What is the CVSS score of CVE-2026-27952?

CVE-2026-27952 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by CVE-2026-27952?

A critical sandbox escape vulnerability in Agenta-API allows attackers to execute arbitrary code on systems running affected versions.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27952?

Yes, a public proof-of-concept exploit is available for CVE-2026-27952. Prioritise patching immediately. EPSS: 0.1%.

Python CVE-2026-27952

HIGH

Code Injection (CWE-94)

2026-02-26 security-advisories@github.com

Python AI / ML Agenta

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 02, 2026 - 18:43 vuln.today

Public exploit code

CVE Published

Feb 26, 2026 - 02:16 nvd

HIGH 8.8

DescriptionNVD

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the numpy package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through numpy.ma.core.inspect, which exposes Python's introspection utilities - including sys.modules - thereby providing access to unfiltered system-level functionality like os.system. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing numpy from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.

AnalysisAI

Arbitrary code execution in Agenta-API prior to version 0.48.1 allows authenticated users to escape the RestrictedPython sandbox through unsafe whitelisting of the numpy package, enabling execution of arbitrary system commands on the API server. The vulnerability leverages numpy.ma.core.inspect to access Python introspection utilities and bypass sandbox restrictions. …

RemediationAI

Within 24 hours: Inventory all Agenta deployments and versions; disable or restrict access to custom code evaluator features if operationally feasible. Within 7 days: Implement network segmentation to isolate Agenta instances; enable enhanced logging and monitoring for suspicious code execution patterns; assess whether your version is below 0.48.1. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-27952 vulnerability details – vuln.today

Back

Python CVE-2026-27952

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code