Agenta Sandbox Escape via NumPy Introspection
CVE ID: CVE-2026-27952
Affected Product: Agenta API (self-hosted deployments)
Affected Versions: All versions prior to 0.48.1
Severity: High
CVSS v3.1 Base Score: 8.8 (High)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (Authenticated user)
User Interaction: None
Scope: Unchanged
Impact: Confidentiality (High), Integrity (High), Availability (High)
Exploitability: High
Exploit Availability: Publicly discussed technique with working proof-of-concept demonstrated in security research
CVE-2026-27952 is a sandbox escape vulnerability in Agenta’s Python code execution feature. The issue allows an authenticated user to bypass RestrictedPython sandbox controls and execute arbitrary system-level commands on the Agenta server by abusing NumPy’s introspection capabilities.
Technical Description
Agenta provides a feature that allows users to execute custom Python code within a restricted execution environment. The sandbox implementation relied on RestrictedPython and enforced import controls to limit dangerous modules.
However, the sandbox configuration mistakenly permitted importing numpy. Inside NumPy, the module numpy.ma.core imports the standard-library inspect module and exposes it as the attribute numpy.ma.core.inspect, which provides access to Python interpreter internals. Through this object, the global module registry (sys.modules) can be accessed.
Once sys.modules becomes reachable, restricted modules such as os or subprocess can be obtained dynamically, even if direct imports are blocked by the sandbox policy.
This effectively breaks the isolation boundary intended by RestrictedPython and allows arbitrary command execution within the context of the Agenta API server process.
Because execution occurs inside the running API process, the attacker gains access equivalent to the service account running Agenta. In containerized environments, this typically includes:
- Environment variables (including API keys and secrets)
- Mounted configuration files
- Network access from the container
- Filesystem access permitted to the container
- Internal service-to-service communication channels
The vulnerability does not require complex chaining. It relies on Python introspection mechanics and insufficient module restrictions.
Root Cause
The vulnerability exists due to:
- Overly permissive import allowlisting in the RestrictedPython sandbox.
- Failure to account for indirect module access via introspection.
- Inadequate isolation of user-supplied code from the host interpreter.
- Execution of untrusted code within the same runtime process.
RestrictedPython was assumed to provide sufficient containment, but Python’s dynamic nature allows module traversal through non-obvious paths such as inspect references embedded inside third-party libraries.
Impact
If exploited successfully, the following outcomes are possible:
- Remote Code Execution (RCE)
- Arbitrary system command execution
- Data exfiltration
- Secret leakage
- Lateral movement within internal infrastructure
- Container breakout (if additional misconfigurations exist)
- Service disruption or data destruction
Any organization exposing Agenta publicly or allowing broad user registration is at elevated risk.
Exploitation Details (Educational)
The exploitation technique relies on:
- Importing NumPy inside the sandbox.
- Traversing to internal inspection utilities.
- Accessing sys.modules.
- Retrieving restricted modules such as os.
- Invoking system-level functionality.
Conceptual demonstration (simplified for education):
import numpy as np
# Access internal inspect reference
inspect_ref = np.ma.core.inspect
# Reach sys.modules via inspect globals
modules = inspect_ref.__globals__['sys'].modules
# Retrieve os module
os_module = modules['os']
# Execute system command
os_module.system("id")
Attack Scenario
- Attacker registers or logs in to Agenta.
- Attacker submits custom evaluation code.
- Code executes inside sandbox.
- NumPy import bypasses intended restrictions.
- Introspection exposes system modules.
- Arbitrary command execution achieved.
- Sensitive information retrieved or server compromised.
Indicators of Compromise (IoCs)
Look for:
- User-submitted code containing:
  - import numpy
  - numpy.ma.core.inspect
  - __globals__
  - sys.modules
  - os.system
  - subprocess
- Unexpected shell process creation from Agenta process
- Outbound network connections from Agenta host to unknown IPs
- File reads involving /etc/passwd, /proc, or secret directories
- Environment variable dumps in logs
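The code-content indicators above can be checked before a submission ever reaches the sandbox. The following is an added example written for this advisory, not code from Agenta; it uses only the standard library. The indicator sets, the tag names it emits and the two sample submissions are constructed for the example. It walks the AST rather than grepping, so `import numpy as np` followed by `np.ma.core.inspect` is still recognised as the numpy chain, and it also catches the two obvious evasions of a naive scan (`__import__("os")` and `getattr(x, "__globals__")`); when the code does not parse at all it falls back to a substring scan so a deliberate syntax error cannot hide the indicators.

```python
import ast

# Constructed indicator sets derived from the IoC list above; assumptions for
# this example, not an Agenta artefact.
FLAGGED_IMPORTS = {"numpy", "os", "subprocess", "sys"}
FLAGGED_ATTRS = {"__globals__", "__builtins__", "__subclasses__", "__mro__"}
FLAGGED_CHAINS = {"numpy.ma.core.inspect", "sys.modules", "os.system"}


def _import_aliases(tree):
    """Map local names to the modules they bind, so `np.ma` resolves to `numpy.ma`."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                aliases[alias.asname or root] = alias.name if alias.asname else root
    return aliases


def _dotted_name(node, aliases):
    """Return 'pkg.mod.attr' for an attribute chain rooted at a Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(aliases.get(node.id, node.id))
        return ".".join(reversed(parts))
    return None


def _const_str(node):
    """Return the string value of a constant node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def screen_submission(source):
    """Return sorted indicator tags found in submitted evaluator code.

    If the code does not parse, fall back to a substring scan so that a
    deliberate syntax error cannot be used to slip past the AST walk.
    """
    findings = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        for needle in FLAGGED_CHAINS | FLAGGED_ATTRS:
            if needle in source:
                findings.add("text:" + needle)
        return sorted(findings)

    aliases = _import_aliases(tree)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in FLAGGED_IMPORTS:
                    findings.add("import:" + root)
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root in FLAGGED_IMPORTS:
                findings.add("import:" + root)
        elif isinstance(node, ast.Attribute):
            if node.attr in FLAGGED_ATTRS:
                findings.add("attr:" + node.attr)
            chain = _dotted_name(node, aliases)
            for flagged in FLAGGED_CHAINS:
                if chain is not None and (chain == flagged or chain.endswith("." + flagged)):
                    findings.add("chain:" + flagged)
        elif isinstance(node, ast.Call):
            # __import__("os") and getattr(x, "__globals__") dodge the checks above.
            func = _dotted_name(node.func, aliases)
            if func in ("__import__", "importlib.import_module") and node.args:
                target = _const_str(node.args[0])
                if target and target.split(".")[0] in FLAGGED_IMPORTS:
                    findings.add("dynamic-import:" + target.split(".")[0])
            if func == "getattr" and len(node.args) >= 2:
                attr = _const_str(node.args[1])
                if attr in FLAGGED_ATTRS:
                    findings.add("attr:" + attr)
    return sorted(findings)


# Constructed sample submissions, not real Agenta traffic. The second one is
# the conceptual snippet from this advisory.
BENIGN = "def evaluate(output, expected):\n    return float(output.strip() == expected.strip())\n"
SUSPICIOUS = (
    "import numpy as np\n"
    "ref = np.ma.core.inspect\n"
    "mods = ref.__globals__['sys'].modules\n"
    "mods['os'].system('id')\n"
)

if __name__ == "__main__":
    for label, code in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, screen_submission(code))
```

A non-empty result is a reason to hold the submission for review, not proof of exploitation; the attribute lookups through subscripts (`mods['os'].system`) are deliberately outside what a static walk can resolve, which is why this screen complements, rather than replaces, the process and network telemetry listed below.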
Detection Guidance
Log Sources to Monitor
- Agenta API application logs
- HTTP request logs (code submission endpoints)
- Container runtime logs (Docker / Kubernetes)
- Linux auditd logs
- EDR telemetry
- Process creation logs
- Network flow logs
Detection Queries
Splunk Query – Suspicious Code Submission
index=agenta_logs sourcetype=api_requests
| search request_body="*import numpy*"
OR request_body="*numpy.ma.core.inspect*"
OR request_body="*sys.modules*"
OR request_body="*__globals__*"
| table _time user client_ip request_body
Splunk Query – Suspicious Process Creation
index=os_logs sourcetype=process_creation
| search parent_process="agenta*"
AND (process_name="sh" OR process_name="bash" OR process_name="python" OR process_name="nc" OR process_name="curl")
| table _time host parent_process process_name command_line
Elastic (KQL) – Sandbox Escape Behavior
process.parent.name : "agenta*" and
process.name : ("sh" or "bash" or "python" or "curl" or "nc")
Microsoft Sentinel (KQL) – Suspicious Python Introspection
AppRequests
| where RequestBody contains "numpy.ma.core.inspect"
or RequestBody contains "sys.modules"
or RequestBody contains "__globals__"
Linux Auditd Rule (Process Execution Monitoring)
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/python3 -k agenta_exec_monitor
Behavioral Detection Strategy
Instead of only matching strings, it is recommended to correlate:
- Code submission event
- Followed by process spawn
- Followed by outbound connection
Correlation within a 2–5 minute window significantly increases detection accuracy.
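The three-stage correlation described above, as an added example that is not part of the original advisory or of Agenta's code. The log lines, the `timestamp|source|host|detail` layout and the field values are constructed for the example; a real deployment would feed it normalised events from the API, process-creation and network sources listed earlier. It emits a stage-3 alert when a submission, a child process of the Agenta process and an outbound connection all fall inside the window on one host, and a lower-confidence stage-2 alert when only the first two are seen.

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalised to "timestamp|source|host|detail".
# Field names and values are assumptions for this example, not Agenta log formats.
SAMPLE_LOGS = """\
2026-03-01T10:00:05Z|api|agenta-1|user=alice endpoint=/evaluators/run
2026-03-01T10:00:07Z|proc|agenta-1|parent=python3(agenta) child=sh
2026-03-01T10:00:09Z|net|agenta-1|dst=203.0.113.7:8443 proto=tcp
2026-03-01T10:30:00Z|api|agenta-2|user=bob endpoint=/evaluators/run
2026-03-01T10:31:00Z|proc|agenta-2|parent=python3(agenta) child=sh
2026-03-01T10:40:00Z|net|agenta-2|dst=198.51.100.9:443 proto=tcp
2026-03-01T12:00:00Z|proc|agenta-3|parent=python3(agenta) child=sh
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, host, detail = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "host": host,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def _first_between(events, start, end):
    """First event with start <= ts <= end, or None."""
    for e in events:
        if start <= e["ts"] <= end:
            return e
    return None


def correlate(events, window_s=300):
    """Chain submission -> child process -> outbound connection per host.

    stage 3: all three observed within window_s seconds of the submission.
    stage 2: submission followed by a process spawn only.
    A spawn with no preceding submission is not alerted here; the
    process-creation queries above cover that case on their own.
    """
    window = timedelta(seconds=window_s)
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        submits = [e for e in evs if e["source"] == "api"]
        spawns = [e for e in evs if e["source"] == "proc"]
        conns = [e for e in evs if e["source"] == "net"]
        for s in submits:
            deadline = s["ts"] + window
            p = _first_between(spawns, s["ts"], deadline)
            if p is None:
                continue
            c = _first_between(conns, p["ts"], deadline)
            last = c if c is not None else p
            alerts.append({
                "host": host,
                "stage": 3 if c is not None else 2,
                "submission": s["detail"],
                "spawn": p["detail"],
                "connection": c["detail"] if c is not None else None,
                "elapsed_s": int((last["ts"] - s["ts"]).total_seconds()),
            })
    # Highest-confidence alerts first, then by host for a stable order.
    return sorted(alerts, key=lambda a: (-a["stage"], a["host"]))


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(alert)
```

On the sample data agenta-1 produces a stage-3 alert four seconds after the submission, agenta-2 only a stage-2 alert because its outbound connection arrives ten minutes later, and agenta-3 nothing from this rule because no submission preceded the spawn. Narrowing `window_s` to the lower end of the 2–5 minute range drops the agenta-2 alert while keeping agenta-1, which is the trade-off the window controls.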
Mitigation
Immediate actions:
- Upgrade Agenta to version 0.48.1 or later
- Disable custom code evaluator if not required
- Restrict evaluator access to trusted users only
- Apply strict outbound network controls
- Enforce least privilege container runtime configuration
- Rotate all credentials accessible to the Agenta service
Patch Information
The vulnerability has been fixed by removing NumPy from the sandbox allowlist and restructuring sandbox execution logic.
Official Patch / Upgrade Link:
https://github.com/Agenta-AI/agenta/releases/tag/v0.48.1
Upgrade to version 0.48.1 or newer immediately.
Hardening Recommendations
- Do not execute untrusted Python code in-process.
- Use isolated containers or microVMs for user code execution.
- Apply seccomp profiles and AppArmor policies.
- Prevent container privilege escalation.
- Disable host filesystem mounts unless required.
- Implement egress filtering.
Risk Assessment
This vulnerability should be treated as a high-priority patch event for any organization using self-hosted Agenta deployments. Because the exploit requires authentication, risk increases significantly when:
- Public sign-ups are enabled
- Weak authentication controls exist
- Shared environments are used
- Production secrets are mounted inside containers
If exposed to the internet, the system should be assumed exploitable until patched.
Conclusion
CVE-2026-27952 represents a classic sandbox escape caused by underestimating Python’s introspection capabilities. The issue does not rely on advanced exploitation techniques but rather on Python’s dynamic module system and inadequate isolation design.
All vulnerable instances should be upgraded immediately. Logs should be reviewed for suspicious evaluator activity. Secrets accessible to the Agenta runtime should be rotated as a precaution.
