CVE-2026-27952
Received Received - Intake
Sandbox Escape in Agenta-API Allows Authenticated Remote Code Execution

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities β€” including `sys.modules` β€” thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27952
EUVD
EUVD-2026-8814
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agentatech agenta to 0.48.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27952 is a high-severity Python sandbox escape vulnerability in the Agenta self-hosted platform's API server. The platform used RestrictedPython to sandbox user-supplied evaluator code but mistakenly allowed the numpy package as safe within the sandbox. This misconfiguration enabled authenticated users to bypass sandbox restrictions and execute arbitrary code on the API server."}, {'type': 'paragraph', 'content': 'The escape was achieved through the numpy.ma.core.inspect module, which exposes Python introspection utilities including sys.modules. Attackers could use sys.modules to access unfiltered system-level functions like os.system, allowing them to run arbitrary shell commands remotely.'}, {'type': 'paragraph', 'content': 'This vulnerability affects only the API server environment and not the standalone SDK. It was fixed in version 0.48.1 by removing numpy from the sandbox allowlist, and in later versions (0.60+) the sandboxing mechanism was replaced entirely.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows any authenticated user, even with low privileges, to execute arbitrary code remotely on the API server. This leads to full remote code execution capabilities.'}, {'type': 'paragraph', 'content': "An attacker could gain complete access to the server's filesystem, environment variables, and secrets within the container, compromising confidentiality, integrity, and availability of the system."}, {'type': 'paragraph', 'content': 'The CVSS v3.1 base score is 8.8 (High), indicating a severe impact with low attack complexity and no user interaction required.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Agenta API server is running a vulnerable version prior to 0.48.1 where numpy is whitelisted in the RestrictedPython sandbox. A proof of concept involves executing commands through the sandbox escape by importing numpy and accessing os.system via numpy.ma.core.inspect.sys.modules.'}, {'type': 'paragraph', 'content': 'A suggested command to test for exploitation is to attempt running a command like "whoami" through the vulnerable sandbox by importing numpy and accessing os.system, for example, using a crafted evaluator code snippet that calls os.system("whoami").'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Agenta API server to version 0.48.1 or later, where numpy has been removed from the sandbox allowlist.

For longer term mitigation, upgrading to version 0.60 or later is recommended, as these versions remove the RestrictedPython sandbox entirely and replace it with a different execution model that prevents similar sandbox escape vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart