CVE-2026-5584
Received - Intake
Remote Code Injection in Fosowl agenticSeek PyInterpreter.execute

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability has been found in Fosowl agenticSeek 0.1.0. Impacted is the function PyInterpreter.execute of the file sources/tools/PyInterpreter.py of the component query Endpoint. Such manipulation leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-04-05
Last Modified: 2026-04-30
Generated: 2026-05-06
AI Q&A: 2026-04-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: fosowl
Product: agenticseek
Version / Range: 0.1.0
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5584 is a remote code injection vulnerability in the AgenticSeek project (version 0.1.0), recorded against the function PyInterpreter.execute in sources/tools/PyInterpreter.py. The underlying problem is that the project's interpreter components run large language model (LLM)-generated code without sandboxing or restrictions. The Python interpreter passes the generated code to Python's exec() with full access to system modules, so whatever the model emits runs with the agent's privileges. The Bash interpreter hands generated commands to a shell, which allows command injection, and the other interpreters compile and run code with no isolation either.

The vulnerability arises because there are no execution timeouts, resource limits, or sandboxing, and the safety mechanisms intended to block dangerous commands are disabled by default and incomplete. The query endpoint accepts unauthenticated HTTP POST requests, so an attacker who can reach it can have the agent generate and execute arbitrary code on the host system.


How can this vulnerability impact me?

This vulnerability can lead to complete system compromise by allowing attackers to execute arbitrary commands with the privileges of the running process. It enables theft of sensitive data such as API keys and credentials by reading files like .env and exfiltrating their contents.

  • Arbitrary command execution on the host system.
  • Theft and exfiltration of sensitive data.
  • Lateral movement through reverse shells or SSH connections.
  • Persistence mechanisms such as backdoors, cron jobs, or user creation.
  • Denial of service via resource exhaustion due to lack of execution limits.
  • Supply chain risks from indirect prompt injection triggering code execution.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation attempts look like HTTP POST requests to the /query endpoint arriving from hosts that should not be talking to the service, and, after a successful request, like shells or network tools spawned by the agenticSeek process. Note that the JSON body carrying the prompt is normally not written to a reverse proxy's access log, so keyword matches such as 'exec' are only possible in the application's own logs or in a proxy explicitly configured to log request bodies.

Start with the web server or reverse proxy logs: list every POST to /query and compare the source addresses with the hosts that are expected to use the service.

Additionally, network monitoring tools can be used to detect unusual outbound connections or command execution patterns indicative of exploitation attempts.

Specific commands might include:

  • Listing the sources of POST requests to the endpoint, for example: grep 'POST /query' /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn (adjust the log path if the service is not behind nginx).
  • Monitoring running processes for unexpected shells or network tools spawned by the Fosowl agenticSeek process, for example with ps -eo pid,ppid,comm,args --forest and inspecting the subtree under the agent's Python process.
  • Using network monitoring tools like tcpdump or Wireshark to capture and analyze traffic to the /query endpoint, and outbound connections from the host that the agent has no reason to make.
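The two checks above, the access-log review and the process-tree review, implemented as an added example for this page (not code from the agenticSeek project). The log lines, addresses, PIDs, the agent's command line and the trusted networks are constructed for illustration:

```python
"""Added example for this advisory, not agenticSeek code: two detections over
constructed sample data. One scans reverse-proxy access log lines for POST
/query requests from addresses outside the trusted networks; the other walks a
process table for shells or network tools descending from the agent process.
All sample data below is made up."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed nginx combined-format lines. 127.0.0.1 and 10.0.0.5 stand for
# the local UI and an internal client; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as "unexpected" sources.
SAMPLE_LOG = """\
127.0.0.1 - - [05/Apr/2026:10:00:01 +0000] "POST /query HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:10:00:05 +0000] "POST /query HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [05/Apr/2026:10:00:06 +0000] "GET / HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.4 - - [05/Apr/2026:10:00:09 +0000] "POST /query HTTP/1.1" 200 1900 "-" "curl/8.5.0"
10.0.0.5 - - [05/Apr/2026:10:00:12 +0000] "POST /query HTTP/1.1" 200 700 "-" "Mozilla/5.0"
""".splitlines()

# Constructed `ps -eo pid,ppid,comm,args` rows: (pid, ppid, comm, args).
# The agent's command line "python3 api.py" is a hypothetical placeholder.
SAMPLE_PROCS: List[Tuple[int, int, str, str]] = [
    (1, 0, "systemd", "/sbin/init"),
    (4242, 1, "python3", "python3 api.py"),           # the agent process
    (4300, 4242, "python3", "python3 -I -"),          # sandboxed child interpreter: fine
    (4301, 4242, "bash", "bash -c 'id; cat .env'"),   # shell under the agent: flag
    (4302, 4301, "nc", "nc 203.0.113.7 4444"),        # grandchild network tool: flag
    (5000, 1, "bash", "-bash"),                       # an admin's login shell: not ours
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Process names worth flagging when they hang off an LLM agent process.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "nc", "ncat", "netcat", "socat", "ssh", "curl", "wget"}


def flag_query_requests(lines, trusted_nets=("127.0.0.0/8", "10.0.0.0/8")):
    """Return POST /query requests whose client address lies outside trusted_nets
    (the trusted ranges are an assumption; set them to your own deployment)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/query"):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in trusted):
            continue
        hits.append({"ip": m["ip"], "time": m["time"], "status": int(m["status"])})
    return hits


def find_spawned_shells(procs, agent_pid):
    """Return (pid, args) for every shell or network tool that descends from
    agent_pid, at any depth, sorted by pid."""
    children: Dict[int, List[Tuple[int, str, str]]] = {}
    for pid, ppid, comm, args in procs:
        children.setdefault(ppid, []).append((pid, comm, args))
    flagged, stack = [], [agent_pid]
    while stack:
        for pid, comm, args in children.get(stack.pop(), []):
            if comm in SHELL_LIKE:
                flagged.append((pid, args))
            stack.append(pid)   # keep walking: grandchildren count too
    return sorted(flagged)


if __name__ == "__main__":
    for hit in flag_query_requests(SAMPLE_LOG):
        print("POST /query from untrusted source:", hit)
    for pid, args in find_spawned_shells(SAMPLE_PROCS, 4242):
        print("suspicious child of agent:", pid, args)
```

Feed `flag_query_requests` the real access log with `open(path).read().splitlines()` and `find_spawned_shells` the parsed output of `ps -eo pid,ppid,comm,args`; the legitimate sandboxed child interpreter in the sample is deliberately not flagged, which is the kind of tuning the process check needs once a fix that spawns children is deployed.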

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Disable or restrict access to the /query endpoint (firewall it to trusted hosts or put authentication in front of it) to prevent unauthenticated remote code execution.
  • Enable the safe_mode feature in the software to activate the safety blocklist, although it is incomplete and should not be solely relied upon.
  • Replace the use of exec() with subprocess-based execution that runs code in a separate process with restricted permissions, an empty environment, a timeout, and resource limits.
  • Avoid using shell=True with untrusted input; instead, use subprocess.run() with argument lists, so shell metacharacters in the generated command are passed literally rather than interpreted.
  • Implement sandboxing for all code execution using Docker containers with network disabled, read-only filesystems, seccomp profiles, and resource limits.
  • Fix the string concatenation bug in the blocklist and replace the blocklist with an allowlist permitting only known-safe commands.
  • Require explicit user confirmation before executing any generated code.
  • Restrict the globals passed to exec() by removing access to os, sys, and the full __builtins__, treating this only as defense in depth: a trimmed builtins dictionary is not a security boundary, because the interpreter's object graph (for example via __class__ and __subclasses__) stays reachable from any object the code can name, and a separate process is still required.
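The exec() replacement and the allowlisted command runner from the list above, written as an added example for this page rather than taken from the agenticSeek code base. The in-process exec() wrapper is kept only to show the contrast; the function names, the allowlist contents and the rlimit values are assumptions:

```python
"""Added example for this advisory, not code from the agenticSeek project.
It contrasts the in-process exec() pattern the Q&A describes with a hardened
executor that runs generated code in a separate `python -I` process with an
empty environment, a wall-clock timeout and rlimits, and replaces shell=True
with an argv allowlist. All names and limits below are illustrative."""
import contextlib
import io
import os
import resource
import shlex
import shutil
import subprocess
import sys
import tempfile

# Illustrative allowlist: programs the agent may run, nothing else.
ALLOWED_COMMANDS = {"echo", "ls", "cat", "wc", "head", "grep"}


def vulnerable_execute(code: str) -> str:
    """The unsafe pattern: exec() inside the agent process. An empty globals
    dict does not help, Python inserts the full __builtins__ into it, so the
    code can `import os` and act with the agent's privileges."""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(code, {})
    return buf.getvalue()


def _cap(res: int, want: int) -> None:
    """Set soft and hard rlimit to `want`, never above the current hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        want = min(want, hard)
    resource.setrlimit(res, (want, want))


def _apply_limits() -> None:
    """Runs in the child between fork and exec (illustrative values): cap CPU
    seconds, address space and the size of any file the code can write."""
    _cap(resource.RLIMIT_CPU, 5)
    _cap(resource.RLIMIT_AS, 1 << 30)     # 1 GiB
    _cap(resource.RLIMIT_FSIZE, 1 << 20)  # 1 MiB


def _run(argv, stdin_text, timeout):
    """Shared runner: no shell, empty environment (no API keys leak in), a
    throwaway working directory, captured output, kill on timeout."""
    io_args = {"input": stdin_text} if stdin_text is not None else {"stdin": subprocess.DEVNULL}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                argv, env={}, cwd=scratch, capture_output=True, text=True,
                timeout=timeout, preexec_fn=_apply_limits, **io_args,
            )
        except subprocess.TimeoutExpired:
            return {"stdout": "", "stderr": f"killed after {timeout}s",
                    "returncode": None, "timed_out": True}
    return {"stdout": proc.stdout, "stderr": proc.stderr,
            "returncode": proc.returncode, "timed_out": False}


def run_python_isolated(code: str, timeout: float = 10.0) -> dict:
    """Hardened replacement for exec(): a fresh interpreter in isolated mode
    (-I ignores PYTHONPATH and the user site directory). The program text is
    fed over stdin ("-") so it never shows up in the process list."""
    return _run([sys.executable, "-I", "-"], code, timeout)


def run_shell_allowlisted(cmdline: str, timeout: float = 10.0) -> dict:
    """Replacement for shell=True: split into argv, accept only allowlisted
    programs, and exec the resolved binary directly so ; | && $() are literal
    arguments rather than shell syntax."""
    argv = shlex.split(cmdline)
    name = argv[0] if argv else "<empty>"
    if not argv or name not in ALLOWED_COMMANDS:
        return {"allowed": False, "stdout": "", "stderr": f"not in allowlist: {name}",
                "returncode": None, "timed_out": False}
    path = shutil.which(name)
    if path is None:
        return {"allowed": False, "stdout": "", "stderr": f"not found: {name}",
                "returncode": None, "timed_out": False}
    result = _run([path, *argv[1:]], None, timeout)
    result["allowed"] = True
    return result


def demonstrate_process_boundary():
    """(runs_in_agent_process, runs_in_agent_process) for the two executors:
    the exec() version reports the agent's own PID, the isolated one does not."""
    probe = "import os; print(os.getpid())"
    in_agent = vulnerable_execute(probe).strip() == str(os.getpid())
    in_child = run_python_isolated(probe)["stdout"].strip() == str(os.getpid())
    return in_agent, in_child


if __name__ == "__main__":
    print(demonstrate_process_boundary())
    print(run_python_isolated("while True: pass", timeout=1))
    print(run_shell_allowlisted("echo hello; rm -rf /")["stdout"], end="")
```

The `rm -rf /` in the last call is printed back as text because it was never given to a shell, which is exactly the property the argument-list form buys. A separate process with rlimits and an empty environment stops environment and in-process secret access and bounds CPU, memory and disk, but it is still the same user and filesystem: the container, seccomp and read-only filesystem steps in the list are what turn it into a real sandbox.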

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on the host system, leading to complete system compromise.

Such a compromise can result in theft of sensitive data including API keys and credentials, data exfiltration by reading any accessible file, and persistence mechanisms that could maintain unauthorized access.

These impacts can lead to violations of data protection regulations and standards such as GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could cause non-compliance with these regulations due to potential data breaches, unauthorized data access, and failure to maintain adequate security controls.

