CVE-2026-54769 PUBLISHED

Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent

Assigner: GitHub_M
Reserved: 15.06.2026 Published: 09.07.2026 Updated: 10.07.2026

Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution (RCE) in its TableChatAgent and VectorStore capabilities. When these agents evaluate LLM-generated tool messages with full_eval=True, they attempt to sandbox the execution by explicitly setting locals to an empty dictionary {} inside Python's eval() function. However, this relies on an incomplete understanding of Python's execution model. Because __builtins__ is not explicitly scrubbed from the globals dictionary mapping, Python implicitly injects all built-ins during execution, granting full access to functions like __import__('os').system(). Since TableChatAgent.pandas_eval() executes external LLM outputs natively, this bypass permits any attacker providing prompt payload to achieve unauthenticated RCE on the host system. Version 0.65.2 patches the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Product Status

Vendor langroid
Product langroid
Versions
  • Version < 0.65.2 is affected

References

Problem Types

  • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE