Research Note | 2026-03-27 | Status: draft
CVE and CWE Agentic Vulnerability Catalog: Weakness Classes Introduced by Autonomous AI Agents
Key Takeaways
- More than 30 CVEs targeting the Model Context Protocol ecosystem were filed in the sixty days between January and March 2026, exposing foundational security failures in the agentic infrastructure layer before the industry reached widespread production deployment [1].
- The CWE taxonomy contains no weakness categories addressing goal misalignment, behavioral drift, memory poisoning, or delegation chain privilege escalation—the four most commonly observed failure modes in confirmed agentic incidents.
- CVE-2025-6514, carrying a CVSS score of 9.6, demonstrated that a single malicious MCP server can achieve pre-authenticated remote code execution against any connected LLM client through OS command injection in the OAuth flow [2].
- The OpenClaw framework accumulated four confirmed CVEs between January and February 2026, representing the first clustered vulnerability disclosure cycle against a production agentic AI runtime [3][4][5][6].
- The CSAI Foundation, launched March 23, 2026, has included operation of a CVE Numbering Authority scoped to agentic AI in its founding program portfolio, positioning the organization to address the current gap in structured vulnerability tracking for autonomous agent systems [7].
Background
The CVE program has served as the backbone of coordinated vulnerability disclosure since 1999, providing a common language for identifying, defining, and cataloging publicly disclosed cybersecurity weaknesses in software and firmware [8]. The Common Weakness Enumeration extends this infrastructure by classifying the underlying coding and design errors that give rise to vulnerabilities, enabling root-cause analysis across the software development lifecycle. Together, these systems and the CVSS severity scoring framework have enabled a mature, interoperable vulnerability management ecosystem that underlies patch management programs, threat intelligence feeds, and regulatory compliance regimes worldwide.
The emergence of autonomous AI agents disrupts each layer of this infrastructure in distinct ways. The CVE program’s intake processes were designed to evaluate vulnerabilities with reproducible, deterministic exploitation paths. Agentic vulnerabilities frequently do not conform to this model: a memory-poisoned agent may behave maliciously only under specific conversational contexts that resist controlled reproduction, and a goal-misaligned agent may produce harmful outcomes without any exploitable code defect in the classical sense. The CWE taxonomy’s weakness classes address memory management errors, injection flaws, authentication failures, and similar code-level patterns. It contains no vocabulary for describing an agent that has been manipulated into pursuing attacker-controlled objectives through natural language alone, nor for an agent whose behavior degrades over time as accumulated context corrupts its reasoning chain.
The practical consequences of these gaps became visible with unusual speed. The Model Context Protocol, introduced by Anthropic in late 2024 to provide a standardized interface for connecting LLM clients to external tools and data sources, attracted more than 30 CVE filings within roughly sixty days of gaining significant ecosystem adoption in early 2026 [1]. The OpenClaw agentic framework, which achieved production use across tens of thousands of developer environments, accumulated four distinct CVEs in January and February 2026 alone, spanning WebSocket authentication theft, Docker sandbox command injection, SSH target injection, and server-side request forgery [3][4][5][6]. These disclosures arrived faster than any single research team could triage under existing CNA workflows, and none of them mapped cleanly to existing CWE weakness categories.
Known Agentic CVE Catalog
The following table consolidates confirmed CVEs affecting agentic AI infrastructure filed through March 2026. It is organized by affected component category. Severity scores reflect NVD assessments at time of publication. The catalog is expected to expand materially as additional researchers and vendors engage with MCP-adjacent tooling and agentic runtime platforms.
MCP Protocol and Server Infrastructure
| CVE ID | CVSS | Affected Component | Description | Discovery Source |
|---|---|---|---|---|
| CVE-2025-6514 | 9.6 (Critical) | mcp-remote (all versions ≤0.1.15) | OS command injection via malicious authorization_endpoint URL during OAuth flow; pre-authentication RCE affecting any LLM client using mcp-remote as a proxy |
JFrog Security Research [2] |
| CVE-2025-68143 | High | mcp-server-git ≤2025.12.17 | git_init tool accepts arbitrary filesystem paths without validation, enabling conversion of any directory into a Git repository accessible to subsequent MCP operations |
Cyata / SecurityWeek [9] |
| CVE-2025-68144 | High | mcp-server-git ≤2025.12.17 | Argument injection in git_diff and git_checkout via unsanitized user-controlled arguments passed directly to GitPython; --output flag injection enables overwrite of arbitrary files |
Cyata / The Hacker News [10] |
| CVE-2025-68145 | High | mcp-server-git ≤2025.12.17 | Path validation bypass on --repository flag restriction; subsequent tool calls can reference repositories outside the configured boundary, enabling access to any repository on the system |
Cyata / CSO Online [11] |
OpenClaw Agentic Framework
| CVE ID | CVSS | Affected Component | Description | Discovery Source |
|---|---|---|---|---|
| CVE-2026-25253 | 8.8 (High) | OpenClaw Control UI ≤v0.4.2 | One-click RCE via WebSocket authentication token exfiltration; browser’s cross-origin rules do not restrict WebSocket, enabling any malicious webpage to connect to the local instance, disable confirmation prompts, escape the container, and execute shell commands | NCC Group [3] |
| CVE-2026-24763 | High | OpenClaw Docker executor ≤2026.1.28 | Authenticated command injection via unsanitized PATH environment variable in Docker sandbox shell command construction; attacker with env-var control executes arbitrary commands within container context |
Endor Labs [4] |
| CVE-2026-25157 | High | OpenClaw SSH handler ≤2026.1.28 | Dual-vector RCE: (1) unescaped project path interpolated into error echo statement enables remote SSH host exploitation; (2) parseSSHTarget does not reject dash-prefixed targets, enabling -oProxyCommand= injection for local code execution |
Miggo Research [5] |
| CVE-2026-26322 | Medium | OpenClaw Gateway ≤2026.2.13 | SSRF via attacker-supplied gatewayUrl parameter accepted by the Gateway tool without host restriction; enables network reconnaissance, internal service access, and cloud metadata endpoint interaction |
SentinelOne [6] |
Inter-Agent Communication and Runtime
The authzed breach timeline documents several incidents that, while not all resulting in distinct CVE assignments, illustrate the attack surface at the inter-agent communication layer. Prompt injection attacks against the GitHub MCP server enabled malicious public issues to hijack AI assistants and extract private repository contents [12]. The Anthropic MCP Inspector developer tool was found to permit unauthenticated remote code execution through its inspector–proxy architecture, enabling arbitrary command execution on developer machines [12]. An Asana MCP-server logic flaw allowed data from one organization to leak to another through improper cross-tenant isolation, a class of vulnerability the existing CWE catalog addresses for traditional multi-tenant web applications but for which no agent-specific variant exists [12].
The OWASP Agentic Security Initiative’s analysis of the MCP CVE cluster found that every one of its Top 10 for Agentic Applications risk categories has at least one documented MCP exploit [13]. The root causes were not exotic zero-days. They were missing input validation, absent authentication, and blind trust in tool descriptions—classical software engineering failures that the CWE taxonomy does describe, but that manifest in novel ways when the software in question is an autonomous agent operating on behalf of a user without real-time supervision.
CWE Gap Analysis
The Common Weakness Enumeration version 4.19, current as of this writing, contains 963 distinct weakness entries organized into views, categories, and individual CWE nodes [14]. It addresses a comprehensive range of code-level, architecture-level, and design-level weaknesses. It does not address the behavioral failure modes that define the agentic threat landscape.
This is not a deficiency in the CWE program’s execution—it is a structural consequence of the program’s design assumptions. CWE weaknesses describe properties of code artifacts: memory operations, input handling, authentication logic, cryptographic implementations. Agentic vulnerabilities describe properties of system behavior over time: how an agent’s goal representation can be corrupted through natural language interaction, how a trust relationship between two agents can be exploited through message injection, how an agent’s accumulated context degrades its alignment with its original instructions. These failure modes have no corresponding code artifact to point to, no specific function to patch, and no deterministic reproduction path that a traditional CWE entry can document.
The following subsections describe six proposed CWE extension categories. Each addresses a confirmed agentic failure mode observed in production incidents or structured research through March 2026. The proposals follow CWE’s established structure for weakness description.
Proposed CWE-AGNT-001: Goal Misalignment Through Instruction Injection
Weakness Description. An agent’s goal representation or planning state is modified by attacker-controlled input delivered through any channel the agent processes as instructions—including document contents, tool call responses, inter-agent messages, or environmental data retrieved by the agent—causing the agent to pursue objectives other than those established by its authorized operator. This weakness differs from CWE-77 (Improper Neutralization of Special Elements used in a Command) in that no OS-level command injection occurs; the manipulation operates entirely within the agent’s reasoning layer.
