Cyber Posture

CVE-2026-27952

Severity High · Public PoC

Published: 26 February 2026

Modified 02 March 2026
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.4th percentile
Risk Priority 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Software-enforced separation policies, for example a correctly configured RestrictedPython sandbox, that block escapes through numpy introspection to `sys.modules` and `os.system`.
- prevent: Separation of the user-supplied code evaluation function from system functionality, so that a sandbox bypass does not reach arbitrary server-side code execution.
- prevent: Confinement and validation of user-supplied code, treated as mobile code, within approved sandbox domains, mitigating exploitation through incorrectly allowlisted unsafe packages such as numpy.

Security Summary (AI-generated)

CVE-2026-27952 is a Python sandbox escape vulnerability in the Agenta-API component of Agenta, an open-source LLMOps platform, affecting versions prior to 0.48.1. The flaw arises from Agenta's use of RestrictedPython to sandbox user-supplied code in its custom code evaluator, where the numpy package was incorrectly whitelisted as safe. This enables bypass through numpy.ma.core.inspect, which exposes Python introspection utilities like sys.modules, granting access to unrestricted system functions such as os.system. The vulnerability impacts the self-hosted Agenta platform's API server process, where the evaluator executes server-side, but does not affect the Agenta SDK used as a standalone Python library.
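The description and the summary above both turn on the same defensive lesson: an allowlisted package is only as safe as every module reachable from it by attribute access, since RestrictedPython does not stop `pkg.sub.mod.sys` once `pkg` is importable. The script below is an added example written for this page, not Agenta's code, that audits a sandbox allowlist by walking module-valued attributes and reporting any chain that lands on an introspection, interpreter-state or OS module. It uses a constructed stand-in package (`fakenumpy`, built with `types.ModuleType`) that mirrors the `ma.core.inspect` layout the advisory names, so it runs without numpy installed; `DANGEROUS_MODULES` and the depth bound are the example's own assumptions.

```python
"""Audit a sandbox import allowlist for transitive exposure of dangerous modules.

Added example for CVE-2026-27952; not part of the Agenta project. It answers the
question a reviewer should ask before allowlisting a package in a
RestrictedPython-style sandbox: can attribute access through this package reach
`inspect`, `sys`, `os` or raw `builtins`?
"""
import inspect
import math
import types
from collections import deque

# Assumption of this example: modules whose reachability from allowlisted code
# defeats the sandbox (introspection, interpreter state, OS access, raw builtins).
DANGEROUS_MODULES = frozenset(
    {"inspect", "sys", "os", "builtins", "subprocess", "importlib", "ctypes"}
)


def find_exposed_modules(root, root_name, max_depth=4):
    """Breadth-first walk over module-valued attributes starting at `root`.

    Returns a sorted list of (dotted_path, module_name) for every attribute
    chain of at most `max_depth` hops that ends on a module in
    DANGEROUS_MODULES. Only attributes that are themselves modules are
    followed, because that is the only kind of chain an allowlisted-package
    escape needs.
    """
    findings = []
    seen = {id(root)}
    queue = deque([(root, root_name, 0)])
    while queue:
        mod, path, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for attr in dir(mod):
            try:
                value = getattr(mod, attr)
            except Exception:  # lazy or broken attributes must not abort the audit
                continue
            if not isinstance(value, types.ModuleType):
                continue
            child_path = f"{path}.{attr}"
            if value.__name__ in DANGEROUS_MODULES:
                findings.append((child_path, value.__name__))
            if id(value) not in seen:
                seen.add(id(value))
                queue.append((value, child_path, depth + 1))
    return sorted(findings)


def audit_allowlist(allowlist):
    """Return {allowlisted_name: findings} for every module that leaks."""
    report = {}
    for name, mod in allowlist.items():
        hits = find_exposed_modules(mod, name)
        if hits:
            report[name] = hits
    return report


def build_fake_numpy():
    """Constructed stand-in for the layout the advisory describes: a package
    whose `ma.core` submodule keeps a module-level reference to `inspect`."""
    pkg = types.ModuleType("fakenumpy")
    ma = types.ModuleType("fakenumpy.ma")
    core = types.ModuleType("fakenumpy.ma.core")
    core.inspect = inspect  # the leaked reference
    ma.core = core
    pkg.ma = ma
    return pkg


def demo_report():
    """Audit a two-entry allowlist: `math` (a C extension with no module
    attributes) is clean; the fake numpy package is flagged."""
    return audit_allowlist({"math": math, "fakenumpy": build_fake_numpy()})


if __name__ == "__main__":
    for name, hits in demo_report().items():
        print(f"{name}: leaks {len(hits)} dangerous module(s)")
        for path, target in hits:
            print(f"  {path} -> {target}")
```

The walk deliberately follows only module objects; classes and functions are left to RestrictedPython's own `_getattr_` guard. Run it against the real allowlist (the actual module objects, not just names) as a CI check so that a package whose submodules import `sys` or `inspect` cannot be allowlisted silently.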

Authenticated users with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation leads to arbitrary code execution on the API server, providing high confidentiality, integrity, and availability impacts, as scored at CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-94 (Improper Control of Generation of Code).

The GitHub security advisory (GHSA-pmgp-2m3v-34mq) at https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq confirms the issue was fixed in Agenta-API version 0.48.1 by removing numpy from the RestrictedPython sandbox allowlist. Subsequent versions from 0.60 onward eliminate the RestrictedPython sandbox entirely, replacing it with a different execution model.

This vulnerability is relevant to AI/ML practitioners deploying LLMOps platforms, since it affects the custom code evaluation features common to such environments. The available details note no public evidence of real-world exploitation.

Details

CWE(s)

CWE-94 Improper Control of Generation of Code

Affected Products

agentatech / agenta / ≤ 0.48.1

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability enables remote exploitation (T1190/T1210) of a network-accessible API service by low-privileged authenticated users, with a sandbox escape leading to arbitrary Python code execution (T1059.006) and privilege escalation (T1068) on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
