External risk intelligence

Agno Arbitrary Code Execution via Field Type Manipulation

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-35002

Agno is a framework used to build AI agents and applications that are commonly deployed as web services or API endpoints. Since the vulnerability exists in the model execution component reachable via external function calls, these applications are frequently exposed to the internet as part of their standard operation as public-facing or application-integrated services.

Remote Code Execution

Agno

before 2.3.24

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Agno software allows for arbitrary code execution by manipulating a specific parameter during model execution. The issue arises from the improper handling of the `field_type` parameter, which, when exploited, can lead to remote code execution. The main concern is confirming the relevance and exposure of Agno products within our environment.

  • Code execution flaw in Agno software.
  • Exploitable remotely via manipulated function calls.
  • Confirm Agno relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable Agno application. By manipulating the `field_type` parameter within a FunctionCall, they could trick the model execution component into running arbitrary Python code. This could allow them to take control of the affected system.

  • No authentication required.
  • Manipulate `field_type` parameter in `FunctionCall`.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow attackers to execute arbitrary Python code within the Agno system. This can occur when an attacker manipulates the `field_type` parameter in a `FunctionCall`, potentially leading to unauthorized code execution on the server.

  • System-level code execution.
  • Remote code injection via manipulated input.
  • Compromise of service integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects the Agno product, likely managed by application owners and potentially the platform or infrastructure teams responsible for its deployment. The first critical step is to inventory all instances of Agno, verify their exposure and business criticality, and identify the accountable owner. Remediation planning should then prioritize based on these findings, considering vendor coordination and maintenance windows for applying the fix.

  • Identify Agno instances and owners.
  • Verify exposure and business criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Agno and what is it used for?

Agno is an open-source framework designed for building and deploying AI agents and applications. Developers use it to orchestrate model execution, manage data flow between different tools, and create interactive AI services. Because it supports complex function calls and dynamic data handling, it is often embedded into web services or API backends to power intelligent features.

What does CVE-2026-35002 mean for system security?

This vulnerability is classified as Improper Neutralization of Directives in Dynamically Evaluated Code (CWE-95). In plain English, the system uses a dangerous function—eval()—to process user-supplied input. Because the software fails to sanitize the 'field_type' parameter, an attacker can supply their own Python commands, which the server will execute with the same privileges as the application itself.

How can an attacker trigger this vulnerability?

An attacker triggers the bug by sending a crafted request that influences the 'field_type' parameter within a FunctionCall. It is important to note that sending standard, legitimate requests that do not attempt to inject Python syntax into this parameter will not trigger the flaw. The risk specifically arises from inputs designed to break out of the expected data structure to force the execution of arbitrary code.

Is my instance of Agno at risk?

According to Halo Surface Signal, this vulnerability is particularly relevant if your Agno deployment is internet-facing. Because Agno is commonly used to build web services and public-facing APIs, the model execution component is often reachable by unauthorized external users. If your specific application accepts function call inputs from the network, it should be considered highly accessible to this threat.

What should I do first to address CVE-2026-35002?

Your first step is to perform an inventory of all Agno instances within your environment to identify which versions are running. Once you have a list of deployments, confirm their connectivity and prioritize those that are exposed to external traffic. Reach out to the application owners to schedule an update to version 2.3.24 or higher, as this release contains the necessary code changes to properly handle the field_type parameter.

References