
CVE-2026-27952: CWE-94: Improper Control of Generation of Code ('Code Injection') in Agenta-AI agenta-api

Severity: High
Tags: Vulnerability, CVE-2026-27952, cve, cve-2026-27952, cwe-94
Published: Thu Feb 26 2026 (02/26/2026, 01:38:00 UTC)
Source: CVE Database V5
Vendor/Project: Agenta-AI
Product: agenta-api

Description

CVE-2026-27952 is a high-severity code injection vulnerability in the Agenta-AI agenta-api platform versions prior to 0.48.1. The issue arises from improper sandboxing of user-supplied Python code in the custom code evaluator, which used RestrictedPython with an unsafe whitelist including the numpy package. This allowed authenticated users to escape the sandbox via numpy's introspection features, gaining arbitrary code execution on the API server. The vulnerability affects the self-hosted API server, not the standalone SDK. It was fixed by removing numpy from the sandbox whitelist in version 0.48.1 and later fully removing RestrictedPython in version 0.60+.

AI-Powered Analysis

Last updated: 02/26/2026, 02:26:48 UTC

Technical Analysis

CVE-2026-27952 is a critical code injection vulnerability classified under CWE-94, affecting the Agenta-AI agenta-api platform before version 0.48.1. Agenta is an open-source platform designed for managing large language model operations (LLMOps). The vulnerability stems from the use of RestrictedPython as a sandboxing mechanism for executing user-supplied Python code within the platform's custom code evaluator. RestrictedPython aims to restrict the capabilities of executed code to prevent malicious actions. However, Agenta incorrectly whitelisted the numpy package as safe within this sandbox. The numpy.ma.core.inspect module exposes Python introspection utilities, including access to sys.modules, which in turn allows access to unrestricted system-level functions such as os.system. This flaw enables authenticated users to bypass sandbox restrictions and execute arbitrary code on the API server hosting Agenta. The vulnerability is specific to the self-hosted API server environment and does not affect the standalone SDK used as a Python library. The issue was remediated in version 0.48.1 by removing numpy from the sandbox allowlist, and in version 0.60 and later, the RestrictedPython sandbox was entirely replaced with a different execution model, eliminating this attack vector. The CVSS v3.1 base score is 8.8, reflecting high severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability. No known exploits are reported in the wild as of the publication date.

Potential Impact

The vulnerability allows authenticated users to execute arbitrary code on the API server, potentially leading to full system compromise. This includes unauthorized access to sensitive data, manipulation or destruction of data, and disruption of service availability. Since the API server typically runs with elevated privileges to manage LLMOps workflows, exploitation could enable attackers to pivot within the network, install persistent malware, or exfiltrate confidential information. Organizations relying on Agenta for managing AI workflows may face operational disruptions, data breaches, and reputational damage. The requirement for authentication limits exposure to some extent, but insider threats or compromised credentials could be leveraged to exploit this flaw. The impact is particularly severe in environments where Agenta is integrated with critical infrastructure or sensitive data processing pipelines.

Mitigation Recommendations

Organizations should immediately upgrade agenta-api to version 0.48.1 or later, preferably to version 0.60 or above where the vulnerable sandboxing mechanism is fully removed. If upgrading is not immediately possible, administrators should disable or restrict access to the custom code evaluator feature to trusted users only and monitor API server logs for suspicious activity related to code execution. Review and harden authentication mechanisms to prevent unauthorized access, including enforcing strong credential policies and multi-factor authentication. Conduct thorough code reviews and penetration testing focused on sandbox escape vectors if custom code execution features are used. Consider isolating the API server in a segmented network environment with strict outbound controls to limit potential lateral movement in case of compromise. Finally, maintain up-to-date backups and incident response plans tailored to potential code injection and remote code execution attacks.
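The upgrade guidance above defines three version bands: before 0.48.1 (vulnerable), 0.48.1 up to but excluding 0.60 (numpy removed from the allowlist, RestrictedPython still present), and 0.60 and later (RestrictedPython removed). The following script is an added example, not part of this advisory or of the Agenta project, for triaging a fleet of self-hosted agenta-api deployments against those bands. The version thresholds come from the advisory; the host names and version strings in the inventory are constructed sample data, and the handling of pre-release tags (a pre-release of a fix version is treated as not yet fixed) is this example's own conservative choice.

```python
import re
from typing import Dict, List, Tuple

# Thresholds taken from the CVE-2026-27952 advisory text.
# The trailing 1 marks a final release; pre-releases carry 0 so that
# "0.48.1rc1" sorts below "0.48.1" and is still reported as vulnerable.
FIXED_VERSION = (0, 48, 1, 1)            # numpy removed from the RestrictedPython allowlist
SANDBOX_REMOVED_VERSION = (0, 60, 0, 1)  # RestrictedPython execution model removed

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(r"^[.\-_]?(alpha|beta|rc|dev|pre|a|b)\d*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'X', 'X.Y', 'X.Y.Z' with an optional leading 'v' and trailing tag.

    Missing components default to 0, so '0.60' becomes (0, 60, 0, 1).
    A recognised pre-release suffix sets the last element to 0; anything
    else (empty, '.post1', '+build') is treated as a final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    final = 0 if _PRERELEASE_RE.match(suffix or "") else 1
    return (int(major), int(minor or 0), int(patch or 0), final)


def assess(version: str) -> str:
    """Classify one agenta-api version into the advisory's three bands."""
    v = parse_version(version)
    if v < FIXED_VERSION:
        return "vulnerable"                 # upgrade to 0.48.1 immediately
    if v < SANDBOX_REMOVED_VERSION:
        return "patched-restrictedpython"   # fixed, but RestrictedPython still in use
    return "sandbox-removed"                # 0.60+: vulnerable mechanism removed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by assessment band; hosts with unparsable versions
    are placed in an 'unknown' band so they are not silently dropped."""
    groups: Dict[str, List[str]] = {
        "vulnerable": [], "patched-restrictedpython": [], "sandbox-removed": [], "unknown": []
    }
    for host, version in sorted(inventory.items()):
        try:
            groups[assess(version)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


# Constructed sample inventory (hypothetical hosts, not real deployments).
SAMPLE_INVENTORY = {
    "llmops-prod-01": "0.47.9",
    "llmops-prod-02": "0.48.1rc1",
    "llmops-staging": "v0.48.1",
    "llmops-dev": "0.61.0",
    "llmops-lab": "latest",
}

if __name__ == "__main__":
    for band, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{band:26s} {', '.join(hosts) or '-'}")
```

Hosts in the "vulnerable" band need the upgrade or, failing that, the interim controls listed above (restricting the custom code evaluator to trusted users and monitoring the API server). Hosts in the "patched-restrictedpython" band are no longer exposed to this CVE but still run the sandboxing mechanism the advisory recommends moving away from, so they belong on the same upgrade plan.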


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-25T03:11:36.690Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699fabd8b7ef31ef0b7dea12

Added to database: 2/26/2026, 2:11:36 AM

Last enriched: 2/26/2026, 2:26:48 AM

Last updated: 2/26/2026, 8:12:23 AM
