClaw: 238 CVEs in less than four months. 348K GitHub stars.
OpenClaw patches. Researchers find the same bug class in the next file over. OpenClaw patches again. In February, depthfirst and Ethiack chained the first 1-click RCEs; OpenClaw fixed them. On March 5, VulnCheck published 45 more in code paths the February fixes never touched. Since March 24, another 44 have landed, 7 critical. One class alone, CWE-863 (incorrect authorization), accounts for 40 of the 238 CVEs, spread across every disclosure batch: 2 in February, 25 through mid-March, 13 since March 24. The same class appears in the core gateway, approvals engine, sandbox, subagent tree, and in ten separate chat plugins (Slack, Discord, Teams, Signal, Feishu, Zalo, BlueBubbles, Nextcloud, Synology, Google Chat).
LangChain: 51 CVEs over 3 years, 23 critical. 132K stars.
The 2023 CVEs were code execution via exec() and os.system in PALChain. Every fix was a blocklist; every blocklist was bypassed. CVE-2023-36258, then CVE-2023-44467, then CVE-2024-27444: three rounds in eight months, the last two via __import__. Since 2025 the surface expanded: four SSRF (CVE-2025-2828 at CVSS 10.0), four path traversal (latest CVE-2026-34070 on March 31), two deserialization, and code execution still appearing in 2025 and 2026.
n8n: 53 CVEs, 20 critical. 182K stars.
n8n is a workflow automation tool, not marketed as an agent framework, but it is where enterprises wire AI into production workflows. The pattern is expression evaluation: user-supplied expressions in node configurations reach a dynamic code evaluator. CVE-2025-68613 (CWE-913) and CVE-2026-1470 (CWE-95) are both expression evaluation RCEs at CVSS 9.9. CISA added CVE-2025-68613 to the KEV catalog on March 11, 2026; n8n is the only platform in this dataset with a KEV listing. Ten more CVEs landed on March 25, one critical.
PraisonAI: 10 CVEs on first look, 5 critical. 7K stars.
Published April 3 and 4. CVE-2026-34938 (CVSS 10.0, CWE-693): the code sandbox blocks dangerous constructs by calling startswith() on the input; the attacker passes a str subclass with startswith() overridden to always return False, and the underlying payload executes. CVE-2026-34953 (CVSS 9.1, CWE-863): OAuthManager.validate_token() returns True for any token not in its internal store, which is empty by default. CVE-2026-34935 (CVSS 9.8, CWE-78): --mcp CLI argument passed straight to shlex.split() and into subprocess. Same pattern as OpenClaw and CrewAI: every layer tested, every layer broken.
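As an added illustration that is not PraisonAI's code, here is the prefix-check style behind CVE-2026-34938 next to a check that refuses anything other than an exact str and inspects the parsed AST instead of text prefixes. The blocklist entries and function names are assumed for the example.

```python
import ast

# Illustrative blocklist for the example, not any project's real configuration.
BLOCKED_PREFIXES = ("import ", "from ", "exec(", "eval(", "__import__")
BLOCKED_NAMES = {"exec", "eval", "compile", "__import__", "open", "getattr"}


def weak_check(src):
    """Prefix blocklist that trusts src.startswith(): the CVE-2026-34938 pattern.

    Returns True when the snippet is allowed. It calls a method on the
    untrusted object itself, so the object decides the outcome.
    """
    return not any(src.startswith(p) for p in BLOCKED_PREFIXES)


class OverriddenStr(str):
    """str subclass whose startswith() always reports no match (as the CVE describes)."""

    def startswith(self, *args, **kwargs):
        return False


def strict_check(src):
    """Type-strict, AST-based check. Returns True when the snippet is allowed.

    The snippet is refused unless it is exactly str (subclasses can override any
    method), then parsed so imports, dangerous calls and dunder attribute access
    are found structurally, wherever they sit in the source.
    """
    if type(src) is not str:
        return False
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return False
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in BLOCKED_NAMES:
            return False
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False
    return True
```

Even the strict version is still a blocklist, which is the class of control this dataset shows being bypassed repeatedly; it belongs inside an isolated process or container as defense in depth, and the runner should fail closed when that isolation layer is missing rather than fall back to in-process execution.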
CrewAI: 4 CVEs on first look, 75% critical rate. 48K stars.
Zero CVEs until March 30. CERT/CC found 4 in one day. The most telling: CrewAI's CodeInterpreter falls back to a weaker in-process Python sandbox when Docker is unavailable (CVE-2026-2275, CVSS 9.6, CWE-749: Exposed Dangerous Method). The CWE is literal: the dangerous fallback is intentional, not an accident. Fail-open by design.
The rest.
LlamaIndex (48K stars): 7 CVEs, including SQL injection in the Text-to-SQL query engine (NLSQLTableQueryEngine) and command injection in RunGptLLM. Smolagents (26K stars): 5 CVEs, including a CVSS 10.0 deserialization RCE (CVE-2025-14931). LangGraph (28K stars): 7 CVEs, 6 in the checkpointer layer (SQLite, Redis, and base interface); 3 deserialization, 3 SQL injection, 1 generic injection. Semantic Kernel (28K stars): 2 CVEs, both CVSS 9.9 (path traversal and code injection). Agno (39K stars): 2 CVEs; the second, CVE-2026-35002 (CVSS 9.3 critical), landed April 2. PydanticAI (16K stars): 3 CVEs (2 SSRF, 1 combined path traversal and XSS). Dify (136K stars): 1 CVE. Mastra (23K stars): 1 CVE.
The clean four.
Four platforms have zero CVEs. All four come from frontier labs or Microsoft: Microsoft Agent Framework (Microsoft, 9K stars), Claude Agent SDK (Anthropic), Google ADK (Google, 19K stars), OpenAI Agents SDK (OpenAI, 21K stars). Every platform outside that set has CVEs, and 9 of 13 have criticals.
What keeps breaking.
Across 384 CVEs, three patterns dominate. Injection runs through LangChain's three-year history and n8n's 20 criticals: exec(), eval(), expression engines reaching code execution sinks. Access control is concentrated in OpenClaw's 238 CVEs, where scope escalation and missing authorization checks make the permission model the primary attack surface. Sandbox escapes show up in CrewAI, PraisonAI, and smolagents independently, same class in unrelated code. The attack surface changes across platforms. The vulnerability classes don't.
My take:
- n8n is the first agent platform in CISA's Known Exploited Vulnerabilities catalog. CVE-2025-68613 was added March 11; the BOD 22-01 remediation deadline passed March 25. n8n is not marketed as an AI agent platform. It is a workflow automation tool adopted by ops and business teams to automate processes. Overall, it has a rich CVE footprint: 53 CVEs, 20 critical, and 10 new ones on March 25 alone. Check for self-hosted n8n usage in your company.
- The four frontier-lab agent SDKs have zero CVEs but not zero vulnerabilities. Their GitHub issues contain authorization bypasses, SQL injection, path traversal, and OAuth secret exposure, the same classes that generated 384 CVEs in the other platforms. Google and Microsoft have formal internal security intake processes. OpenAI and Anthropic don't have a SECURITY.md in their agent SDK GitHub repos. None of the four have published a single advisory. If your vulnerability management runs on CVEs, the vulnerabilities in these four platforms won't show up.
- OpenClaw patches fast but every fix is a point fix. The permission model needs an architecture-level redesign. Until that ships, treat it as not ready for enterprise deployment.
- When evaluating an agent framework, check three things: can untrusted code escape the sandbox, can a low-privilege caller escalate scope, and are endpoints open by default when deployed without configuration. Every platform in this dataset that failed, failed on at least one of these three.
Sources:
- National Vulnerability Database (NVD)
- CISA Known Exploited Vulnerabilities Catalog
- OpenClaw Security Advisories
- CERT/CC VU#221883 (CrewAI)
- Fudan Secsys: LLM Tool Calling CVEs
- RAXE Labs: PraisonAI Vulnerability Cluster (RAXE-2026-050)
- RAXE Labs: LangChain Path Traversal (RAXE-2026-046)
- VulnCheck OpenClaw Advisory