{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27952", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.690Z", "datePublished": "2026-02-26T01:38:00.760Z", "dateUpdated": "2026-02-26T19:27:29.328Z"}, "containers": {"cna": {"title": "Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq"}], "affected": [{"vendor": "Agenta-AI", "product": "agenta-api", "versions": [{"version": "< 0.48.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:38:00.760Z"}, "descriptions": [{"lang": "en", "value": "Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities \u2014 including `sys.modules` \u2014 thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model."}], "source": {"advisory": "GHSA-pmgp-2m3v-34mq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T19:27:13.151791Z", "id": "CVE-2026-27952", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:27:29.328Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:agentatech:agenta:*:*:*:*:*:*:*:*", "matchCriteriaId": "97DA97AA-00E2-48A5-8EEE-2F922094E66F", "versionEndExcluding": "0.48.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities \u2014 including `sys.modules` \u2014 thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model."}], "id": "CVE-2026-27952", "lastModified": "2026-03-02T18:43:36.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T02:16:22.940", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.48.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "agenta-api", "source": "cna", "vendor": "Agenta-AI"}, "product": "agenta-api", "vendor": "agenta-ai"}], "analysis": {"en": {"generated_at": "2026-04-17T14:31:30.769567+00:00", "value": {"mitigation_remediation": ["Upgrade Agenta\u2011API to version 0.48.1 or later to remove numpy from the sandbox allowlist.", "If an immediate upgrade is not possible, modify the sandbox configuration or apply a patch to unallow numpy before the evaluator executes.", "Disable or restrict the custom code evaluator for unauthenticated or non\u2011trusted users to prevent execution of arbitrary code."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Agenta\u2011API component of the Agenta self\u2011hosted LLMOps platform. All releases before 0.48.1 are susceptible. The issue was addressed in v0.48.1 by removing numpy from the sandbox allowlist. Versions 0.60 and later replace the RestrictedPython sandbox entirely and are not affected.", "description_and_impact": "Agenta\u2019s custom code evaluator uses the RestrictedPython sandbox to protect user\u2011supplied code. Prior to v0.48.1 the platform erroneously marked the numpy library as safe, allowing the evaluator to import numpy.ma.core.inspect. This module exposes introspection functions that give direct access to the global sys.modules dictionary, which can be exploited to invoke system commands such as os.system. The flaw matches the code injection weakness identified by CWE\u201194 and facilitates arbitrary code execution. Because the attacker can run the code inside the API process, the impact is full control over the machine that hosts the API server.", "risk_and_exploitability": "The CVSS score of 8.8 highlights the high severity, and the EPSS of less than 1% indicates that the likelihood of exploitation is low at present. The flaw is not listed in the CISA KEV catalog. Nonetheless, the attack requires an authenticated user to submit code to the custom evaluator, meaning that compromised credentials or privileged access to the platform provide a direct path to arbitrary code execution. Due to the high impact and high privileges needed, sites should consider this a critical risk if they run an affected version and rely on the code evaluator feature."}}}}, "created": "2026-02-26T13:09:58.140635+00:00", "updated": "2026-04-17T14:45:21.020285+00:00", "vendors": ["agenta-ai", "agenta-ai$PRODUCT$agenta-api"]}