Common Consequences. Confidential data is exfiltrated to attacker-controlled endpoints. Authorized users are deceived or manipulated. Agent actions cause financial, reputational, or operational harm on behalf of the attacker. The agent’s corruption may persist across sessions if goal modifications are written to persistent memory.
Applicable Platforms. Any agentic system that processes external content as part of its reasoning loop, including LLM-based agents with tool access, multi-agent orchestration systems, and autonomous workflow agents.
Likelihood of Exploit. High. The OWASP Top 10 for Agentic Applications lists ASI01: Agent Goal Hijack as the highest-priority risk category. Every documented prompt injection attack against MCP servers exploits a variant of this weakness [13]. No technical sophistication beyond the ability to craft natural language instructions is required.
Detection Methods. Monitoring for deviations between an agent’s stated objectives and its observed tool invocations. Semantic anomaly detection on agent reasoning traces. Structured output validation comparing agent actions to policy-defined permitted action sets. Regular audit of persistent goal state representations in memory stores.
Mitigations. Enforce strict separation between data channels and instruction channels. Implement input validation that detects instruction-like patterns in data retrieved from external sources. Use structured output schemas that constrain the action space regardless of reasoning content. Require human confirmation for high-impact actions when the agent has processed untrusted external content in the current session.
Proposed CWE-AGNT-002: Excessive Autonomy Without Authorization Boundary Enforcement
Weakness Description. An agent is granted or assumes authority to perform actions beyond the scope of its authorized mandate, without a runtime enforcement mechanism that restricts its action space to the defined boundary. Unlike CWE-269 (Improper Privilege Management), this weakness does not require that any privilege escalation exploit be executed; the agent simply acts within an action space that was improperly scoped at design time or not enforced at runtime.
Common Consequences. The agent performs destructive, irreversible, or unauthorized actions within its operating environment. Financial transactions, data deletions, external communications, or infrastructure modifications occur without appropriate authorization. Scope creep in agent actions creates audit trails that are legally or regulatorily problematic.
Applicable Platforms. Agentic systems with broad tool access, particularly those operating in production environments with access to databases, financial systems, communication platforms, or infrastructure APIs.
Likelihood of Exploit. High. The CVE-2026-25253 exploitation chain demonstrates that an attacker who achieves any foothold in an agent’s instruction channel can leverage excessive autonomy to achieve arbitrary code execution [3]. The authzed breach timeline documents multiple cases where over-privileged agent tokens were the primary attack enabler [12].
Detection Methods. Runtime monitoring of tool invocations against a declared minimal action set. Automated flagging of actions outside the agent’s documented task scope. Periodic audit of agent permission grants against principle of least privilege.
Mitigations. Apply least-privilege principles to tool grants at agent initialization. Implement runtime guardrails that enforce authorization boundaries independent of the agent’s reasoning layer. Require explicit human approval for actions in designated high-impact categories. Define and contractually bind the agent’s permitted action set before deployment.
Proposed CWE-AGNT-003: Trust Boundary Violation in Inter-Agent Communication
Weakness Description. An agent accepts instructions, data, or task delegations from another agent without verifying the sending agent’s identity, integrity, or authorization level. The receiving agent may act on forged or manipulated inter-agent messages as though they originated from a trusted orchestrator or peer. This weakness creates exploit chains in multi-agent systems where compromise of a lower-privilege agent propagates upward through the agent hierarchy.
Common Consequences. A compromised agent hijacks the actions of higher-privilege agents in the same pipeline. An attacker who injects messages into an inter-agent communication channel achieves the privilege level of the highest-trust agent in the system without directly compromising it. Agent orchestration systems fail silently when rogue agents substitute malicious task definitions.
Applicable Platforms. Multi-agent frameworks, agentic orchestration systems, and any deployment where agents delegate subtasks to other agents or accept task results from external agents.
Likelihood of Exploit. Medium to High. The OWASP ASI07: Insecure Inter-Agent Communication category is supported by documented incidents in which spoofed inter-agent messages misdirected entire agent clusters [13]. As multi-agent deployments grow more common in production, the attack surface for this weakness class expands proportionally.
Detection Methods. Cryptographic signing and verification of inter-agent messages. Monitoring for unexpected changes in agent behavior following receipt of inter-agent communications. Structured logging of all agent-to-agent message content and origin claims.
