CVE-2026-54769: Langroid Sandbox Escape to RCE
TL;DR - Critical RCE in
langroidaffects versions<= 0.65.1. - Risk is highest whereTableChatAgentorVectorStoreusefull_eval=True. - Upgrade to0.65.2immediately; public PoC exists, but in-the-wild exploitation is not confirmed.
Vulnerability at a Glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-54769 |
| CVSS | 10.0 Critical |
| Attack vector | Network |
| Auth required | None |
| Patch available | Yes, upgrade to 0.65.2 |
This issue affects the Python package langroid, a framework used to build LLM-powered applications. The vulnerability is a sandbox escape that can lead to remote code execution when certain Langroid components evaluate LLM-generated expressions with full_eval=True.
For defenders, the practical concern is not just that eval() was present, but that Langroid workflows may allow model output, prompt-injected content, or tool-generated expressions to reach vulnerable evaluation paths. In exposed application designs, that can turn untrusted prompt content into host-level command execution.
What Is This Vulnerability?
CVE-2026-54769 is a code injection flaw rooted in unsafe use of Python eval(). In vulnerable Langroid versions, the affected code evaluated expressions using a pattern equivalent to:
eval(code, vars, {})
The implementation assumed that passing an empty locals dictionary created a restricted evaluation environment. That assumption is incorrect. In Python, if __builtins__ is not explicitly constrained in the globals mapping, built-in functionality remains accessible during evaluation. That means attacker-controlled input can still reach dangerous capabilities such as module import and command execution.
In practice, the issue becomes severe when Langroid components process model-generated expressions under full_eval=True. The advisory specifically identifies vulnerable code paths in TableChatAgent.pandas_eval() and VectorStoreBase.compute_from_docs(). If an attacker can influence the model output directly or indirectly through prompt injection, they may coerce the application into evaluating malicious expressions such as:
__import__('os').system('id')
This maps to CWE-94: Improper Control of Generation of Code (‘Code Injection’). The impact can include arbitrary command execution, data theft, unauthorized access to local files or connected services, and full compromise of the host, depending on the privileges of the Langroid process.
Technical Notes
The fixed release notes state that version 0.65.2 replaced the unsafe evaluation model with a stricter globals dictionary via safe_eval_globals(local_vars). That helper limits __builtins__ to a curated safe subset and blocks access to dangerous functions including __import__, eval, exec, open, compile, globals, vars, and getattr.
A simplified view of the vulnerable pattern versus the patched approach looks like this:
# Vulnerable concept
eval(user_or_model_controlled_expr, vars, {})
# Patched concept
safe_globals = safe_eval_globals(local_vars)
eval(user_or_model_controlled_expr, safe_globals, {})
Who Is Affected?
The affected product is the langroid Python package in the pip ecosystem. According to the GitHub Security Advisory metadata and release information, the vulnerable version range is <= 0.65.1, which aligns with the NVD description of versions prior to 0.65.2.
The fixed version is 0.65.2. If you are running langroid 0.65.1 or any earlier release, and your application uses either TableChatAgent or VectorStore in a way that allows full_eval=True, you should treat the system as exposed until upgraded or otherwise mitigated.
The affected code paths called out in the advisory are:
TableChatAgent.pandas_eval()VectorStoreBase.compute_from_docs()
Exposure is especially relevant for teams building LLM applications where external users, retrieved content, documents, or agent instructions can influence model output. Even if your deployment is not internet-facing, internal prompt injection or hostile document content could still trigger the vulnerable behavior if those features are enabled.
Technical Notes
You can identify the installed package version with standard Python package tooling:
python -m pip show langroid
Or enumerate directly from an environment:
python - <<'PY'
import importlib.metadata
print(importlib.metadata.version("langroid"))
PY
To quickly search a codebase for high-risk configurations and affected APIs:
grep -RInE "full_eval\s*=\s*True|TableChatAgent|VectorStore" .
CVSS Score Breakdown
The CVSS v3.1 vector for this issue is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
That translates to a 10.0 Critical score. The Attack Vector (AV:N) rating means exploitation can occur over the network in realistic deployments, such as LLM-backed services exposed through web APIs or chat interfaces. Attack Complexity (AC:L) is low because the vulnerable behavior does not require bypassing complex environmental constraints once untrusted content can influence the evaluation path.
Privileges Required (PR:N) and User Interaction (UI:N) are both set to none, which reflects the advisory’s view that an attacker does not need an authenticated account or a victim clicking through a prompt. In exposed applications, malicious input can reach the model and trigger code execution without additional user steps.
The Scope (S:C) value indicates impact can cross a security boundary, which is appropriate when prompt-driven application logic reaches host execution. The impact on Confidentiality, Integrity, and Availability is rated high across the board because successful exploitation could expose secrets, alter system state, or disrupt the host or service.
For administrators, the key takeaway is that this is not a theoretical code smell being scored aggressively. The advisory includes a working exploit example, the vulnerable behavior is straightforward to understand, and the fix is available. Even without confirmed mass exploitation, the score supports immediate remediation.
Exploitation Status
A public proof of concept exists. The GitHub Security Advisory includes an exploit example showing a vulnerable TableChatAgentConfig(..., full_eval=True, ...) setup and a malicious payload using:
__import__('os').system('touch /tmp/rce_success_table')
The advisory also describes a prompt-injection route to coerce model behavior into the vulnerable tool path. That is enough to classify the issue as having a documented public PoC, not merely a speculative vulnerability write-up.
