Cyber Posture

CVE-2026-27952

High · Public PoC · RCE

Published: 26 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: fixed in 0.48.1
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27952 is a high-severity Code Injection (CWE-94) vulnerability in Agentatech Agenta. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-2 (Separation of System and User Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Mandates software-enforced separation policies using mechanisms like properly configured RestrictedPython sandboxes to block escapes via numpy introspection to sys.modules and os.system.
- prevent (SC-2, Separation of System and User Functionality): Requires separation of user-supplied code evaluation functionality from system functionality, preventing bypass of sandbox restrictions to arbitrary server-side code execution.
- prevent (SC-18, Mobile Code): Enforces confinement and validation of user-supplied code as mobile code within approved sandbox domains, mitigating exploits through incorrectly whitelisted unsafe packages like numpy.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

The vulnerability enables remote exploitation (T1190/T1210) of the network-accessible API service by low-privileged authenticated users: a sandbox escape leads to arbitrary Python code execution (T1059.006) and privilege escalation (T1068) on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.

Deeper analysis (AI-generated)

CVE-2026-27952 is a Python sandbox escape vulnerability in the Agenta-API component of Agenta, an open-source LLMOps platform, affecting versions prior to 0.48.1. The flaw arises from Agenta's use of RestrictedPython to sandbox user-supplied code in its custom code evaluator, where the numpy package was incorrectly whitelisted as safe. This enables bypass through numpy.ma.core.inspect, which exposes Python introspection utilities like sys.modules, granting access to unrestricted system functions such as os.system. The vulnerability impacts the self-hosted Agenta platform's API server process, where the evaluator executes server-side, but does not affect the Agenta SDK used as a standalone Python library.

Authenticated users with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation leads to arbitrary code execution on the API server, providing high confidentiality, integrity, and availability impacts, as scored at CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-94 (Improper Control of Generation of Code).

The GitHub security advisory (GHSA-pmgp-2m3v-34mq) at https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq confirms the issue was fixed in Agenta-API version 0.48.1 by removing numpy from the RestrictedPython sandbox allowlist. Subsequent versions from 0.60 onward eliminate the RestrictedPython sandbox entirely, replacing it with a different execution model.

This vulnerability holds relevance for AI/ML practitioners deploying LLMOps platforms, as it targets custom code evaluation features common in such environments. No public evidence of real-world exploitation is noted in available details.
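The NVD description and the analysis above both come down to one allowlist mistake: a package that looks harmless re-exports introspection modules through its submodules. As an added, defender-side example (not Agenta's or numpy's code), the audit below walks each allowlisted module's attribute graph and reports any path that reaches an introspection or OS module, the transitive exposure the advisory describes for numpy.ma.core.inspect. The "fakenumpy" tree is constructed inline to mirror that shape, so real numpy and RestrictedPython are not needed to run it.

```python
import inspect
import math
import types

# Modules whose reachability from sandboxed code defeats the sandbox; the
# advisory's path was numpy.ma.core.inspect -> sys.modules -> os.system.
DANGEROUS_ROOTS = {"inspect", "sys", "os", "subprocess", "builtins", "importlib"}


def dangerous_paths(root: types.ModuleType, max_depth: int = 4) -> list:
    """Dotted attribute paths from `root` to any module in DANGEROUS_ROOTS.
    Only module-valued attributes are followed (numpy's escape ran through a
    submodule's globals); vars() is used instead of getattr() so no property
    or lazy-import hook in the audited package gets triggered."""
    found, seen = [], set()

    def walk(mod, path, depth):
        if id(mod) in seen or depth > max_depth:
            return
        seen.add(id(mod))
        for name, value in vars(mod).items():
            if name.startswith("__") or not isinstance(value, types.ModuleType):
                continue
            if value.__name__.split(".")[0] in DANGEROUS_ROOTS:
                found.append(f"{path}.{name} -> {value.__name__}")
            else:
                walk(value, f"{path}.{name}", depth + 1)

    walk(root, root.__name__, 0)
    return found


def audit_allowlist(allowlist) -> dict:
    """Map each allowlisted module's name to its dangerous paths ([] = clean)."""
    return {mod.__name__: dangerous_paths(mod) for mod in allowlist}


def constructed_fake_numpy() -> types.ModuleType:
    """Constructed stand-in ('fakenumpy', hypothetical) with the shape the
    advisory describes: submodule ma.core holds stdlib `inspect` as a global.
    Real numpy is never imported, so this runs offline."""
    core = types.ModuleType("fakenumpy.ma.core")
    core.inspect = inspect
    ma = types.ModuleType("fakenumpy.ma")
    ma.core = core
    root = types.ModuleType("fakenumpy")
    root.ma = ma
    return root


def example_report() -> dict:
    # Two-entry allowlist: math (expected clean) and the constructed fake numpy.
    return audit_allowlist([math, constructed_fake_numpy()])
```

A module with a non-empty report should be dropped from the allowlist, as Agenta did for numpy in 0.48.1; an empty report is necessary but not sufficient, because the walk only follows module-valued attributes and not objects whose methods or `__globals__` lead to the same modules.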

Details

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products: agentatech agenta ≤ 0.48.1

CVEs Like This One

- CVE-2026-27961: same product (Agentatech Agenta)
- CVE-2025-42950: shared CWE-94
- CVE-2025-42957: shared CWE-94
- CVE-2026-26030: shared CWE-94
- CVE-2026-26056: shared CWE-94
- CVE-2024-56373: shared CWE-94
- CVE-2026-31857: shared CWE-94
- CVE-2024-57609: shared CWE-94
- CVE-2026-44334: shared CWE-94
- CVE-2026-25817: shared CWE-94

References