CVE-2026-27952 (GCVE-0-2026-27952)

Vulnerability from cvelistv5 – Published: 2026-02-26 01:38 – Updated: 2026-02-26 19:27
Title
Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)
Summary
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
  • GitHub_M
References
  • https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq
Impacted products
  • Vendor: Agenta-AI
  • Product: agenta-api
  • Version: Affected: < 0.48.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27952",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T19:27:13.151791Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T19:27:29.328Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "agenta-api",
          "vendor": "Agenta-AI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.48.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta\u0027s custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python\u0027s introspection utilities \u2014 including `sys.modules` \u2014 thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T01:38:00.760Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq"
        }
      ],
      "source": {
        "advisory": "GHSA-pmgp-2m3v-34mq",
        "discovery": "UNKNOWN"
      },
      "title": "Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27952",
    "datePublished": "2026-02-26T01:38:00.760Z",
    "dateReserved": "2026-02-25T03:11:36.690Z",
    "dateUpdated": "2026-02-26T19:27:29.328Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-27952",
      "date": "2026-04-20",
      "epss": "0.00103",
      "percentile": "0.28107"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27952\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T02:16:22.940\",\"lastModified\":\"2026-03-02T18:43:36.277\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta\u0027s custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python\u0027s introspection utilities \u2014 including `sys.modules` \u2014 thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.\"},{\"lang\":\"es\",\"value\":\"Agenta es una plataforma LLMOps de c\u00f3digo abierto. En Agenta-API, antes de la versi\u00f3n 0.48.1, exist\u00eda una vulnerabilidad de escape de sandbox de Python en el evaluador de c\u00f3digo personalizado de Agenta. Agenta utilizaba RestrictedPython como mecanismo de sandboxing para el c\u00f3digo de evaluador proporcionado por el usuario, pero incluy\u00f3 incorrectamente el paquete \u0027numpy\u0027 en la lista blanca como seguro dentro del sandbox. Esto permit\u00eda a los usuarios autenticados eludir el sandbox y lograr la ejecuci\u00f3n de c\u00f3digo arbitrario en el servidor API. 
La ruta de escape fue a trav\u00e9s de \u0027numpy.ma.core.inspect\u0027, que expone las utilidades de introspecci\u00f3n de Python \u2014incluyendo \u0027sys.modules\u0027\u2014, proporcionando as\u00ed acceso a funcionalidades a nivel de sistema sin filtrar como \u0027os.system\u0027. Esta vulnerabilidad afecta a la plataforma autoalojada de Agenta (servidor API), no al SDK cuando se utiliza como una librer\u00eda Python independiente. El evaluador de c\u00f3digo personalizado se ejecuta en el lado del servidor dentro del proceso API. El problema se solucion\u00f3 en la v0.48.1 eliminando \u0027numpy\u0027 de la lista de permitidos del sandbox. En versiones posteriores (v0.60+), el sandbox de RestrictedPython se elimin\u00f3 por completo y se reemplaz\u00f3 por un modelo de ejecuci\u00f3n diferente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[
{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:agentatech:agenta:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.48.1\",\"matchCriteriaId\":\"97DA97AA-00E2-48A5-8EEE-2F922094E66F\"}]}]}],\"references\":[{\"url\":\"https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}