Mitigations. Require authenticated, integrity-protected communication channels for all inter-agent messaging. Implement authorization checks at the receiving agent that validate the sender’s identity against a registry of trusted agents. Apply zero-trust principles: no agent should be trusted by default, regardless of its position in the orchestration hierarchy.
Proposed CWE-AGNT-004: Behavioral Drift Through Context Accumulation
Weakness Description. An agent’s behavior progressively diverges from its authorized specification as its context window, memory store, or accumulated conversational history is gradually modified over multiple interactions. Each individual modification may fall within acceptable parameters, but the cumulative effect aligns the agent with attacker-controlled objectives or degrades its alignment with its original purpose. This weakness is distinct from single-interaction prompt injection in that it operates over time and may be undetectable at any single interaction boundary.
Common Consequences. Agents that operate in long-running or persistent session contexts gradually shift to serve attacker interests rather than authorized user interests. Detection is difficult because no single interaction triggers anomaly detection thresholds calibrated to single-turn attacks. Behavioral drift may persist across sessions if context is stored externally.
Applicable Platforms. Agents with persistent memory, long-context deployments, multi-session agents operating with shared state, and any agentic system that accumulates external data into its reasoning context over time.
Likelihood of Exploit. Medium. This weakness class is documented in research literature but has fewer confirmed production incidents than goal injection or privilege escalation. Its likelihood increases as agents are deployed in persistent, long-running operational roles.
Detection Methods. Longitudinal behavioral monitoring comparing current action patterns to baseline behaviors established at deployment. Periodic re-evaluation of agent goal alignment through structured probing. Automated context auditing to detect accumulation of instruction-like patterns in long-term memory.
Mitigations. Implement context integrity checks that detect statistically anomalous patterns in accumulated memory. Use context compartmentalization to limit the scope of influence any single data source can exert on agent reasoning. Establish behavioral baselines and automated drift detection with human escalation paths.
Proposed CWE-AGNT-005: Memory Poisoning for Persistent Behavioral Manipulation
Weakness Description. An attacker introduces malicious content into an agent’s persistent memory, knowledge base, retrieval-augmented generation store, or long-term context storage such that subsequent agent interactions are influenced by the attacker-controlled content without further attacker access. Unlike single-session prompt injection, memory poisoning survives the end of the current interaction context and affects all future sessions that retrieve the poisoned memory content.
Common Consequences. Persistent compromise of agent behavior without ongoing attacker access. Incorrect, misleading, or malicious information is treated as authoritative by the agent in all future sessions. The poisoned memory may influence downstream agents in multi-agent systems that consume outputs from the compromised agent’s memory store.
Applicable Platforms. Agents with vector databases, retrieval-augmented generation pipelines, external memory stores, and any system where agent-produced or agent-retrieved content is stored for future use.
Likelihood of Exploit. Medium to High. The OWASP Top 10 for Agentic Applications identifies ASI06: Memory and Context Poisoning as a distinct risk category supported by confirmed research demonstrations [13]. The authzed breach timeline documents memory poisoning as a persistence mechanism in multiple documented incidents [12]. The OpenClaw security monitor community project explicitly lists memory poisoning detection as a required monitoring capability, indicating practitioner recognition of the threat [15].
Detection Methods. Regular integrity audits of persistent memory stores. Detection of instruction-like natural language patterns in stored memory content. Version tracking of memory contents with anomaly alerting on unexpected modifications. Semantic consistency checks comparing agent behavior against behavioral specifications independent of current memory state.
Mitigations. Treat persistent memory stores as security-sensitive infrastructure requiring access control, integrity protection, and audit logging equivalent to a credential store. Implement input filtering on all content written to persistent memory. Regularly purge and re-initialize memory from authoritative sources. Require human review before agent-generated content is written to persistent memory used by privileged agents.
Proposed CWE-AGNT-006: Delegation Chain Privilege Escalation
Weakness Description. A vulnerability in which an agent in an orchestration hierarchy acquires or exercises authority beyond its assigned privilege level by exploiting the delegation mechanism used to pass tasks and permissions from orchestrating agents to subordinate agents. The escalation may occur through forged delegation credentials, manipulation of the delegation chain itself, or exploitation of overly broad permission inheritance in the orchestration framework’s design.
Common Consequences. An agent operating with limited permissions achieves the effective privilege level of a higher-trust agent in the delegation hierarchy. A compromised subordinate agent can issue instructions that are honored by the orchestrator as if they originated from a trusted peer. Privilege escalation chains can traverse an entire multi-agent system if delegation boundaries are not enforced at each layer.
Applicable Platforms. Multi-agent orchestration frameworks with hierarchical permission models, automated workflow systems using agent-to-agent delegation, and any deployment where agents spawn sub-agents and transfer task authority.
Likelihood of Exploit. Medium. The OWASP ASI03: Identity and Privilege Abuse category documents exploitation of inherited or cached credentials and delegated permissions in confirmed incidents [13]. As agentic orchestration patterns mature and delegation chains grow longer, the attack surface for this weakness class increases.
Detection Methods. Audit logging of all delegation events with the original authority source, the delegated authority, and any permission expansion or contraction. Runtime enforcement of delegation boundaries that prevents sub-agents from exercising permissions not explicitly granted in the delegation chain. Anomaly detection on sub-agent actions that are inconsistent with the scope of their delegated task.
Mitigations. Implement explicit, non-inheritable permission grants: delegation should transfer only the specific permissions required for the delegated task, not a copy of the delegator’s full permission set. Require cryptographic attestation of delegation chain integrity at each handoff. Apply the principle of least privilege at every layer of the delegation hierarchy.
CSAI CNA Proposal
Rationale and Positioning
The CVE program’s current CNA ecosystem covers more than 380 organizations, including major software vendors, security research firms, bug bounty platforms, and sector-specific authorities such as CISA’s ICS CNA [16]. The ecosystem’s scope definitions are typically drawn around a vendor’s own products, a research firm’s disclosed findings, or a defined technology domain. No existing CNA holds a scope definition that encompasses agentic AI vulnerabilities as a class. The result is ad hoc assignment: agentic CVEs are filed by whichever CNA the discovering researcher has a relationship with, without consistent taxonomy, without cross-referencing to agent-specific weakness categories, and without the domain expertise required to distinguish a trivially patched input validation flaw from a structurally significant agentic architectural failure.
On March 23, 2026, the Cloud Security Alliance announced the launch of the CSAI Foundation as a 501(c)3 non-profit dedicated exclusively to AI security and safety, with a founding mission of securing the agentic control plane [7]. Among the six strategic programs in the CSAI portfolio is an AI Risk Observatory that explicitly includes operation of a CVE Numbering Authority scoped to agentic AI. This positioning is not incidental. CSAI has organizational continuity with the CSA AI Controls Matrix, MAESTRO, and the broader CSA research output on agentic risk. It has existing relationships with the research community producing agentic disclosures and the vendor community producing agentic products. It is, in structural terms, the appropriate anchor for a domain-specific CNA.
Scope Definition
The CSAI CNA’s scope should be bounded by three criteria applied conjunctively. First, the affected system must be an autonomous or semi-autonomous AI agent—a system that perceives its environment, makes decisions, and takes actions toward a goal without requiring human instruction for each individual action. This definition encompasses LLM-based agents, multi-agent orchestration frameworks, agentic runtimes, and the protocol and communication infrastructure designed specifically for agent-to-agent or agent-to-tool interaction (such as MCP and the emerging Agent-to-Agent protocol). Second, the vulnerability must arise from agent-specific properties—behavioral characteristics, goal representation, memory systems, delegation mechanisms, or trust boundary handling—that distinguish agentic failure modes from classical software vulnerabilities in the same codebase. A buffer overflow in an agent runtime’s memory allocator is a CWE-119 disclosure appropriately handled by the runtime vendor’s existing CNA. A memory poisoning vulnerability that corrupts an agent’s persistent goal state is a CSAI CNA matter. Third, the vulnerability must be publicly disclosable under the CVE program’s existing eligibility criteria.
This scope definition intentionally excludes foundational model vulnerabilities (jailbreaks, model extraction, adversarial examples) except where those vulnerabilities directly enable or are directly enabled by agentic architecture properties. It excludes classical software vulnerabilities in AI infrastructure that happen to be deployed in an agentic context. The boundary is drawn at the agent behavioral layer.
Operational Processes
The CSAI CNA’s intake process should accommodate the non-deterministic, behavior-dependent nature of many agentic vulnerability reports. Existing CNA intake processes are optimized for reports that include a specific version, a reproduction case, and a CVSS vector that can be calculated from the CVE program’s standard metric set. Agentic vulnerability reports will often include probabilistic reproduction cases (the vulnerability manifests in some percentage of attempts under specified conditions), behavioral descriptions rather than code references, and CVSS calculations that do not accurately reflect severity because the standard vector does not include an agent-specific exploitation complexity metric.
The CSAI CNA should establish a triage process that evaluates incoming reports against the scope criteria above, assesses behavioral reproducibility, assigns a preliminary CSAI-specific severity modifier, and coordinates with the discovering researcher on an appropriate disclosure timeline. Given the novelty of many agentic vulnerability classes, the CNA should maintain a technical advisory panel with expertise in agentic system architecture, LLM security research, and the specific frameworks (MCP, OpenClaw, and their successors) that constitute the current production agentic ecosystem. This panel would review disclosures that do not map cleanly to existing CVE and CWE categories, propose new weakness category assignments to the CWE program, and ensure that published CVEs include sufficient technical detail for practitioners to assess applicability to their deployments.
Publication standards should include, in addition to standard CVE fields, a mapping to the closest applicable CSAI proposed CWE extension category, the OWASP Agentic Security Initiative category, and the MAESTRO framework layer most directly implicated. This enrichment transforms each CVE into a structured data point in a growing ontology of agentic failure modes, enabling longitudinal pattern analysis that the CVE program’s current output does not support.
Integration with the Existing CNA Ecosystem
The CSAI CNA should operate as a domain CNA within the CVE program hierarchy, analogous to sector-specific CNAs such as CISA ICS or the Japanese JPCERT/CC. It would coordinate with the broader CVE program through the existing Root CNA structure. For vulnerabilities that span both agentic and non-agentic components—such as a CVE in mcp-remote where the OS command injection is classical but the attack surface exists because of the MCP protocol architecture—the CSAI CNA should establish a formal coordination protocol with the affected vendor’s own CNA to ensure consistent assignment and avoid duplication.
The CSAI CNA should also maintain a public-facing agentic vulnerability database that aggregates CVEs within its scope from all sources—not only disclosures it assigns directly—to provide practitioners with a consolidated view of the agentic CVE landscape. The authzed breach timeline, the VulnerableMCP project, and similar community-maintained resources demonstrate practitioner demand for this aggregation function [12]. A CSAI-operated, authoritative version with richer structured metadata would materially improve the industry’s ability to track and respond to the evolving agentic vulnerability landscape.
Staffing and Tooling Requirements
The CSAI CNA requires a minimum operational team of three full-time roles at launch: a CNA coordinator responsible for intake processing, CVE ID assignment, and program compliance; a technical lead with expertise in agentic system architecture and LLM security research; and a knowledge management specialist responsible for maintaining the public vulnerability database, CWE extension proposals, and framework cross-reference mappings. This team should be supported by a rotating technical advisory panel drawn from the CSA AI Safety Initiative community, providing domain expertise across the specific agentic frameworks, protocols, and platforms within scope.
Tooling requirements include a structured intake portal capable of accepting behavioral reproduction evidence in addition to traditional code-level reproduction steps, a CVSS extension calculator implementing the AI-specific modifiers being developed by the CSA AI Vulnerability Taxonomy working group, and an automated cross-referencing pipeline that maps each accepted CVE to its corresponding OWASP ASI category, MITRE ATLAS technique, AICM control domain, and MAESTRO layer. The metadata enrichment capability is what distinguishes the CSAI CNA from a generic intake operation and makes it a sustainable contribution to the agentic security research ecosystem.
Cross-Reference Mapping
The following table maps the six proposed CWE extension categories to the principal frameworks used by agentic AI security practitioners. OWASP ASI references the Top 10 for Agentic Applications published December 2025 [13]. MITRE ATLAS references the October 2025 update incorporating Zenity Labs agentic AI technique contributions [17]. AICM references the CSA AI Controls Matrix v1.0 [18]. MAESTRO references the CSA framework layers as defined in the February 2025 publication [19].
| Proposed CWE | OWASP ASI Category | MITRE ATLAS Technique | AICM Domain | MAESTRO Layer |
|---|---|---|---|---|
| CWE-AGNT-001: Goal Misalignment Through Instruction Injection | ASI01: Agent Goal Hijack | AML.T0051: LLM Prompt Injection / AI Agent Context Poisoning | AI Behavioral Controls | L3: Agent Frameworks |
| CWE-AGNT-002: Excessive Autonomy Without Authorization Boundary Enforcement | ASI02: Tool Misuse and Exploitation | AML.T0068: Modify AI Agent Configuration | AI Access Management | L4: Deployment and Infrastructure |
| CWE-AGNT-003: Trust Boundary Violation in Inter-Agent Communication | ASI07: Insecure Inter-Agent Communication | AML.T0069: Thread Injection | AI Identity and Trust | L3: Agent Frameworks |
| CWE-AGNT-004: Behavioral Drift Through Context Accumulation | ASI10: Rogue Agents | AML.T0053: LLM Jailbreak (extended: context accumulation variant) | AI Behavioral Monitoring | L5: Evaluation and Observability |
| CWE-AGNT-005: Memory Poisoning for Persistent Behavioral Manipulation | ASI06: Memory and Context Poisoning | AML.T0031: Erode ML Model Integrity / Memory Manipulation | AI Data Integrity | L2: Data Operations |
| CWE-AGNT-006: Delegation Chain Privilege Escalation | ASI03: Identity and Privilege Abuse | AML.T0070: Modify AI Agent Configuration (privilege sub-variant) | AI Privilege Management | L3: Agent Frameworks |
Security Analysis
The catalog assembled in this research note constitutes the first comprehensive inventory of confirmed agentic CVEs as a distinct vulnerability class, and it reveals several patterns that should inform both the CWE extension proposals and the CSAI CNA’s operational design.
The most consequential pattern is the speed of accumulation. The mcp-server-git trilogy (CVE-2025-68143, 68144, 68145) was disclosed in a single research report covering a single product’s official server implementation, authored by a government contractor and published with minimal public notice. CVE-2025-6514 in mcp-remote affected a package downloaded nearly half a million times and was discovered independently of the mcp-server-git research. The OpenClaw cluster produced four CVEs across two months from three different research organizations. This is not a single research team exhaustively analyzing one product; it is a distributed, concurrent discovery cycle indicating that the attack surface is large, that researcher attention is now focused on it, and that the rate of disclosure is likely to increase rather than decrease as production agentic deployments expand.
The second pattern is the consistent inadequacy of existing CWE mappings for the agentic-specific components of these vulnerabilities. CVE-2025-6514 is technically a CWE-78 (OS Command Injection), and the NVD correctly assigns that mapping [2]. But the vulnerability’s severity and novelty derive not from the command injection itself—that is a well-understood weakness—but from the fact that it is reachable through the MCP OAuth flow, which is trusted by LLM clients because it is part of a protocol explicitly designed for AI tool access. The agentic trust relationship is the amplifier that elevates a moderate code-level weakness to a CVSS 9.6 critical. The CWE entry for CWE-78 does not and cannot capture this amplification, because CWE does not have a weakness category describing agent-level trust boundary violations that elevate classical code weaknesses to critical severity in agentic contexts.
The third pattern concerns the cross-cutting nature of agentic failures. The OpenClaw CVEs span four distinct traditional weakness categories: authentication bypass (CVE-2026-25253), command injection (CVE-2026-24763), OS command injection (CVE-2026-25157), and SSRF (CVE-2026-26322) [3][4][5][6]. From a traditional vulnerability management perspective, these are four unrelated bugs requiring four separate patches. From an agentic security architecture perspective, they share a common root cause: the OpenClaw attack surface exists because the framework runs with broad host access, accepts external connections, and processes user-supplied content with system-level consequences. That architectural root cause has no CWE entry. The proposed CWE-AGNT-002 (Excessive Autonomy Without Authorization Boundary Enforcement) describes exactly this pattern, and its absence from the current taxonomy means that the common root cause across all four OpenClaw CVEs is invisible to any organization doing automated CWE-based root cause analysis.
Recommendations
Organizations deploying or evaluating agentic AI systems should take three immediate actions informed by the CVE catalog in this research note. First, audit all deployed MCP server and client implementations against the vulnerability catalog, prioritizing CVE-2025-6514 in any environment using mcp-remote and the Anthropic mcp-server-git trilogy in any environment using Git MCP integration. The mcp-server-git vulnerabilities are exploitable through prompt injection, meaning that an attacker who can influence content the agent reads—a public repository, a shared document, a web page—can achieve code execution without any direct system access [10]. Second, review OpenClaw deployments and confirm version 2026.2.14 or later is running, which addresses all four CVEs in the current catalog. Fifty-five percent of internet-exposed OpenClaw instances identified as vulnerable following the February 2026 disclosures were still unpatched two weeks after patches were available [3]. Third, begin mapping your organization’s agentic architecture to the proposed CWE extension categories as a gap analysis exercise, even before those categories achieve formal CWE program status. The exercise will surface architectural risks—excessive autonomy grants, unvalidated inter-agent trust, unprotected memory stores—that no automated scanner currently detects.
The CSA AI Safety Initiative encourages security researchers, agentic framework vendors, and AI security practitioners to provide comment on the proposed CWE extension categories and the CSAI CNA scope definition through the standard CSA working group process. The accuracy and completeness of the agentic vulnerability catalog, and the eventual quality of the formal CWE extensions submitted to MITRE, depend on the breadth of practitioner input during the proposal phase.
References
[1] “MCP Security 2026: 30 CVEs in 60 Days — What Went Wrong,” heyuan110.com, March 10, 2026. https://www.heyuan110.com/posts/ai/2026-03-10-mcp-security-2026/
[2] JFrog Security Research, “Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients,” JFrog Blog. https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability/; NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-6514
[3] NCC Group / SOCRadar, “CVE-2026-25253: 1-Click RCE in OpenClaw Through Auth Token Exfiltration,” SOCRadar Blog, February 2026. https://socradar.io/blog/cve-2026-25253-rce-openclaw-auth-token/; NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25253
[4] Endor Labs / CVEfeed, “CVE-2026-24763: Authenticated Command Injection in OpenClaw Docker Execution via PATH Environment Variable,” CVEfeed, 2026. https://cvefeed.io/vuln/detail/CVE-2026-24763; NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24763
[5] Miggo Research / CVEDetails, “CVE-2026-25157: OpenClaw SSH Local/Remote RCE,” cvedetails.com, 2026. https://www.cvedetails.com/cve/CVE-2026-25157; NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25157
[6] SentinelOne, “CVE-2026-26322: OpenClaw AI Assistant SSRF Vulnerability,” SentinelOne Vulnerability Database, 2026. https://www.sentinelone.com/vulnerability-database/cve-2026-26322/
[7] Cloud Security Alliance, “Cloud Security Alliance Launches CSAI Foundation With Mission of ‘Securing the Agentic Control Plane,’” CSA Press Release, March 23, 2026. https://cloudsecurityalliance.org/press-releases/2026/03/23/csa-securing-the-agentic-control-plane
[8] MITRE Corporation, “CVE Numbering Authorities,” cve.mitre.org. https://cve.mitre.org/cve/cna.html; CVE Numbering Authority (CNA) Operational Rules v4.1.0. https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.1.0.pdf
[9] Cyata / SecurityWeek, “Anthropic MCP Server Flaws Lead to Code Execution, Data Exposure,” SecurityWeek, January 2026. https://www.securityweek.com/anthropic-mcp-server-flaws-lead-to-code-execution-data-exposure/
[10] The Hacker News, “Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution,” January 2026. https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html
[11] CSO Online, “Three vulnerabilities in Anthropic Git MCP Server could let attackers tamper with LLMs,” January 2026. https://www.csoonline.com/article/4119571/three-vulnerabilities-found-in-anthropic-git-mcp-server-could-let-attackers-tamper-with-llms.html
[12] authzed, “A Timeline of Model Context Protocol (MCP) Security Breaches,” authzed Blog. https://authzed.com/blog/timeline-mcp-breaches
[13] OWASP GenAI Security Project, “OWASP Top 10 for Agentic Applications for 2026,” December 2025. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
[14] MITRE Corporation, “Common Weakness Enumeration (CWE),” cwe.mitre.org. https://cwe.mitre.org/
[15] Adrian Birzu, “openclaw-security-monitor: Proactive security monitoring for OpenClaw deployments,” GitHub, 2026. https://github.com/adibirzu/openclaw-security-monitor
[16] CISA, “CISA Root Common Vulnerability and Exposures Numbering Authority for Industrial Control Systems,” cisa.gov. https://www.cisa.gov/resources-tools/programs/cisa-root-common-vulnerability-and-exposures-numbering-authority-industrial-control-systems
[17] Zenity Labs / MITRE, “Zenity & MITRE ATLAS Expand AI Agent Attack Coverage,” Zenity Blog, October 2025. https://zenity.io/blog/current-events/zenity-labs-and-mitre-atlas-collaborate-to-advances-ai-agent-security-with-the-first-release-of
[18] Cloud Security Alliance, “AI Controls Matrix,” CSA Artifacts. https://cloudsecurityalliance.org/artifacts/ai-controls-matrix
[19] Cloud Security Alliance, “Agentic AI Threat Modeling Framework: MAESTRO,” CSA Blog, February 6, 2025. https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro