CVE-2026-27952 in agenta-api
Summary
by MITRE • 02/26/2026
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability CVE-2026-27952 represents a critical sandbox escape flaw in Agenta-API versions prior to 0.48.1, exposing the open-source LLMOps platform to arbitrary code execution risks. This issue stems from the platform's use of RestrictedPython as a code sandboxing mechanism for user-supplied evaluator code, which was designed to prevent unauthorized access to system resources. However, the implementation contained a significant oversight where the numpy package was incorrectly whitelisted as safe within the restricted environment, creating a pathway for authenticated attackers to bypass security controls.
The technical exploitation of this vulnerability occurs through a specific code path involving the `numpy.ma.core.inspect` module, which provides access to Python's introspection utilities. This module exposes `sys.modules` and other system-level functionality that bypasses the sandbox restrictions, allowing attackers to execute arbitrary system commands through `os.system` calls. The vulnerability specifically affects the Agenta self-hosted platform's API server, where custom code evaluators run server-side within the API process, making it particularly dangerous because the evaluator code runs with the privileges of the API server itself. The flaw demonstrates a classic sandbox escape pattern in which a seemingly benign package inclusion creates a backdoor for privilege escalation.
The operational impact of this vulnerability is severe for organizations using the Agenta platform, as authenticated users can achieve complete system compromise without requiring additional privileges. This allows attackers to execute malicious code, access sensitive data, modify system configurations, or establish persistence mechanisms within the API server environment. The vulnerability affects only the API server component and not the SDK when used as a standalone library, but this distinction does not mitigate the risk for self-hosted deployments where the API server is exposed to authenticated users. Organizations relying on Agenta for LLM operations and code evaluation face potential data breaches and system compromise through this vector.
The vulnerability is classified under CWE-284 Access Control Bypass and aligns with ATT&CK techniques such as T1059 Command and Scripting Interpreter and T1566 Impair Defenses, as it allows attackers to execute arbitrary commands and potentially disable security measures. The fix implemented in version 0.48.1 addresses the root cause by removing numpy from the sandbox allowlist, effectively closing the escape path. Subsequent versions (0.60+) eliminated RestrictedPython entirely and adopted a different execution model, representing a more robust architectural approach to code sandboxing. Organizations should immediately upgrade to version 0.48.1 or later and implement monitoring for unauthorized code execution attempts. The vulnerability highlights the importance of careful package whitelisting in sandboxed environments and demonstrates how even trusted dependencies can introduce security risks when improperly configured within restricted execution contexts.
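The defect described above is a re-export problem: a package that is harmless on its own carries a public attribute that is itself the `inspect` or `sys` module, and a RestrictedPython allowlist that admits the package admits everything reachable through that attribute. The following script is an added example, not Agenta's or VulDB's code, showing the audit a defender can run over a proposed allowlist before shipping it. It walks the public attributes of each allowlisted module breadth-first and reports the shortest dotted path that lands on a module a sandbox must never expose. It assumes a RestrictedPython-style sandbox in which attribute names beginning with an underscore are already refused by the default guards, so only public names are followed, and it only follows module-typed attributes (classes, functions and their `__globals__` are not walked). The demo allowlist is constructed for illustration: the standard-library `dataclasses` module re-exports both `sys` and `inspect`, which is the same shape as the `numpy.ma.core.inspect` exposure, while `math` is a C extension with no module attributes. On a host with numpy installed, `audit_allowlist(["numpy"])` runs the same walk over the package the advisory names.

```python
"""Audit a sandbox allowlist for modules that re-export introspection or
system modules, the class of defect behind CVE-2026-27952.

Added example; not Agenta's or VulDB's code. Assumes a RestrictedPython-style
sandbox whose default guards already block attribute names starting with "_",
so only public attributes are walked.
"""
import importlib
import types
from collections import deque

# Modules that defeat a Python sandbox once reachable. 'inspect' is the one the
# advisory names: it hands out sys.modules and, through it, os.system.
DANGEROUS_MODULES = {
    "sys", "os", "inspect", "subprocess", "builtins", "importlib",
    "ctypes", "gc", "shutil", "posixpath", "ntpath",
}


def _top_level(mod: types.ModuleType) -> str:
    """Top-level package name of a module ('numpy.ma.core' -> 'numpy')."""
    return getattr(mod, "__name__", "").split(".")[0]


def audit_allowlist(allowlist, max_depth=3):
    """Return {dotted_path: dangerous_module_name} for every chain of public
    attributes, at most max_depth long, that leads from an allowlisted module
    to a module in DANGEROUS_MODULES.  Only the shortest path to each
    dangerous module is reported; an allowlisted root that is itself dangerous
    is reported under its own name."""
    findings = {}
    seen = set()  # ids of module objects already examined or reported
    queue = deque()

    for name in allowlist:
        try:
            root = importlib.import_module(name)
        except ImportError:
            continue  # not installed here; nothing to walk
        if _top_level(root) in DANGEROUS_MODULES:
            findings[name] = _top_level(root)
            continue
        seen.add(id(root))
        queue.append((name, root, 0))

    while queue:
        path, mod, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for attr in dir(mod):
            if attr.startswith("_"):
                continue  # refused by RestrictedPython's default guards
            try:
                value = getattr(mod, attr)
            except Exception:
                continue  # lazy or broken attributes are not reachable anyway
            if not isinstance(value, types.ModuleType) or id(value) in seen:
                continue
            seen.add(id(value))
            child_path = f"{path}.{attr}"
            top = _top_level(value)
            if top in DANGEROUS_MODULES:
                findings[child_path] = top  # record, but do not descend
            else:
                queue.append((child_path, value, depth + 1))
    return findings


def is_allowlist_safe(allowlist, max_depth=3):
    """True when no allowlisted module exposes a dangerous module publicly."""
    return not audit_allowlist(allowlist, max_depth)


if __name__ == "__main__":
    # Constructed demo allowlist: 'dataclasses' re-exports sys and inspect,
    # 'math' exposes no modules at all.
    for path, danger in sorted(audit_allowlist(["dataclasses", "math"]).items()):
        print(f"{path} -> {danger}")
```

The walk stops at the first dangerous module on each path and never recurses into it, so the report stays short and points at the attribute that should make a reviewer reject the package rather than at every symbol beyond it. Treat a non-empty result as a reason to drop the package from the allowlist, as the 0.48.1 fix did for `numpy`, rather than as something to patch around with a finer-grained filter.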