Home / Vulnerability Intelligence / CVE-2026-27952

CVE-2026-27952 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: February 27, 2026

Agenta Agenta-API - Command Injection

Published: February 26, 2026Updated: February 27, 2026Remote Exploitable

Overview

Agenta Agenta-API < 0.48.1 contains a command injection caused by improper sandboxing of user-supplied code via whitelisted numpy package, letting authenticated users execute arbitrary code on the API server, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 7.1%(Probability of exploitation in next 30 days)

Impact

Authenticated users can execute arbitrary code on the API server, leading to full server compromise.

Mitigation

Update to version 0.48.1 or later.

References

https://github.com/Agenta-AI/agenta/security/advisories/GHSA-pmgp-2m3v-34mq

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 26, 2026

🟠 CVE-2026-27952 - High (8.8) Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator co... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27952/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-27952
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: unconfirmed
EPSS: 7.1%
Social Posts: 1

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

7.1%Probability of exploitation in the next 30 days