Vulnerability  ·  2026-07-11

Langroid TableChatAgent/VectorStore — Sandbox Escape to Remote Code Execution via Incomplete eval() Mitigation (CVSS 10.0)

VulnerabilityHigh impactGlobalCVE-2026-54769
Langroid, a framework for building LLM-powered applications, is vulnerable to sandbox escape/RCE in TableChatAgent.pandas_eval() and VectorStore.compute_from_docs(). Both attempted to sandbox LLM-generated code execution by setting eval()'s locals to an empty dict, but did not scrub __builtins__ from globals, so Python implicitly injects all builtins — granting full access to functions like __import__('os').system(). Since these agents natively execute LLM-generated tool messages, any prompt injection reaching the agent (direct or indirect via RAG-ingested content) can achieve full RCE. Fixed in 0.65.2.
CVSS 10.0 — this is a complete sandbox-escape RCE in a widely-used LLM agent framework, exploitable purely through prompt injection with no additional authentication required. Because TableChatAgent and VectorStore are core, commonly-used Langroid capabilities, any application built on unpatched Langroid that lets an LLM's own output reach these code paths is trivially compromised by content the model reads (e.g., a poisoned document in a RAG pipeline).
Prompt injection (direct or indirect via RAG content) causes LLM to emit tool-call payloads that reach TableChatAgent.pandas_eval() or VectorStore.compute_from_docs(), where incomplete eval() sandboxing allows arbitrary Python/OS command execution
Langroid (pip package) < 0.65.2
Upgrade to Langroid ≥0.65.2
GitLab Advisory DatabaseTenable
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →