Description
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.
Published: 2026-02-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Agenta's custom code evaluator uses the RestrictedPython sandbox to protect user-supplied code. Prior to v0.48.1 the platform erroneously marked the numpy library as safe, allowing the evaluator to import numpy.ma.core.inspect. This module exposes introspection functions that give direct access to the global sys.modules dictionary, which can be exploited to invoke system commands such as os.system. The flaw matches the code injection weakness identified by CWE-94 and facilitates arbitrary code execution. Because the attacker can run the code inside the API process, the impact is full control over the machine that hosts the API server.

Affected Systems

The vulnerability affects the Agenta-API component of the Agenta self-hosted LLMOps platform. All releases before 0.48.1 are susceptible. The issue was addressed in v0.48.1 by removing numpy from the sandbox allowlist. Versions 0.60 and later replace the RestrictedPython sandbox entirely and are not affected.

Risk and Exploitability

The CVSS score of 8.8 highlights the high severity, and the EPSS of less than 1% indicates that the likelihood of exploitation is low at present. The flaw is not listed in the CISA KEV catalog. Nonetheless, the attack requires an authenticated user to submit code to the custom evaluator, meaning that compromised credentials or privileged access to the platform provide a direct path to arbitrary code execution. Due to the high impact and high privileges needed, sites should consider this a critical risk if they run an affected version and rely on the code evaluator feature.

Generated by OpenCVE AI on April 17, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Agenta-API to version 0.48.1 or later to remove numpy from the sandbox allowlist.
  • If an immediate upgrade is not possible, modify the sandbox configuration or apply a patch to disallow numpy before the evaluator executes.
  • Disable or restrict the custom code evaluator for unauthenticated or non-trusted users to prevent execution of arbitrary code.

Generated by OpenCVE AI on April 17, 2026 at 14:31 UTC.
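The following is an added example, not Agenta's code and not the project's actual fix. It models the remediation the description and the recommended actions describe: an evaluator sandbox whose import guard checks an allowlist that no longer contains numpy, together with an attribute guard that refuses module-valued attributes, so that a chain of the kind the advisory describes (an allowed package, then numpy.ma.core.inspect, then sys.modules) cannot be walked from evaluator code. The allowlist contents, the helper names, the audit helper and the way the guards are wired into RestrictedPython's globals are all assumptions of this example.

```python
"""Import and attribute guards for a RestrictedPython-style evaluator sandbox.

Added example, not Agenta's code: it models the v0.48.1 fix in CVE-2026-27952
(an import allowlist without `numpy`) plus an attribute check that blocks the
described escape class (module attributes leading to `sys.modules`). Allowlist
contents, helper names and RestrictedPython wiring are assumptions.
"""
import importlib
from types import ModuleType

# Constructed allowlist for evaluator code; `numpy` is deliberately absent.
SANDBOX_ALLOWED_MODULES = frozenset({"json", "math", "re"})


class SandboxImportError(ImportError):
    """Evaluator code asked for a module outside the allowlist."""


class SandboxAttributeError(AttributeError):
    """Evaluator code reached for an attribute the sandbox hides."""


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Replacement for `__import__` in the restricted builtins.

    Rejects relative imports, dotted names (so `numpy.ma.core` stays unreachable
    even if a top-level package slips onto the list) and any name outside the
    allowlist. The check runs before the real import, so a denied package is
    never loaded into the API process at all.
    """
    if level != 0:
        raise SandboxImportError("relative imports are not allowed")
    if "." in name:
        raise SandboxImportError(f"submodule import {name!r} is not allowed")
    if name not in SANDBOX_ALLOWED_MODULES:
        raise SandboxImportError(f"{name!r} is not on the sandbox allowlist")
    module = importlib.import_module(name)
    # `from m import x` where x is itself a module is the same escape in disguise.
    for attr in fromlist or ():
        if isinstance(getattr(module, attr, None), ModuleType):
            raise SandboxImportError(f"{name}.{attr} is a module and may not be imported")
    return module


def guarded_getattr(obj, name, default=None):
    """Replacement for RestrictedPython's `_getattr_` hook (assumed wiring).

    Private names are refused, and so is any attribute whose value is a module:
    allowed stdlib modules still hold references such as `json.codecs`, and a
    walk along such references ends at `sys` or `os`. Refusing module-valued
    attributes cuts every such chain at its first link.
    """
    if name.startswith("_"):
        raise SandboxAttributeError(f"access to {name!r} is not allowed")
    value = getattr(obj, name, default)
    if isinstance(value, ModuleType):
        raise SandboxAttributeError(f"{name!r} is a module; evaluator code may not traverse it")
    return value


def module_exposures(name):
    """Audit helper: public attributes of a module that are themselves modules.
    Run it over each candidate before adding it to SANDBOX_ALLOWED_MODULES."""
    module = importlib.import_module(name)
    return sorted(a for a in dir(module)
                  if not a.startswith("_") and isinstance(getattr(module, a), ModuleType))


def import_is_denied(name, fromlist=()):
    """True when the import guard refuses the request."""
    try:
        guarded_import(name, fromlist=fromlist)
    except SandboxImportError:
        return True
    return False


def attribute_is_denied(module_name, attr):
    """True when the attribute guard refuses `module_name.attr`."""
    try:
        guarded_getattr(importlib.import_module(module_name), attr)
    except SandboxAttributeError:
        return True
    return False


def build_sandbox_globals():
    """Globals dict in the shape RestrictedPython expects (assumed wiring)."""
    builtins = {"len": len, "range": range, "min": min, "max": max, "sum": sum,
                "abs": abs, "round": round, "float": float, "int": int, "str": str,
                "__import__": guarded_import}
    return {"__builtins__": builtins, "_getattr_": guarded_getattr,
            "_getiter_": iter, "_getitem_": lambda obj, key: obj[key]}


def run_evaluator(source, inputs):
    """Compile evaluator code under RestrictedPython and call its `evaluate(inputs)`.
    Needs the RestrictedPython package; the `evaluate` entry point is assumed."""
    from RestrictedPython import compile_restricted
    namespace = build_sandbox_globals()
    exec(compile_restricted(source, filename="<evaluator>", mode="exec"), namespace)
    return namespace["evaluate"](inputs)
```

The allowlist check alone is what the v0.48.1 fix restores; the attribute guard is the defence in depth that the advisory's escape path argues for, because `module_exposures("json")` shows that even a harmless-looking stdlib module carries module-valued attributes (such as `codecs`) from which a chain to `sys` can be walked unless the `_getattr_` hook refuses them.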

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Agentatech; Agentatech agenta
CPEs | | cpe:2.3:a:agentatech:agenta:*:*:*:*:*:*:*:*
Vendors & Products | | Agentatech; Agentatech agenta

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Agenta-ai; Agenta-ai agenta-api
Vendors & Products | | Agenta-ai; Agenta-ai agenta-api

Thu, 26 Feb 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | (the description text shown at the top of this page)
Title | | Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:27:29.328Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27952

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-26T02:16:22.940

Modified: 2026-03-02T18:43:36.277

Link: CVE-2026-27952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')