CVE-2026-54769
Received Received - Intake

Sandbox Escape via RCE in Langroid Framework

Vulnerability report for CVE-2026-54769, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` capabilities. When these agents evaluate LLM-generated tool messages with `full_eval=True`, they attempt to sandbox the execution by explicitly setting `locals` to an empty dictionary `{}` inside Python's `eval()` function. However, this relies on an incomplete understanding of Python's execution model. Because `__builtins__` is not explicitly scrubbed from the `globals` dictionary mapping, Python implicitly injects all built-ins during execution, granting full access to functions like `__import__('os').system()`. Since `TableChatAgent.pandas_eval()` executes external LLM outputs natively, this bypass permits any attacker providing prompt payload to achieve unauthenticated RCE on the host system. Version 0.65.2 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
langroid langroid to 0.65.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Langroid versions prior to 0.65.2 and involves a critical sandbox escape that leads to Remote Code Execution (RCE). The issue arises in the TableChatAgent and VectorStore components when they evaluate large language model (LLM)-generated tool messages with the parameter full_eval=True. The code attempts to sandbox execution by setting the locals dictionary to empty in Python's eval() function, but it fails to remove __builtins__ from the globals dictionary. Because of this, Python implicitly injects all built-in functions, allowing attackers to execute arbitrary system commands by crafting malicious prompts. This means an attacker can bypass the sandbox and run unauthorized code on the host system.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated remote attackers to execute arbitrary code on the host system running vulnerable Langroid versions. This can lead to full compromise of the affected system, including unauthorized access, data theft, data modification, service disruption, or further attacks within the network. The vulnerability has a critical CVSS score of 10.0, indicating it is easy to exploit remotely with no privileges required and results in complete loss of confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by attempting to exploit the sandbox escape in a controlled environment. A proof-of-concept involves sending a crafted prompt to a vulnerable Langroid installation that triggers execution of arbitrary system commands via the vulnerable eval() usage.

One detection method is to check if the system creates evidence files such as "/tmp/rce_success_table" after sending a crafted prompt that tries to execute a command like __import__('os').system('touch /tmp/rce_success_table').

You can also inspect the Langroid version installed on your system. Versions 0.65.1 and earlier are vulnerable, while version 0.65.2 and later include the patch.

  • Send a crafted prompt to the Langroid agent that attempts to execute: __import__('os').system('touch /tmp/rce_success_table')
  • Check for the presence of the file /tmp/rce_success_table on the host system after the test.
  • Verify the installed Langroid version with a command or by inspecting the package metadata.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade Langroid to version 0.65.2 or later, where the vulnerability has been patched.

Avoid using the vulnerable features TableChatAgent and VectorStore with full_eval=True until the patch is applied.

If upgrading is not immediately possible, restrict network access to the vulnerable Langroid service to prevent unauthenticated remote exploitation.

Compliance Impact

The vulnerability allows unauthenticated remote code execution (RCE) on the host system, which can lead to a complete compromise of confidentiality, integrity, and availability of the affected system.

Such a critical security flaw can result in unauthorized access to sensitive data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, if exploited, this vulnerability could cause non-compliance with these regulations due to data breaches or unauthorized system control.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart