Vulnerability Description
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Agentatech | Agenta | < 0.48.1 |
Related Weaknesses (CWE)
References
- https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mqExploitVendor Advisory
FAQ
What is CVE-2026-27952?
CVE-2026-27952 is a vulnerability with a CVSS score of 8.8 (HIGH). Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sand...
How severe is CVE-2026-27952?
CVE-2026-27952 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27952?
Check the references section above for vendor advisories and patch information. Affected products include: Agentatech Agenta.