CVE-2026-54769 in Langroid
Summary
by MITRE • 07/10/2026
Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` capabilities. When these agents evaluate LLM-generated tool messages with `full_eval=True`, they attempt to sandbox the execution by explicitly setting `locals` to an empty dictionary `{}` inside Python's `eval()` function. However, this relies on an incomplete understanding of Python's execution model. Because `__builtins__` is not explicitly scrubbed from the `globals` dictionary mapping, Python implicitly injects all built-ins during execution, granting full access to functions like `__import__('os').system()`. Since `TableChatAgent.pandas_eval()` executes external LLM outputs natively, this bypass permits any attacker providing prompt payload to achieve unauthenticated RCE on the host system. Version 0.65.2 patches the issue.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The Langroid framework presents a critical security vulnerability in its TableChatAgent and VectorStore components that stems from a fundamental flaw in how it handles sandboxed code execution. This vulnerability manifests when these agents process LLM-generated tool messages with the full_eval=True parameter, creating an exploitable path for remote code execution attacks. The security issue resides in the framework's attempt to implement sandboxing through the eval() function while failing to properly isolate the execution environment. The developers' approach of setting locals to an empty dictionary {} during eval() execution demonstrates a misunderstanding of Python's execution model and security boundaries.
The technical flaw exploits Python's implicit injection of built-in functions into the evaluation context when globals are not properly sanitized. Even though the locals dictionary is cleared, the absence of explicit scrubbing for _builtins_ within the globals mapping allows Python to automatically inject all built-in functions during execution. This means that attackers can access powerful system-level functions such as _import_('os').system() through the implicit injection mechanism, completely bypassing the intended sandbox restrictions. The vulnerability specifically affects TableChatAgent.pandas_eval() method which natively executes external LLM outputs without proper security boundaries, making it a prime target for exploitation.
The operational impact of this vulnerability is severe and far-reaching, as it enables unauthenticated remote code execution on the host system. An attacker who can influence prompt payloads sent to these agents can execute arbitrary commands with the privileges of the running process, potentially leading to complete system compromise. This represents a critical sandbox escape condition that transforms a legitimate framework feature into a dangerous attack vector. The vulnerability affects all versions prior to 0.65.2 and demonstrates how seemingly benign security measures can create catastrophic weaknesses when not properly implemented.
The flaw aligns with CWE-749 (Expose of Functionality to Unintended Actors) and CWE-94 (Improper Control of Generation of Code) while mapping to ATT&CK techniques including T1059.001 (Command and Scripting Interpreter: Python) and T1566 (Phishing). The sandbox escape mechanism violates fundamental security principles by failing to properly isolate the execution environment and demonstrates a classic example of incomplete input sanitization in interpreted environments. Organizations using Langroid versions before 0.65.2 should immediately implement mitigation strategies including patching to the latest version, implementing network segmentation, and monitoring for suspicious LLM-generated content that might attempt to exploit this vulnerability.
This vulnerability serves as an important lesson in secure coding practices for interpreted languages and highlights the necessity of understanding language-specific security implications when implementing sandboxing mechanisms. The issue demonstrates how the assumption that clearing locals is sufficient for security isolation can lead to critical oversights in Python's execution model, particularly around built-in function availability during eval() operations. Proper implementation requires explicit removal or restriction of _builtins_ from globals as well as consideration of alternative approaches to dynamic code evaluation that minimize attack surface exposure while maintaining functionality.