RAXE-2026-012 CRITICAL CVSS 9.9 v3.1 S2

Agenta LLMOps Sandbox Escape and SSTI in Evaluator Pipeline (CVE-2026-27952, CVE-2026-27961)

Agent Security AML.T0049 2026-03-04 M. Hirani TLP:GREEN
CVE-2026-27952 CVE-2026-27961

Executive Summary

Two critical remote code execution vulnerabilities have been identified in the Agenta open-source LLMOps platform, affecting its evaluator pipeline. CVE-2026-27952 enables sandbox escape through numpy import path manipulation in Agenta-API versions prior to 0.48.1, whilst CVE-2026-27961 allows server-side template injection (SSTI) in the evaluator component of Agenta versions up to and including 0.86.7. CVE-2026-27952 carries a CVSS v3.1 score of 9.9 (CRITICAL) from NVD/NIST (8.8 per GitHub), and CVE-2026-27961 is rated 8.8 (HIGH). Both permit an authenticated attacker to achieve arbitrary code execution on the host system, breaking the intended isolation boundary of the evaluator sandbox. Organisations running Agenta should apply the relevant patches immediately: Agenta-API 0.48.1 or later for CVE-2026-27952, and Agenta 0.86.8 or later for CVE-2026-27961. Organisations running Agenta v0.60 or later are not affected by CVE-2026-27952, as the RestrictedPython sandbox was removed in that release (NVD).

Risk Rating

Dimension Rating Detail
Severity CRITICAL / HIGH CVE-2026-27952 rated CVSS v3.1 9.9 CRITICAL by NVD (NIST), 8.8 HIGH by GitHub. CVE-2026-27961 rated CVSS v3.1 8.8 HIGH. CWE-94 (Code Injection) and CWE-1336 (Template Injection) indicate full code execution capability.
Urgency HIGH Vendor patches are available (0.48.1 and 0.86.8). Unpatched instances are exploitable by any authenticated user with evaluator access.
Scope MODERATE Agenta is an open-source LLMOps platform used for prompt engineering and LLM evaluation. Impact is bounded to organisations self-hosting Agenta with exposed evaluator pipelines.
Confidence CONFIRMED Both vulnerabilities have assigned CVEs (NVD), published GitHub Security Advisories (GHSA-pmgp-2m3v-34mq, GHSA-cfr2-mp74-3763), and vendor-released patches.
Business Impact HIGH Successful exploitation grants arbitrary code execution on the Agenta host, potentially exposing LLM training data, API keys, and connected infrastructure credentials. Depending on deployment configuration, model weights and other sensitive artefacts accessible to the Agenta process may also be at risk (RAXE assessment).

Affected Products

Product Component CVE Affected Versions Fixed Version Status
Agenta Agenta-API (sandbox) CVE-2026-27952 < 0.48.1 0.48.1 Patch available (GHSA)
Agenta Evaluator pipeline CVE-2026-27961 <= 0.86.7 0.86.8 Patch available (GHSA)

Note: The agenta package on PyPI is the SDK component; the agenta-api server is distributed as a Docker image, not a separate PyPI package (GHSA). The version numbers reflect different components within the Agenta platform: CVE-2026-27952 affects the API server's sandbox (fixed in Agenta-API 0.48.1; sandbox removed entirely in v0.60+), whilst CVE-2026-27961 affects the evaluator template rendering in the SDK executed server-side (fixed in 0.86.8). Organisations running Agenta v0.60 or later need only upgrade to 0.86.8 to address the remaining SSTI vulnerability (NVD, GHSA).

Am I Affected?

  1. Check if you use Agenta: Search your deployment for Agenta containers or Python packages.
   pip show agenta
  1. Check your version: Compare the installed version against the fixed versions listed above. Any version of agenta below 0.86.8 may be vulnerable to CVE-2026-27961. Any Agenta-API version below 0.48.1 may be vulnerable to CVE-2026-27952.
   pip show agenta | grep Version
  1. Check deployment exposure: Determine whether the evaluator pipeline endpoint is accessible to authenticated users. If your Agenta instance is internet-facing with user-accessible evaluator functionality, exploitation risk is elevated.
  2. Check for custom evaluators: If your Agenta deployment uses custom evaluation scripts or user-defined templates in the evaluator pipeline, these represent the direct attack surface for both vulnerabilities.

Abstract

This advisory details two related remote code execution vulnerabilities in the Agenta open-source LLMOps platform. The first, CVE-2026-27952, is a sandbox escape in Agenta-API versions prior to 0.48.1, where an attacker can abuse the numpy import path to break out of the intended code execution sandbox within the evaluator pipeline. The second, CVE-2026-27961, is a server-side template injection vulnerability in Agenta versions up to 0.86.7, where insufficiently sanitised user input reaches the template rendering engine used by the evaluator component. Both vulnerabilities share the same attack surface -- the evaluator pipeline -- and produce the same impact: arbitrary code execution on the underlying host system. The vulnerabilities are classified under CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) respectively (NVD). This bundled advisory covers both CVEs because they affect the same product, share the same pipeline as attack surface, and produce equivalent impact, though they have different fix versions and CVSS scores (9.9 CRITICAL and 8.8 HIGH respectively per NVD/NIST).

Key Findings

  1. Sandbox Escape via numpy Import Path (CVE-2026-27952): The Agenta-API evaluator sandbox permits code execution for LLM output evaluation but fails to adequately restrict import paths. An attacker can leverage numpy's internal module loading mechanisms to import restricted modules and escape the sandbox, achieving arbitrary code execution on the host (GHSA-pmgp-2m3v-34mq).

  2. Server-Side Template Injection in Evaluator (CVE-2026-27961): The evaluator pipeline processes user-supplied input through a template engine without proper neutralisation of template directives. An attacker can inject Jinja2 template syntax into evaluator inputs, resulting in server-side template injection and arbitrary code execution. The GHSA confirms the vulnerable code uses unsandboxed Jinja2 Template(content).render() calls (GHSA-cfr2-mp74-3763).

  3. Shared Attack Surface -- The Evaluator Pipeline: Both vulnerabilities target the same architectural component: the evaluator pipeline that processes LLM outputs. This pipeline is designed to execute evaluation logic against model responses, making it an inherently high-privilege execution context. The evaluator's requirement to run user-defined evaluation code creates a fundamental tension between functionality and isolation.

  4. Comparable Severity and Identical Impact Profile: CVE-2026-27952 carries a CVSS v3.1 score of 9.9 (CRITICAL) from NVD/NIST and 8.8 (HIGH) from GitHub; CVE-2026-27961 is rated 8.8 (HIGH) by both. The NIST score for CVE-2026-27952 is higher due to a Changed scope (S:C), reflecting cross-boundary impact from the sandbox escape. Successful exploitation of either vulnerability results in the same outcome: arbitrary code execution on the Agenta host, with access to environment variables, file systems, and network resources available to the Agenta process.

  5. LLMOps Platforms as Emerging Attack Surface (RAXE assessment): These vulnerabilities exemplify a growing pattern in the AI/ML tooling ecosystem: platforms that must execute user-supplied code or templates for legitimate functionality (evaluation, testing, prompt engineering) struggle to maintain adequate isolation boundaries. The evaluator pipeline -- a component unique to LLMOps platforms -- represents an attack surface category not well-addressed by traditional application security controls.

Attack Flow

                        CVE-2026-27952: Sandbox Escape
                        ==============================

  Attacker (Authenticated)
       |
       v
  +-- Agenta Evaluator API --+
       |
       |  Submit evaluation request containing
       |  crafted code that references numpy internals
       v
  +-- Evaluator Sandbox --+
       |
       |  numpy import path resolves to
       |  restricted module loader
       v
  +-- numpy Internal Path --+ -----> +-- Restricted Module Access --+
       |                                        |
       |  Sandbox boundary bypassed             |
       v                                        v
  +-- Host OS Code Execution --+ <-- +-- Arbitrary Import Achieved --+
       |
       v
  +-- Impact: Data Exfil / Lateral Movement / Credential Theft --+


                        CVE-2026-27961: SSTI
                        ====================

  Attacker (Authenticated)
       |
       v
  +-- Agenta Evaluator API --+
       |
       |  Submit evaluation request containing
       |  template injection payload
       |  (Jinja2 template syntax)
       v
  +-- Evaluator Pipeline --+
       |
       |  User input passed unsanitised
       |  to template rendering engine
       v
  +-- Template Engine Processes Payload --+
       |
       |  Template directive executes
       |  arbitrary Python code
       v
  +-- Host OS Code Execution --+
       |
       v
  +-- Impact: Data Exfil / Lateral Movement / Credential Theft --+


                Combined Kill Chain
                ===================

  Reconnaissance -----> Identify Agenta instance with evaluator API
       |
       v
  Initial Access -----> Authenticate to Agenta (user-level credentials)
       |
       v
  Execution ----------> Submit crafted evaluator request
       |                (sandbox escape OR template injection)
       v
  Privilege Escalation > Break evaluator sandbox boundary
       |
       v
  Collection ----------> Access environment variables, API keys,
       |                  and data accessible to the Agenta process
       v
  Exfiltration --------> Extract sensitive data via network
                          or command execution

ATLAS Mapping: AML.T0049 -- Exploit Public-Facing Application. The evaluator API is the public-facing application component exploited in both attack paths.

Technical Details

CVE-2026-27952: Sandbox Escape via numpy Import Path

Root Cause: CWE-94 -- Improper Control of Generation of Code (NVD)

The Agenta-API evaluator implements a sandbox to constrain code execution during LLM output evaluation. This sandbox is intended to allow safe execution of user-defined evaluation logic whilst preventing access to the broader host environment. However, the sandbox's import restriction mechanism fails to account for numpy's internal module loading infrastructure (GHSA-pmgp-2m3v-34mq).

numpy was incorrectly whitelisted as safe within the RestrictedPython sandbox. The escape path is through numpy.ma.core.inspect, which exposes Python's introspection utilities -- including sys.modules -- thereby providing access to unfiltered system-level functionality (NVD, GHSA-pmgp-2m3v-34mq). Once these restricted modules are accessible, the attacker can execute arbitrary system commands or access the file system, effectively escaping the sandbox entirely.

Affected Component: Agenta-API versions prior to 0.48.1 (GHSA-pmgp-2m3v-34mq).

Fix: Version 0.48.1 addresses the sandbox escape by removing numpy from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model, eliminating this class of vulnerability (NVD, GHSA-pmgp-2m3v-34mq).

CVE-2026-27961: Server-Side Template Injection in Evaluator Pipeline

Root Cause: CWE-1336 -- Improper Neutralization of Special Elements Used in a Template Engine (NVD)

The Agenta evaluator pipeline uses a template engine to process evaluation configurations and render evaluation outputs. User-supplied input is passed into this template rendering context without adequate sanitisation or sandboxing of template directives (GHSA-cfr2-mp74-3763).

An attacker can inject Jinja2 expression blocks ({{ }}) or statement blocks ({% %}) into evaluator request parameters. The GHSA confirms the vulnerable path uses unsandboxed Template(content).render() in Jinja2 (GHSA-cfr2-mp74-3763). When the template engine processes these inputs, the injected directives execute within the server's Python runtime, granting the attacker arbitrary code execution.

SSTI vulnerabilities in Python template engines are well-documented attack patterns. The standard exploitation chain involves accessing Python's object hierarchy (via __class__, __mro__, __subclasses__()) to reach modules capable of command execution, such as subprocess.Popen.

Affected Component: Agenta versions up to and including 0.86.7 (GHSA-cfr2-mp74-3763).

Fix: Version 0.86.8 addresses the SSTI vulnerability by implementing proper input neutralisation before template rendering (GHSA-cfr2-mp74-3763).

Combined Impact

Both vulnerabilities share the following characteristics:

  • Authentication Required: Both require authenticated access to the Agenta evaluator API. The attack is not pre-authentication, but any user with evaluator access can exploit them.
  • No User Interaction: Exploitation does not require a victim to perform any action; the attacker submits a crafted request directly.
  • Full Host Compromise: Successful exploitation grants code execution with the privileges of the Agenta process, typically providing access to environment variables (which may contain API keys, database credentials, and cloud provider tokens), the local file system, and network access to connected services. The extent of data exposure depends on the deployment configuration and the privileges of the Agenta process (RAXE assessment).

Confidence & Validation

Assessment Confidence: Confirmed

Aspect Status Detail
Vendor Advisory Yes GitHub Security Advisories published: GHSA-pmgp-2m3v-34mq (sandbox escape), GHSA-cfr2-mp74-3763 (SSTI).
CVE Assigned Yes CVE-2026-27952 (NVD/NIST CVSS v3.1 9.9 CRITICAL; GitHub 8.8 HIGH) and CVE-2026-27961 (CVSS v3.1 8.8 HIGH), both listed on NVD.
PoC Available Not public No public proof-of-concept exploit code has been identified at the time of writing.
Patch Available Yes Agenta-API 0.48.1 fixes CVE-2026-27952; Agenta 0.86.8 fixes CVE-2026-27961 (GHSA).
Exploited in Wild No evidence No evidence of active exploitation has been observed at the time of writing.

Source Reliability: Admiralty Grade E5. Both CVEs are confirmed by NVD and the vendor's own security advisories on GitHub.

Detection Signatures

Three Sigma detection rules have been developed for this finding:

AGENTA-001: Sandbox Escape via Import Path Manipulation

  • Rule ID: AGENTA-001
  • Type: Sigma (application log monitoring)
  • Purpose: Detects attempts to access restricted Python modules via numpy's internal import path within the Agenta evaluator sandbox.
  • Detection Logic: Monitors evaluator execution logs for patterns indicating access to numpy internals used for module loading (e.g., references to numpy.core, numpy.ctypeslib, or __import__ calls routed through numpy's module namespace). Triggers on any evaluator request that attempts to load modules outside the permitted sandbox allowlist.
  • Severity: High
  • False Positive Guidance: Legitimate evaluation code that performs deep numpy operations (such as custom C extension loading) may trigger this rule. Review the specific modules referenced before escalating.

AGENTA-002: SSTI Payload Detection

  • Rule ID: AGENTA-002
  • Type: Sigma (application log / WAF monitoring)
  • Purpose: Detects server-side template injection payloads in evaluator pipeline requests.
  • Detection Logic: Monitors evaluator API request parameters for Jinja2 template injection payloads (confirmed template engine per GHSA), including: {{ }} expression blocks, {% %} statement blocks, references to Python object introspection attributes (__class__, __mro__, __subclasses__, __globals__), and known SSTI exploitation chains (e.g., config.items(), lipsum.__globals__).
  • Severity: High
  • False Positive Guidance: Legitimate evaluator templates that use Jinja2 syntax for intended template rendering may trigger this rule. The presence of Python introspection attributes (__class__, __mro__) strongly indicates exploitation rather than legitimate use.

AGENTA-003: Anomalous Process Spawned by Evaluator

  • Rule ID: AGENTA-003
  • Type: Sigma (host-based process monitoring)
  • Purpose: Detects post-exploitation activity following successful sandbox escape or SSTI exploitation.
  • Detection Logic: Monitors for child processes spawned by the Agenta evaluator process that are inconsistent with normal evaluation operations. This includes shell interpreters (/bin/sh, /bin/bash, cmd.exe), network utilities (curl, wget, nc, ncat), reconnaissance tools (whoami, id, uname, env), and file access utilities (cat, head, tail) targeting sensitive paths (/etc/passwd, /proc/self/environ, .env).
  • Severity: Critical
  • False Positive Guidance: This rule should have very low false positive rates. Legitimate evaluator operations should not spawn shell processes or network tools. Any match warrants immediate investigation.

Detection & Mitigation

Detection Approach

Organisations running Agenta should implement detection at multiple layers:

Application Layer: Deploy rules AGENTA-001 and AGENTA-002 against Agenta evaluator API access logs. These rules detect exploitation attempts at the point of entry, before code execution is achieved. If Agenta is deployed behind a web application firewall (WAF), configure SSTI signature detection for the evaluator endpoint specifically.

Host Layer: Deploy rule AGENTA-003 on hosts running Agenta containers or processes. This rule detects successful exploitation by monitoring for anomalous child process creation, providing coverage regardless of the specific exploitation technique used.

Network Layer: Monitor outbound network connections from the Agenta host for unexpected destinations. Post-exploitation data exfiltration will typically involve connections to attacker-controlled infrastructure that would not appear in normal Agenta operations.

Remediation Steps

  1. Immediate: Upgrade by component. The two vulnerabilities have different fix versions and affected components:

  2. CVE-2026-27952 (sandbox escape): Upgrade Agenta-API to version 0.48.1 or later. This removes numpy from the sandbox allowlist. Organisations already running Agenta v0.60 or later are not affected by this CVE, as the RestrictedPython sandbox was removed entirely and replaced with a different execution model in that release (NVD, GHSA-pmgp-2m3v-34mq).

  3. CVE-2026-27961 (SSTI): Upgrade the Agenta SDK to version 0.86.8 or later. This addresses the unsandboxed Jinja2 template rendering in the evaluator pipeline (GHSA-cfr2-mp74-3763).
   pip install --upgrade agenta>=0.86.8

Upgrading to 0.86.8 addresses CVE-2026-27961 and, since 0.86.8 is well past the v0.60 architectural change, also ensures CVE-2026-27952 is no longer relevant.

  1. If immediate upgrade is not possible: Restrict access to the evaluator API to trusted users only. Remove evaluator access from accounts that do not require it. This reduces the pool of potential attackers but does not eliminate the vulnerability.

  2. Review evaluator permissions: Audit which users and service accounts have access to the evaluator pipeline. Apply the principle of least privilege -- users who only need to view evaluation results should not have permissions to submit evaluation requests.

  3. Network segmentation: Ensure the Agenta host does not have unnecessary network access to sensitive internal resources. If the evaluator sandbox is compromised, network segmentation limits the attacker's ability to move laterally.

  4. Environment variable hygiene: Review the environment variables available on the Agenta host. Remove or vault any credentials that are not strictly necessary for the Agenta process to function. API keys for LLM providers, database credentials, and cloud provider tokens stored in environment variables are immediately accessible upon sandbox escape.

  5. Monitoring deployment: Deploy the three Sigma rules described in the Detection Signatures section. Prioritise AGENTA-003 (host-based detection) as it provides the broadest coverage against successful exploitation.

Indicators of Compromise

These are behavioural indicators. No file hashes are applicable as these are code-level vulnerabilities exploited via API requests.

Type Indicator Context
Behavioural Evaluator requests containing __import__ or numpy.core references in code parameters CVE-2026-27952 sandbox escape attempt
Behavioural Evaluator requests containing {{ }} or {% %} template syntax in non-template fields CVE-2026-27961 SSTI attempt
Behavioural Evaluator requests referencing __class__, __mro__, __subclasses__, or __globals__ SSTI exploitation chain (CVE-2026-27961)
Behavioural Shell process (/bin/sh, /bin/bash) spawned as child of Agenta evaluator process Post-exploitation indicator (either CVE)
Behavioural Network tool execution (curl, wget, nc) by Agenta evaluator process Data exfiltration following successful exploitation
Behavioural File reads targeting /proc/self/environ, .env, or credential files by evaluator process Credential harvesting post-exploitation
Network Unexpected outbound connections from Agenta host to external IP addresses Post-exploitation command-and-control or exfiltration
Process env, whoami, id, or uname commands executed by Agenta evaluator process Reconnaissance following successful sandbox escape

Strategic Context

LLMOps Platforms as an Emerging Attack Surface (RAXE Assessment)

The vulnerabilities in Agenta's evaluator pipeline illustrate a structural security challenge facing the LLMOps category. Platforms designed for LLM evaluation, prompt engineering, and model testing inherently require some form of dynamic code or template execution. This creates a fundamental tension: the evaluator must be powerful enough to express complex evaluation logic, yet constrained enough to prevent abuse.

This is not unique to Agenta. Any LLMOps platform that supports custom evaluators, dynamic templates, or user-defined scoring functions faces the same architectural challenge. The evaluator pipeline is, by design, a controlled code execution environment -- and history demonstrates that controlled code execution environments are exceptionally difficult to secure. Python sandboxing in particular has a well-documented track record of bypass techniques.

Pattern Applicability

Security teams assessing LLMOps tooling in their environments should consider the evaluator pipeline as a first-class attack surface, comparable to CI/CD pipeline code execution or Jupyter notebook servers. The specific vulnerability patterns identified here -- sandbox escape via permitted library internals, and template injection in rendering pipelines -- are transferable to other platforms in this category. Organisations deploying any LLMOps platform with evaluator functionality should:

  • Audit the sandboxing mechanism used for code evaluation
  • Verify that template rendering engines do not process unsanitised user input
  • Ensure evaluator processes run with minimal host-level privileges
  • Implement monitoring for anomalous process creation within evaluator contexts

Regulatory and Compliance Considerations

As AI governance frameworks mature (notably the EU AI Act and NIST AI Risk Management Framework), organisations will face increasing scrutiny over the security of their AI development and evaluation infrastructure. Vulnerabilities in LLMOps platforms that expose model data, training datasets, or connected credentials represent both a cybersecurity risk and a potential compliance failure for organisations subject to these emerging frameworks.

References

  1. CVE-2026-27952 -- NVD
  2. CVE-2026-27961 -- NVD
  3. GHSA-pmgp-2m3v-34mq -- Agenta Sandbox Escape Advisory
  4. GHSA-cfr2-mp74-3763 -- Agenta SSTI Advisory
  5. MITRE ATLAS AML.T0049 -- Exploit Public-Facing Application
  6. CWE-94 -- Improper Control of Generation of Code
  7. CWE-1336 -- Improper Neutralization of Special Elements Used in a Template Engine