
CVE-2026-27952

High · Public PoC · RCE

Published: 26 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: fixed in Agenta-API 0.48.1
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (38.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27952 is a high-severity Code Injection (CWE-94) vulnerability in Agentatech Agenta. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-2 (Separation of System and User Functionality).

Deeper analysis

CVE-2026-27952 is a Python sandbox escape vulnerability in the Agenta-API component of Agenta, an open-source LLMOps platform, affecting versions prior to 0.48.1. The flaw arises from Agenta's use of RestrictedPython to sandbox user-supplied code in its custom code evaluator: the numpy package was incorrectly whitelisted as safe. Because numpy.ma.core.inspect is the standard-library inspect module, sandboxed code can reach Python's introspection utilities, including sys.modules, and from there unrestricted system functions such as os.system. The vulnerability affects the self-hosted Agenta platform's API server process, where the evaluator executes server-side; it does not affect the Agenta SDK when used as a standalone Python library.

Authenticated users with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation leads to arbitrary code execution on the API server, providing high confidentiality, integrity, and availability impacts, as scored at CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-94 (Improper Control of Generation of Code).

The GitHub security advisory (GHSA-pmgp-2m3v-34mq) at https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq confirms the issue was fixed in Agenta-API version 0.48.1 by removing numpy from the RestrictedPython sandbox allowlist. Subsequent versions from 0.60 onward eliminate the RestrictedPython sandbox entirely, replacing it with a different execution model.
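The root cause above is an allowlist entry that was never checked for what it transitively exposes: a package that looks numerical still carries module objects (numpy.ma.core.inspect, and through it sys) that a RestrictedPython-style sandbox cannot take away once the package object itself is reachable. The following audit script is an added example, not Agenta's code or the advisory's fix; it imports each allowlisted module and walks its module-typed attributes to a bounded depth, reporting any path that lands in an interpreter-internal module. The SENSITIVE_MODULES set, the depth bound and the module names used in the demonstration are assumptions chosen for the example, and the walk is a heuristic: it flags reachable module objects, it does not model RestrictedPython's attribute guards.

```python
"""Allowlist audit for a RestrictedPython-style sandbox.

Added example, not Agenta's code. Given the names a sandbox allows user code
to import, report every attribute path from those modules that reaches an
interpreter-internal module (sys, os, inspect, ...). An allowlist that passes
this audit still needs review, but one that fails it should not ship.
"""
import importlib
import types

# Assumed set of modules whose reachability from sandboxed code amounts to an escape.
SENSITIVE_MODULES = frozenset({
    "sys", "os", "posix", "nt", "subprocess", "builtins", "inspect",
    "importlib", "ctypes", "_ctypes", "gc", "code", "codeop",
})


def _is_sensitive(mod: types.ModuleType) -> bool:
    """True if `mod` is, or is a submodule of, one of the sensitive packages."""
    name = mod.__name__
    return name in SENSITIVE_MODULES or name.split(".")[0] in SENSITIVE_MODULES


def find_escape_paths(module: types.ModuleType, max_depth: int = 3):
    """Return (attribute_path, module_name) pairs that reach a sensitive module.

    Only module-typed attributes are followed, private ones included (for
    example collections._sys), because plain attribute access is exactly what
    a sandbox that hands out the module object cannot prevent.
    """
    findings = []
    visited = {id(module)}

    def walk(obj, path, depth):
        if depth > max_depth:
            return
        for name in sorted(dir(obj)):
            try:
                attr = getattr(obj, name)
            except Exception:  # lazy or broken attributes must not abort the audit
                continue
            if not isinstance(attr, types.ModuleType):
                continue
            child = f"{path}.{name}"
            if _is_sensitive(attr):
                findings.append((child, attr.__name__))
            elif id(attr) not in visited:
                visited.add(id(attr))
                walk(attr, child, depth + 1)

    walk(module, module.__name__, 0)
    return findings


def audit_allowlist(names, max_depth: int = 3):
    """Import each allowlisted module and map its name to its escape paths.

    Modules with no findings are omitted, so an empty dict means nothing in
    SENSITIVE_MODULES is reachable within `max_depth` attribute hops. A module
    that cannot be imported is reported too: an allowlist entry that cannot be
    inspected cannot be vetted.
    """
    report = {}
    for name in names:
        try:
            mod = importlib.import_module(name)
        except ImportError:
            report[name] = [("<not installed>", name)]
            continue
        if _is_sensitive(mod):
            report[name] = [(name, mod.__name__)]  # allowlisting it is the escape
            continue
        paths = find_escape_paths(mod, max_depth)
        if paths:
            report[name] = paths
    return report


if __name__ == "__main__":
    # Constructed allowlist for the demonstration: "math" exposes no module
    # objects, "collections" quietly carries sys as collections._sys, and
    # "numpy" (if installed) shows the class of finding behind this CVE.
    for mod_name, paths in audit_allowlist(["math", "collections", "numpy"]).items():
        print(mod_name)
        for path, target in paths[:5]:
            print(f"  {path} -> {target}")
```

Run it against the exact list a deployment passes to its sandbox; any non-empty entry in the report is a module that should be replaced with a purpose-built wrapper exposing only the functions user code needs, rather than the module object itself.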

This vulnerability holds relevance for AI/ML practitioners deploying LLMOps platforms, as it targets custom code evaluation features common in such environments. No public evidence of real-world exploitation is noted in available details.

Vulnerability details

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities, including `sys.modules`, thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.

CWE(s): CWE-94 (Improper Control of Generation of Code)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: numpy

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability enables remote exploitation (T1190/T1210) of a network-accessible API service by low-privileged authenticated users; the resulting sandbox escape leads to arbitrary Python code execution (T1059.006) and privilege escalation (T1068) on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27961 (same product: Agentatech Agenta)
CVE-2024-10252 (shared CWE-94)
CVE-2026-33057 (shared CWE-94)
CVE-2025-0185 (shared CWE-94)
CVE-2026-33873 (shared CWE-94)
CVE-2026-27966 (shared CWE-94)
CVE-2026-41138 (shared CWE-94)
CVE-2025-42957 (shared CWE-94)
CVE-2025-42950 (shared CWE-94)
CVE-2024-55241 (shared CWE-94)

Affected Assets

Vendor: agentatech
Product: agenta
Versions: ≤ 0.48.1

Mitigating Controls (NIST 800-53 r5)

prevent: Mandates software-enforced separation policies using mechanisms like properly configured RestrictedPython sandboxes to block escapes via numpy introspection to sys.modules and os.system.

prevent, SC-2 (Separation of System and User Functionality): Requires separation of user-supplied code evaluation functionality from system functionality, preventing bypass of sandbox restrictions to arbitrary server-side code execution.

prevent, SC-18 (Mobile Code): Enforces confinement and validation of user-supplied code as mobile code within approved sandbox domains, mitigating exploits through incorrectly whitelisted unsafe packages like numpy.