At the time of writing, in-the-wild exploitation is not confirmed in the reviewed primary sources. The CVE is not listed in CISA KEV, and the available advisory and NVD records do not state that operational exploitation has been observed. That does not reduce urgency for exposed Langroid-based services. Public exploit details lower the barrier to weaponization, especially for internet-reachable AI applications that process untrusted prompts or retrieved content.
If you do not know whether full_eval=True is used anywhere in production, the safer assumption is that exposure may exist until verified. Because the exploit path depends on application design, defenders should treat unknown usage as a configuration discovery and incident triage problem, not as proof of safety.
Technical Notes
A representative PoC payload from the advisory pattern is:
__import__('os').system('touch /tmp/rce_success_table')
From a threat-model perspective, defenders should assume variants may use other built-ins or shell constructs to:
- run reconnaissance commands such as
id,uname -a, orwhoami - fetch second-stage payloads
- access local files, API keys, or cloud metadata
- tamper with retrieved documents, vector data, or application state
How to Detect It
Detection should focus on two areas: vulnerable configuration and evidence of malicious evaluation. Start by inventorying systems with langroid <= 0.65.1, then determine whether TableChatAgent or VectorStore paths can evaluate model-generated expressions with full_eval=True. In many environments, the biggest blind spot is that the package may be present in development, notebooks, or internal AI services rather than traditional production application inventories.
Because the attack path uses Python expression evaluation, logs may not always show a neat “exploit attempt” event. You may need to correlate unusual application behavior, shell execution by the Python process, unexpected file creation, or outbound network connections from the service host shortly after untrusted prompt or document processing.
Technical Notes
Search source and config for dangerous settings:
grep -RInE "full_eval\s*=\s*True" /opt /srv /app 2>/dev/null
Look for likely exploit strings in application logs, prompt traces, or debug captures:
grep -RInE "__import__\(|os\.system\(|exec\(|eval\(|open\(" /var/log /srv/app/logs 2>/dev/null
If your EDR or SIEM captures Linux process events, a useful analytic is a Python parent process spawning a shell or command interpreter. Example Sigma-style logic concept:
title: Python Process Spawning Shell After Langroid Activity
logsource:
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '/python'
- '/python3'
selection_child:
Image|endswith:
- '/sh'
- '/bash'
- '/dash'
condition: selection_parent and selection_child
A simple Splunk-style query for suspicious command execution from Python processes:
index=edr (parent_process_name=python OR parent_process_name=python3)
(child_process_name=sh OR child_process_name=bash OR child_process_name=dash)
| stats count by host, parent_process_name, child_process_name, process_command_line, parent_process_command_line
On Linux hosts, check for the advisory’s example artifact if you suspect testing or exploitation:
find /tmp -maxdepth 1 -name 'rce_success_table' -ls
These indicators are not definitive on their own, but they provide concrete starting points for triage.
Mitigation and Patching
The primary fix is to upgrade langroid to version 0.65.2. That is the version explicitly identified as patching CVE-2026-54769. If you are running any version in the vulnerable range <= 0.65.1, upgrading should be your first action.
If you cannot patch immediately, reduce exposure by identifying and disabling any code path that sets full_eval=True, especially in TableChatAgent and VectorStore workflows. Also review where untrusted prompt content, retrieved documents, or tool-call suggestions can influence expressions evaluated by the application. Temporary mitigations are compensating controls, not substitutes for the fixed release.
Teams should also consider runtime hardening because successful exploitation leads to host-level code execution. Run the service with least privilege, isolate it in a container or constrained runtime, restrict filesystem access, block unnecessary outbound network access, and monitor for Python-driven shell execution. Those controls will not remove the vulnerability, but they can reduce blast radius if exposure exists.
Technical Notes
Upgrade with pip:
python -m pip install --upgrade "langroid==0.65.2"
If you use a requirements file, pin the fixed version explicitly:
langroid==0.65.2
Then reinstall:
python -m pip install -r requirements.txt
If immediate patching is not possible, search and disable risky configurations:
grep -RIn "full_eval=True" .
Example mitigation concept in application code: ensure full_eval is not enabled for untrusted or model-influenced expressions.
# Avoid enabling full_eval where model output or user content is involved
cfg = TableChatAgentConfig(
# full_eval=False is the safer temporary stance if functionality allows it
full_eval=False,
)
After patching, verify the installed version:
python -m pip show langroid | grep ^Version
If you operate a production AI stack, follow the patch with a short threat hunt for suspicious child processes spawned by Python, odd temp-file creation, and unexpected outbound connections from the service host.
References
Primary advisory material confirms the vulnerable version range, CVSS vector, public PoC status, and fixed release. Use the GitHub Security Advisory and the release notes as the authoritative remediation sources, with NVD as a tracking and scoring reference.
Because this CVE is not currently listed in CISA KEV, there is no KEV due date or federal remediation directive attached. Defenders should not treat that absence as a sign of low risk. For internet-exposed or prompt-injection-prone AI applications, the combination of critical severity and a public PoC is enough to justify expedited patching.
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-54769
- GitHub Security Advisory: https://github.com/langroid/langroid/security/advisories/GHSA-q9p7-wqxg-mrhc
- GitHub Advisory API record: https://api.github.com/repos/langroid/langroid/security-advisories/GHSA-q9p7-wqxg-mrhc
- Langroid release
0.65.2: https://github.com/langroid/langroid/releases/tag/0.65.2
For further information on security best practices, you may want to check our FAQ on SSO and learn about Operational Technology Network Segmentation.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.