CVE-2026-27952
📋 TL;DR
This CVE describes a Python sandbox escape vulnerability in Agenta's API server that allows authenticated users to bypass RestrictedPython sandboxing via the whitelisted numpy package. Attackers can achieve arbitrary code execution on the API server by accessing system-level functionality through numpy.ma.core.inspect. This affects self-hosted Agenta platforms running vulnerable API server versions.
💻 Affected Systems
- Agenta self-hosted platform (API server)
📦 What is this software?
Agenta by Agentatech
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the API server allowing attackers to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems in the environment.
Likely Case
Authenticated users who can submit custom evaluator code gain remote code execution on the API server, with access to whatever data, credentials and system resources the API server process can reach.
If Mitigated
Blast radius is contained if network segmentation, least privilege and monitoring are in place, but code execution inside the API server process is still achieved; mitigations limit what the attacker can do from there, not whether they get there.
🎯 Exploit Status
Exploitation requires an authenticated account that can submit custom evaluator code, but is straightforward once that access is obtained. The vendor advisory documents the escape path in detail.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.48.1
Vendor Advisory: https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq
Restart Required: Yes
Instructions:
1. Update Agenta-API to version 0.48.1 or later.
2. In versions 0.60 and later the RestrictedPython sandbox has been removed entirely, so the numpy allowlist no longer exists.
3. Restart the Agenta API server after updating.
🔧 Temporary Workarounds
Remove numpy from sandbox allowlist
Manually modify the RestrictedPython configuration to remove numpy from the whitelisted packages
Edit the Agenta source code to remove 'numpy' from the allowed imports in the sandbox configuration
Disable custom code evaluator
Temporarily disable the vulnerable feature if not required
Configure Agenta to disable custom evaluator functionality
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Agenta API server from sensitive systems
- Apply principle of least privilege to Agenta service account and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
If the Agenta-API version is below 0.48.1 and the custom code evaluator is enabled with numpy importable inside the sandbox, the system is vulnerable
Check Version:
Check the Agenta configuration or run: pip show agenta | grep Version. Note that pip reports the agenta Python package installed in that environment; for a self-hosted deployment, confirm the version of the API server service or container image that is actually running.
Verify Fix Applied:
Verify the running Agenta-API version is 0.48.1 or higher, or submit a test evaluator that imports numpy and confirm the sandbox rejects it
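One way to carry out the "numpy imports are blocked" check above, and to vet whatever remains in the allowlist after the workaround, is to audit each allowed module for public attribute paths that lead to a module granting process control (the generalized shape of numpy reaching inspect through numpy.ma.core). The following is an added example written for this page, not Agenta's own code. It assumes a RestrictedPython-style getattr guard that refuses only underscore-prefixed names, so only public attribute paths are followed, and it reports only on packages installed where it runs (numpy included, if present).

```python
"""Audit a sandbox import allowlist for public attribute paths that lead from an
allowed module to a module that grants process control. Added example; not
Agenta code. Assumes a getattr guard that blocks only names starting with '_'."""
import importlib
import types
from collections import deque

# Modules that hand out arbitrary code or process control once reachable.
DANGEROUS = {"os", "sys", "subprocess", "builtins", "importlib", "inspect",
             "ctypes", "posix", "nt"}
MAX_DEPTH = 4  # public attribute hops to follow from the root module


def reachable_modules(root_name, max_depth=MAX_DEPTH):
    """Breadth-first walk over public (non-underscore) attributes starting at the
    module ``root_name``. Returns {module_name: first_dotted_path} for every module
    object reachable that way. Underscore names are skipped because the assumed
    guard refuses them, so public paths are exactly what sandboxed code can use."""
    root = importlib.import_module(root_name)
    seen = {id(root)}
    found = {}
    queue = deque([(root, root_name, 0)])
    while queue:
        obj, path, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for name in dir(obj):
            if name.startswith("_"):
                continue
            try:
                child = getattr(obj, name)
            except Exception:  # lazy or broken attributes must not abort the audit
                continue
            if not isinstance(child, types.ModuleType) or id(child) in seen:
                continue
            seen.add(id(child))
            child_path = f"{path}.{name}"
            found.setdefault(child.__name__, child_path)
            queue.append((child, child_path, depth + 1))
    return found


def audit_allowlist(allowlist, dangerous=DANGEROUS):
    """Return {allowed_module: [(dangerous_module, path), ...]} for every entry of
    ``allowlist`` that exposes a dangerous module. Entries not installed in this
    environment are skipped, since nothing can be reached through them."""
    report = {}
    for name in allowlist:
        try:
            reach = reachable_modules(name)
        except ImportError:
            continue
        hits = [(mod, path) for mod, path in reach.items() if mod in dangerous]
        if name in dangerous:  # allowlisting os or sys directly is its own finding
            hits.append((name, name))
        if hits:
            report[name] = sorted(hits)
    return report


if __name__ == "__main__":
    # numpy is the package named in the advisory; the stdlib entries show the same
    # audit on modules that are always present.
    for allowed, findings in audit_allowlist(["numpy", "shutil", "math", "json"]).items():
        for mod, path in findings:
            print(f"{allowed}: reaches {mod} via {path}")
```

Run it in the same environment as the API server so the installed package versions match; a clean report for an allowlisted package is only meaningful for the depth walked, and any finding is a reason to drop that package from the allowlist rather than to try blocking the individual path.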
📡 Detection & Monitoring
Log Indicators:
- Custom evaluator submissions whose code imports or reaches inspect, os, sys or subprocess
- Child processes (shell, curl, wget, interpreters) spawned by the Agenta API server process
- The string numpy.ma.core.inspect in submitted evaluator code or evaluation logs
Network Indicators:
- Outbound connections from Agenta API server to unexpected destinations
- Command and control traffic patterns
SIEM Query:
Field names are illustrative; adapt them to your schema. The escape string appears in the evaluator code an authenticated user submits (request body or application log), not in the API server's own command line, so match log messages for the payload and process telemetry for its effect:
message:"numpy.ma.core.inspect" OR message:"os.system" OR message:"subprocess"
parent_process_name:"python*" AND process_name:("sh" OR "bash" OR "curl" OR "wget") (use whatever process actually hosts the Agenta API server as the parent)
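The log indicators and query above describe what to look for; the following added example (written for this page, not Agenta code) shows the same checks as running code: an AST-based scan of submitted evaluator source, which catches attribute chains and imports regardless of aliasing, and a regex scan over log lines where the evaluator body is embedded as text. The sample evaluators and log lines are constructed for the example, and the continuation past inspect in the malicious sample illustrates the shape such code takes, not the advisory's exact payload.

```python
"""Flag custom evaluator source (and application log lines) that carry the
attribute chains used for RestrictedPython escapes of the numpy.ma.core.inspect
kind. Added example; not Agenta's own code. Samples below are constructed."""
import ast
import re

# Name or attribute segments that have no business in an evaluator. ``getattr``
# is included because getattr(obj, "inspect") sidesteps a purely syntactic check.
SUSPICIOUS_SEGMENTS = {
    "inspect", "os", "sys", "subprocess", "builtins", "importlib", "ctypes",
    "system", "popen", "Popen", "import_module", "eval", "exec", "getattr",
}


def _attr_chain(node):
    """Flatten ``a.b.c`` into ['a', 'b', 'c']; [] when the chain does not start at a name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return list(reversed(parts))
    return []


def scan_evaluator_source(src):
    """Return the sorted, maximal dotted chains in ``src`` that touch a suspicious
    segment, plus any import of a suspicious module. Unparseable source is
    reported as a single '<syntax-error>' finding so it still gets logged."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return ["<syntax-error>"]
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            chain = _attr_chain(node)
            if SUSPICIOUS_SEGMENTS & set(chain):
                hits.add(".".join(chain))
        elif isinstance(node, ast.Name) and node.id in SUSPICIOUS_SEGMENTS:
            hits.add(node.id)
        elif isinstance(node, ast.Import):
            hits.update(a.name for a in node.names
                        if a.name.split(".")[0] in SUSPICIOUS_SEGMENTS)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_SEGMENTS:
                hits.add(node.module)
    # Keep only maximal chains: 'np.ma.core.inspect.os.system' subsumes its prefixes.
    return sorted(h for h in hits if not any(o.startswith(h + ".") for o in hits))


# Indicators for raw log lines, where the evaluator body is usually embedded as text.
LOG_PATTERN = re.compile(
    r"\b(?:numpy|np)\.ma\.core\.inspect\b"
    r"|\binspect\.(?:os|sys|importlib|builtins)\b"
    r"|\bos\.(?:system|popen|exec\w*|spawn\w*)\b"
    r"|\bsubprocess\.(?:run|call|check_call|check_output|Popen)\b"
)


def scan_log_lines(lines):
    """Return (line_number, first_indicator) for each line matching LOG_PATTERN."""
    return [(i, m.group(0)) for i, line in enumerate(lines, 1)
            if (m := LOG_PATTERN.search(line))]


# Constructed samples; not real Agenta evaluators or log output.
BENIGN_EVALUATOR = """
import numpy as np
def evaluate(output, expected):
    return float(np.mean(np.array([output == expected])))
"""
MALICIOUS_EVALUATOR = """
import numpy as np
def evaluate(output, expected):
    np.ma.core.inspect.os.system("id")   # reaches os through the inspect module
    return 1.0
"""
OBFUSCATED_EVALUATOR = """
import subprocess
def evaluate(output, expected):
    return float(getattr(subprocess, "run")(["id"]).returncode)
"""
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z INFO evaluator_create id=17 user=alice code='import numpy as np; score = float(np.mean(np.array([1.0])))'",
    "2026-03-01T10:02:13Z INFO evaluator_create id=18 user=mallory code='import numpy as np; np.ma.core.inspect.os.system(\"id\")'",
    "2026-03-01T10:02:40Z INFO evaluator_create id=19 user=mallory code='import subprocess; subprocess.run([\"id\"])'",
]

if __name__ == "__main__":
    for label, src in [("benign", BENIGN_EVALUATOR), ("malicious", MALICIOUS_EVALUATOR),
                       ("obfuscated", OBFUSCATED_EVALUATOR)]:
        print(label, scan_evaluator_source(src))
    print(scan_log_lines(SAMPLE_LOG))
```

The AST scan is the stronger of the two because aliasing (import numpy as np) and nested attribute chains do not change the parsed structure; the regex is for logs you cannot re-parse. Neither replaces patching: a determined user can still reach the same modules through string-built attribute names, which is why the scan also flags getattr.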