Description
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32.
Published: 2026-02-04
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Langroid’s TableChatAgent allows evaluation of user‑supplied expressions via pandas_eval. A bypass in the framework’s WAF removes protection originally intended for CVE‑2025‑46724, because _literal_ok incorrectly returns False rather than throwing an UnsafeCommandError. The code also exposes dangerous dunder attributes such as __init__, __globals__, and __builtins__, letting an attacker chain whitelisted DataFrame methods to access the eval builtin. This flaw enables execution of arbitrary code, making it a classic code injection problem (CWE‑94).

Affected Systems

All installations of the Langroid framework built before version 0.59.32 are affected. This includes the langroid product from the langroid vendor. Systems using earlier releases should check their installed version and consider an upgrade.

Risk and Exploitability

The vulnerability carries a CVSS 9.4 score, indicating a high severity of Remote Code Execution. EPSS is less than 1 %, suggesting that exploitation is unlikely to be widespread, and the issue is not yet listed in the CISA KEV catalog. An attacker would need to control input to the TableChatAgent component; once triggered, the bypass allows arbitrary code to run with the privileges of the process hosting the agent. Given the high impact and the low current probability of exploitation, organizations should treat this as a critical patchability risk.

Generated by OpenCVE AI on April 17, 2026 at 23:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langroid to version 0.59.32 or later to incorporate the WAF fix.
  • If an immediate upgrade is not possible, disable the TableChatAgent functionality or remove any code paths that call pandas_eval for untrusted input.
  • Implement additional input validation to ensure that any expressions passed to pandas_eval are strictly literal and that no dunder attributes are accessible, mitigating the risk until a patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 23:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x34r-63hx-w57f Langroid has WAF Bypass Leading to RCE in TableChatAgent
History

Fri, 20 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:langroid:langroid:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Langroid
Langroid langroid
Vendors & Products Langroid
Langroid langroid

Wed, 04 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32.
Title Langroid has WAF Bypass Leading to RCE in TableChatAgent
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Langroid Langroid
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T20:40:26.952Z

Reserved: 2026-02-02T16:31:35.821Z

Link: CVE-2026-25481

cve-icon Vulnrichment

Updated: 2026-02-04T20:40:20.303Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T20:16:07.447

Modified: 2026-02-20T21:20:25.470

Link: CVE-2026-25481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses