CVE-2026-27952: CWE-94: Improper Control of Generation of Code ('Code Injection') in Agenta-AI agenta-api
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.
AI Analysis
Technical Summary
Agenta-AI's agenta-api prior to version 0.48.1 contains a critical code injection vulnerability (CVE-2026-27952) classified under CWE-94 due to improper control over code generation and execution. The platform uses a custom code evaluator that runs user-supplied Python code server-side within the API process. To restrict potentially dangerous operations, Agenta employed RestrictedPython as a sandboxing mechanism. However, the sandbox incorrectly whitelisted the numpy package as safe, which is problematic because numpy.ma.core.inspect exposes Python's introspection capabilities, including access to sys.modules. This exposure enables an authenticated user to bypass sandbox restrictions and execute arbitrary system-level commands, such as via os.system, effectively escaping the sandbox. This vulnerability is limited to the self-hosted API server component and does not affect the standalone SDK. The flaw was addressed in version 0.48.1 by removing numpy from the sandbox allowlist. Furthermore, from version 0.60 onward, the RestrictedPython sandbox was completely removed and replaced with a different execution model, mitigating this class of vulnerabilities. The vulnerability has a CVSS 3.1 base score of 8.8, indicating a high severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability.
Potential Impact
This vulnerability allows authenticated users to execute arbitrary code on the agenta-api server, potentially leading to full system compromise. Attackers can leverage this to access sensitive data, modify or delete critical information, disrupt service availability, or pivot to other systems within the network. Since the vulnerability requires authentication, insider threats or compromised credentials pose a significant risk. Organizations running self-hosted instances of agenta-api prior to version 0.48.1 are at risk of unauthorized control over their AI operations platform, which could undermine trust in AI workflows and data integrity. The impact extends to any environment where agenta-api is used to evaluate or execute user-supplied code, especially in multi-tenant or collaborative settings. The compromise could also facilitate lateral movement and further exploitation within enterprise networks.
Mitigation Recommendations
Organizations should immediately upgrade agenta-api to version 0.48.1 or later, where numpy is removed from the sandbox allowlist, or preferably to version 0.60+, which replaces the sandbox entirely. Until upgrades are applied, restrict access to the API server to trusted users only and enforce strong authentication and monitoring to detect suspicious activity. Review and limit user permissions to minimize the risk of malicious code execution. Implement network segmentation and host-based intrusion detection to identify anomalous behavior indicative of sandbox escape attempts. Conduct thorough code reviews and security testing of any custom code evaluator configurations. Additionally, consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts. Regularly audit logs for unusual commands or system calls originating from the API process.
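As an added illustration of the root cause described above (example code, not Agenta's or RestrictedPython's), the snippet below contrasts module-level allowlisting, which hands the sandbox every name a library re-exports, with attribute-level allowlisting that blocks the transitive path. `fakelib` is a constructed stand-in for a library that re-exports `inspect`, the allowlists are assumptions, and no RestrictedPython install is needed.

```python
import inspect
import math
import types


class ModuleProxy:
    """Expose only an explicit allowlist of a module's attributes.

    Allowlisting a whole module (the pre-0.48.1 mistake) also grants every
    name the module itself imported, e.g. numpy.ma.core.inspect. Restricting
    access to named attributes, and never handing back raw module objects,
    closes that transitive path.
    """

    def __init__(self, module, allowed_attrs):
        object.__setattr__(self, "_module", module)
        object.__setattr__(self, "_allowed", frozenset(allowed_attrs))

    def __getattr__(self, name):
        if name.startswith("_") or name not in self._allowed:
            raise AttributeError(f"{name!r} is not permitted in the sandbox")
        value = getattr(self._module, name)
        if isinstance(value, types.ModuleType):
            # A raw submodule would carry its own imports (sys, os, ...).
            raise AttributeError(f"submodule {name!r} is not permitted")
        return value

    def __setattr__(self, name, value):
        raise AttributeError("sandboxed modules are read-only")


def attribute_reachable(root, dotted_path):
    """True if the dotted path resolves from root, e.g. 'inspect.sys.modules'."""
    obj = root
    try:
        for part in dotted_path.split("."):
            obj = getattr(obj, part)
    except AttributeError:
        return False
    return True


# Constructed stand-in for a library that, like numpy.ma.core, re-exports inspect.
fakelib = types.ModuleType("fakelib")
fakelib.inspect = inspect
fakelib.mean = lambda xs: sum(xs) / len(xs)

# Assumed allowlists: only the helpers an evaluator scorer actually needs.
sandboxed_math = ModuleProxy(math, {"sqrt", "log", "fabs"})
sandboxed_fakelib = ModuleProxy(fakelib, {"mean"})
```

Handing `fakelib` itself to the sandbox lets `inspect.sys.modules` resolve; through `sandboxed_fakelib` the same path fails at the first hop while `mean` still works.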
Affected Countries
United States, Germany, United Kingdom, Canada, France, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:11:36.690Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699fabd8b7ef31ef0b7dea12
Added to database: 2/26/2026, 2:11:36 AM
Last enriched: 3/5/2026, 10:04:46 AM
Last updated: 4/12/2026, 8:06:43 AM