CVE-2026-32640: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in danthedeckie simpleeval
CVE-2026-32640 is a high-severity vulnerability in the Python library simpleeval (versions prior to 1.0.5) that allows improper control over dynamically-determined object attributes. This flaw enables attackers to access dangerous modules or functions within the sandboxed evaluation environment by exploiting how objects and their attributes are exposed. The vulnerability arises because modules or unsafe objects can be leaked through passed-in names or callbacks, bypassing intended sandbox restrictions. No authentication or user interaction is required, and the vulnerability can be exploited remotely over the network. The issue is fixed in simpleeval version 1.0.5. Organizations using vulnerable versions in their Python projects risk unauthorized code execution or information disclosure.
AI Analysis
Technical Summary
CVE-2026-32640 is a vulnerability in the Python library simpleeval, which is designed to safely evaluate expressions within Python projects. Prior to version 1.0.5, simpleeval improperly controls modification and access to dynamically-determined object attributes, classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and related to CWE-94 (Improper Control of Generation of Code). The vulnerability allows attackers to bypass sandbox restrictions by leaking dangerous modules or functions through objects passed as names or callbacks. Specifically, if the objects provided to simpleeval contain modules or unsafe attributes, these can be accessed directly or indirectly, enabling execution of arbitrary code or access to sensitive functions. The flaw does not require any authentication or user interaction and can be exploited remotely, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vulnerability has a CVSS 4.0 base score of 8.7, reflecting high severity due to the potential for high impact on confidentiality and integrity without any privileges needed. The issue was publicly disclosed on March 13, 2026, and fixed in simpleeval version 1.0.5. No known exploits are reported in the wild yet, but the ease of exploitation and severity warrant immediate attention. This vulnerability is particularly critical for organizations embedding simpleeval in applications that evaluate user-supplied expressions or data, as it could lead to remote code execution or data leakage within otherwise sandboxed environments.
Potential Impact
The impact of CVE-2026-32640 is significant for organizations using vulnerable versions of simpleeval in their Python projects. Exploitation can lead to unauthorized access to sensitive modules and functions, potentially resulting in remote code execution, data leakage, or privilege escalation within the application context. Since simpleeval is often used to safely evaluate expressions, this vulnerability undermines the sandboxing guarantees, exposing applications to arbitrary code execution risks. This can compromise the confidentiality, integrity, and availability of systems relying on simpleeval, especially in web applications, automation scripts, or any service evaluating untrusted input. The lack of required authentication or user interaction increases the risk of widespread exploitation. Organizations could face data breaches, service disruptions, or further lateral movement by attackers leveraging this vulnerability. The absence of known exploits in the wild currently reduces the immediate threat but does not diminish the urgency of patching, as public disclosure may lead to rapid development of exploits.
Mitigation Recommendations
To mitigate CVE-2026-32640, organizations should immediately upgrade all instances of simpleeval to version 1.0.5 or later, where the vulnerability is fixed. Additionally, review and audit all code that uses simpleeval to ensure that only safe, sanitized objects are passed into the evaluation context, avoiding any modules or functions that could be exploited. Implement strict input validation and limit the scope of objects accessible within the evaluation environment. Consider employing additional sandboxing or containerization techniques to isolate the evaluation process. Monitor application logs for unusual activity related to expression evaluation. If upgrading is not immediately feasible, restrict access to services using simpleeval to trusted users or networks and apply runtime application self-protection (RASP) or web application firewall (WAF) rules to detect and block suspicious expression inputs. Maintain awareness of any emerging exploit code or attack campaigns targeting this vulnerability.
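One pre-flight check a host application can run on the objects it is about to hand to the evaluator, as an added example that is not simpleeval's own code: it assumes the mapping will become simpleeval's `names` argument, treats modules and classes as the leak path the advisory describes, walks only public attributes, and flags bare callables so they go through an explicit `functions` allow-list instead.

```python
import math
import types

# Value types with no reference back to modules or code, and the types that
# are the usual bridge to code (assumptions for this example, not simpleeval policy).
SAFE_SCALARS = (int, float, str, bytes, bool, type(None))
CODE_LIKE = (types.ModuleType, type)


def _public_attribute_leaks(obj):
    """Public attribute names of obj whose value is a module or class."""
    leaks = []
    for attr in (a for a in dir(obj) if not a.startswith("_")):
        try:
            if isinstance(getattr(obj, attr), CODE_LIKE):
                leaks.append(attr)
        except Exception:  # a property that raises; nothing to inspect
            pass
    return leaks


def audit_names(names, path=""):
    """Return (path, reason) findings for a mapping destined for an
    evaluator's `names`; containers are walked so nested leaks are found."""
    findings = []
    is_map = isinstance(names, dict)
    for key, value in names.items() if is_map else enumerate(names):
        here = (f"{path}.{key}" if path else str(key)) if is_map else f"{path}[{key}]"
        if isinstance(value, SAFE_SCALARS):
            continue
        if isinstance(value, (dict, list, tuple)):
            findings.extend(audit_names(value, here))
        elif isinstance(value, CODE_LIKE):
            findings.append((here, "module or class passed as a value"))
        elif callable(value):
            findings.append((here, "callable in names; use an explicit functions allow-list"))
        else:
            leaks = _public_attribute_leaks(value)
            if leaks:
                findings.append((here, "attributes reach a module or class: " + ", ".join(leaks)))
    return findings


def demo():
    """Constructed context: a leaked module, an object whose attribute points
    at a module, a bare callable, and a module nested inside a list."""
    class Report:
        title = "q1"
        helper = math  # host-side convenience that leaks the math module
    ctx = {"x": 3, "tags": ["a", "b"], "m": math, "r": Report(),
           "f": len, "nested": {"tools": [math]}}
    return dict(audit_names(ctx))
```

A non-empty result should fail the request or the deployment check; the audit complements the upgrade to 1.0.5 rather than replacing it.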
Affected Countries
United States, Germany, India, China, United Kingdom, Canada, Australia, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T15:29:36.560Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b481d42f860ef943b5ebbd
Added to database: 3/13/2026, 9:29:56 PM
Last enriched: 3/13/2026, 9:44:23 PM
Last updated: 3/13/2026, 11:44:56 PM