CVE-2026-27952
Sandbox Escape in Agenta-API Allows Authenticated Remote Code Execution
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agentatech | agenta | < 0.48.1 (0.48.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27952 is a high-severity Python sandbox escape vulnerability in the Agenta self-hosted platform's API server. The platform used RestrictedPython to sandbox user-supplied evaluator code but mistakenly allowed the numpy package as safe within the sandbox. This misconfiguration enabled authenticated users to bypass sandbox restrictions and execute arbitrary code on the API server.

The escape was achieved through the numpy.ma.core.inspect module, which exposes Python introspection utilities including sys.modules. Attackers could use sys.modules to access unfiltered system-level functions like os.system, allowing them to run arbitrary shell commands remotely.

This vulnerability affects only the API server environment and not the standalone SDK. It was fixed in version 0.48.1 by removing numpy from the sandbox allowlist, and in later versions (0.60+) the sandboxing mechanism was replaced entirely. [1]
How can this vulnerability impact me?
This vulnerability allows any authenticated user, even with low privileges, to execute arbitrary code remotely on the API server. This leads to full remote code execution capabilities.

An attacker could gain complete access to the server's filesystem, environment variables, and secrets within the container, compromising confidentiality, integrity, and availability of the system.

The CVSS v3.1 base score is 8.8 (High), indicating a severe impact with low attack complexity and no user interaction required. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Agenta API server is running a vulnerable version prior to 0.48.1, where numpy is whitelisted in the RestrictedPython sandbox. A proof of concept involves executing commands through the sandbox escape by importing numpy and accessing os.system via numpy.ma.core.inspect.sys.modules.

A suggested command to test for exploitation is to attempt running a command like "whoami" through the vulnerable sandbox by importing numpy and accessing os.system, for example, using a crafted evaluator code snippet that calls os.system("whoami"). [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Agenta API server to version 0.48.1 or later, where numpy has been removed from the sandbox allowlist.
For longer term mitigation, upgrading to version 0.60 or later is recommended, as these versions remove the RestrictedPython sandbox entirely and replace it with a different execution model that prevents similar sandbox escape vulnerabilities.