PYSEC-2026-6

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/agenta/PYSEC-2026-6.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-6
Aliases
Published
2026-02-26T02:16:22.940Z
Modified
2026-05-20T09:18:50.937531Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the numpy package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through numpy.ma.core.inspect, which exposes Python's introspection utilities — including sys.modules — thereby providing access to unfiltered system-level functionality like os.system. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing numpy from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.

References

Affected packages

PyPI / agenta

Package

Name
agenta
View open source insights on deps.dev
Purl
pkg:pypi/agenta

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.48.1

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.2.0
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.7.0
0.7.1
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.10.0
0.10.1
0.10.2
0.10.3
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.13.0a0
0.13.0a1
0.13.0a2
0.13.0a3
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7a0
0.13.7
0.13.8
0.14.0
0.14.1a0
0.14.1a1
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6a0
0.14.6
0.14.7a0
0.14.7a1
0.14.7
0.14.8a0
0.14.8
0.14.9
0.14.10
0.14.11
0.14.12a0
0.14.12a1
0.14.12a2
0.14.12
0.14.13
0.14.14a0
0.14.14a1
0.14.14
0.15.0a0
0.15.0a1
0.15.0a2
0.15.0a3
0.15.0a4
0.15.0
0.16.0
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4a0
0.17.4
0.17.5
0.17.6a0
0.17.6a1
0.18.0
0.19.0
0.19.1a0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6a0
0.19.6
0.19.7
0.19.8a0
0.19.8
0.19.9
0.20.0a0
0.20.0a1
0.20.0a3
0.20.0a4
0.20.0a6
0.20.0a7
0.20.0a8
0.20.0a9
0.20.0a10
0.20.0a11
0.20.0a12
0.20.0a13
0.21.0a1
0.21.0b1
0.22.0
0.23.0a1
0.23.0
0.24.0
0.24.1a0
0.24.1
0.24.2a1
0.24.2a2
0.24.2
0.24.3a1
0.24.3
0.24.4
0.25.0
0.25.1
0.25.2
0.25.3a1
0.25.3
0.25.4a1
0.25.4a2
0.25.4a3
0.25.4a4
0.25.4
0.26.0a0
0.26.0
0.27.0a0
0.27.0a1
0.27.0a2
0.27.0a5
0.27.0a6
0.27.0a7
0.27.0a8
0.27.0a9
0.27.0a12
0.27.0a13
0.27.0a15
0.27.0
0.27.1
0.27.2a2
0.27.2
0.27.3
0.27.4a0
0.27.4a1
0.27.5a1
0.27.5
0.27.6a0
0.27.6a1
0.27.6a2
0.27.6a3
0.27.6
0.27.7a0
0.27.7a1
0.27.7a2
0.27.7
0.27.8a2
0.28.0a1
0.28.0a2
0.28.0a3
0.28.0a4
0.28.0
0.28.1
0.28.2a1
0.28.2a2
0.29.0
0.30.0a1
0.30.0a2
0.30.0a3
0.30.0a4
0.30.0a6
0.30.0
0.31.0a1
0.31.0
0.32.0a1
0.32.0a2
0.32.0
0.33.0a1
0.33.0a3
0.33.0
0.33.1
0.33.2
0.33.3
0.33.4
0.33.5
0.33.6
0.33.7
0.33.8
0.34.1
0.34.3
0.34.4
0.34.5
0.34.6
0.34.7
0.35.0
0.35.1
0.35.2
0.36.0
0.36.1
0.36.2
0.36.3
0.36.4
0.36.5
0.37.0
0.37.1
0.37.2
0.37.3
0.38.0
0.38.1
0.38.2
0.39.0
0.39.1
0.39.2
0.39.3
0.39.4
0.40.0
0.41.0
0.41.1
0.42.0
0.42.1
0.42.2
0.43.0
0.43.1
0.44.0
0.44.3
0.44.4
0.45.0
0.45.1
0.45.2
0.45.3
0.45.4
0.46.0
0.46.1
0.47.0
0.48.0

Database specific

source 
"https://github.com/pypa/advisory-database/blob/main/vulns/agenta/PYSEC-2026-6.yaml"