{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "agenta",
"purl": "pkg:pypi/agenta"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.48.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.0",
"0.1.1",
"0.1.10",
"0.1.11",
"0.1.12",
"0.1.13",
"0.1.14",
"0.1.15",
"0.1.16",
"0.1.17",
"0.1.18",
"0.1.19",
"0.1.2",
"0.1.21",
"0.1.22",
"0.1.23",
"0.1.24",
"0.1.25",
"0.1.26",
"0.1.27",
"0.1.28",
"0.1.29",
"0.1.3",
"0.1.4",
"0.1.5",
"0.1.6",
"0.1.7",
"0.1.8",
"0.1.9",
"0.10.0",
"0.10.1",
"0.10.2",
"0.10.3",
"0.12.0",
"0.12.1",
"0.12.2",
"0.12.3",
"0.12.4",
"0.12.5",
"0.12.6",
"0.12.7",
"0.13.0",
"0.13.0a0",
"0.13.0a1",
"0.13.0a2",
"0.13.0a3",
"0.13.1",
"0.13.2",
"0.13.3",
"0.13.4",
"0.13.5",
"0.13.6",
"0.13.7",
"0.13.7a0",
"0.13.8",
"0.14.0",
"0.14.1",
"0.14.10",
"0.14.11",
"0.14.12",
"0.14.12a0",
"0.14.12a1",
"0.14.12a2",
"0.14.13",
"0.14.14",
"0.14.14a0",
"0.14.14a1",
"0.14.1a0",
"0.14.1a1",
"0.14.2",
"0.14.3",
"0.14.4",
"0.14.5",
"0.14.6",
"0.14.6a0",
"0.14.7",
"0.14.7a0",
"0.14.7a1",
"0.14.8",
"0.14.8a0",
"0.14.9",
"0.15.0",
"0.15.0a0",
"0.15.0a1",
"0.15.0a2",
"0.15.0a3",
"0.15.0a4",
"0.16.0",
"0.17.0",
"0.17.1",
"0.17.2",
"0.17.3",
"0.17.4",
"0.17.4a0",
"0.17.5",
"0.17.6a0",
"0.17.6a1",
"0.18.0",
"0.19.0",
"0.19.1",
"0.19.1a0",
"0.19.2",
"0.19.3",
"0.19.4",
"0.19.5",
"0.19.6",
"0.19.6a0",
"0.19.7",
"0.19.8",
"0.19.8a0",
"0.19.9",
"0.2.0",
"0.2.10",
"0.2.11",
"0.2.12",
"0.2.2",
"0.2.3",
"0.2.4",
"0.2.5",
"0.2.6",
"0.2.7",
"0.2.8",
"0.2.9",
"0.20.0a0",
"0.20.0a1",
"0.20.0a10",
"0.20.0a11",
"0.20.0a12",
"0.20.0a13",
"0.20.0a3",
"0.20.0a4",
"0.20.0a6",
"0.20.0a7",
"0.20.0a8",
"0.20.0a9",
"0.21.0a1",
"0.21.0b1",
"0.22.0",
"0.23.0",
"0.23.0a1",
"0.24.0",
"0.24.1",
"0.24.1a0",
"0.24.2",
"0.24.2a1",
"0.24.2a2",
"0.24.3",
"0.24.3a1",
"0.24.4",
"0.25.0",
"0.25.1",
"0.25.2",
"0.25.3",
"0.25.3a1",
"0.25.4",
"0.25.4a1",
"0.25.4a2",
"0.25.4a3",
"0.25.4a4",
"0.26.0",
"0.26.0a0",
"0.27.0",
"0.27.0a0",
"0.27.0a1",
"0.27.0a12",
"0.27.0a13",
"0.27.0a15",
"0.27.0a2",
"0.27.0a5",
"0.27.0a6",
"0.27.0a7",
"0.27.0a8",
"0.27.0a9",
"0.27.1",
"0.27.2",
"0.27.2a2",
"0.27.3",
"0.27.4a0",
"0.27.4a1",
"0.27.5",
"0.27.5a1",
"0.27.6",
"0.27.6a0",
"0.27.6a1",
"0.27.6a2",
"0.27.6a3",
"0.27.7",
"0.27.7a0",
"0.27.7a1",
"0.27.7a2",
"0.27.8a2",
"0.28.0",
"0.28.0a1",
"0.28.0a2",
"0.28.0a3",
"0.28.0a4",
"0.28.1",
"0.28.2a1",
"0.28.2a2",
"0.29.0",
"0.3.0",
"0.3.1",
"0.30.0",
"0.30.0a1",
"0.30.0a2",
"0.30.0a3",
"0.30.0a4",
"0.30.0a6",
"0.31.0",
"0.31.0a1",
"0.32.0",
"0.32.0a1",
"0.32.0a2",
"0.33.0",
"0.33.0a1",
"0.33.0a3",
"0.33.1",
"0.33.2",
"0.33.3",
"0.33.4",
"0.33.5",
"0.33.6",
"0.33.7",
"0.33.8",
"0.34.1",
"0.34.3",
"0.34.4",
"0.34.5",
"0.34.6",
"0.34.7",
"0.35.0",
"0.35.1",
"0.35.2",
"0.36.0",
"0.36.1",
"0.36.2",
"0.36.3",
"0.36.4",
"0.36.5",
"0.37.0",
"0.37.1",
"0.37.2",
"0.37.3",
"0.38.0",
"0.38.1",
"0.38.2",
"0.39.0",
"0.39.1",
"0.39.2",
"0.39.3",
"0.39.4",
"0.4.0",
"0.4.1",
"0.40.0",
"0.41.0",
"0.41.1",
"0.42.0",
"0.42.1",
"0.42.2",
"0.43.0",
"0.43.1",
"0.44.0",
"0.44.3",
"0.44.4",
"0.45.0",
"0.45.1",
"0.45.2",
"0.45.3",
"0.45.4",
"0.46.0",
"0.46.1",
"0.47.0",
"0.48.0",
"0.5.0",
"0.5.1",
"0.5.2",
"0.5.3",
"0.5.4",
"0.5.5",
"0.5.6",
"0.5.7",
"0.5.8",
"0.6.0",
"0.6.1",
"0.6.10",
"0.6.2",
"0.6.3",
"0.6.4",
"0.6.5",
"0.6.6",
"0.6.7",
"0.6.8",
"0.6.9",
"0.7.0",
"0.7.1",
"0.8.0",
"0.8.1",
"0.8.2",
"0.8.3",
"0.8.4",
"0.9.0"
]
}
],
"aliases": [
"CVE-2026-27952",
"GHSA-pmgp-2m3v-34mq"
],
"details": "Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta\u0027s custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly allowlisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python\u0027s introspection utilities \u2014 including `sys.modules` \u2014 thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library, because the custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.",
"id": "PYSEC-2026-6",
"modified": "2026-05-20T09:18:50.937531Z",
"published": "2026-02-26T02:16:22.940Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}