External risk intelligence

Langroid Sandbox Escape via Incomplete `eval()` Sanitization Allows RCE

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-54769

Langroid is a developer framework. While this vulnerability allows RCE via LLM-generated tool messages, the framework itself is a library integrated into custom applications. Whether this exposure is internet-facing depends entirely on how a developer implements the agent within their specific application, making public exposure possible but not inherent to the framework itself.

Code Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the Langroid framework, specifically within its `TableChatAgent` and `VectorStore` capabilities, that could allow for remote code execution. The issue arises from an incomplete sanitization process when evaluating LLM-generated tool messages, potentially enabling an attacker to execute arbitrary code on the host system. While the framework itself is a developer tool, its implementation in applications could expose this vulnerability.

  • Allows code execution via application inputs.
  • Relevant if using LLM agents that evaluate external messages.
  • Confirm if LLM agent evaluations are exposed externally.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a crafted message to a Langroid application that uses vulnerable `TableChatAgent` or `VectorStore` capabilities. If the application processes LLM-generated tool messages with specific evaluation settings, the attacker's input could bypass security controls within the `eval()` function, leading to arbitrary code execution on the host system.

  • Unauthenticated network access required.
  • Malicious LLM-generated tool messages trigger vulnerability.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Langroid's `TableChatAgent` and `VectorStore` capabilities could allow an attacker to execute arbitrary code on the host system. This occurs when LLM-generated tool messages are evaluated with `full_eval=True`, as the sandboxing mechanism does not adequately prevent access to built-in Python functions. This could lead to unauthenticated Remote Code Execution when supported by the advisory.

  • Host system code execution.
  • LLM tool messages bypass sandbox.
  • Unauthenticated remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical Sandbox Escape vulnerability in Langroid's `TableChatAgent` and `VectorStore` capabilities requires immediate attention from the development teams responsible for LLM-powered applications. Owners of these applications must first identify all instances of Langroid versions prior to 0.65.2, determine their exposure, and prioritize remediation based on business criticality and reachability. This often involves collaboration between application owners, platform teams, and potentially security operations for risk assessment and coordinated patching or mitigation.

  • Application developers own the issue.
  • Verify all Langroid agent deployments.
  • Plan remediation and coordinate vendor fixes.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Langroid?

Langroid is a Python-based framework designed for developers to build applications powered by large language models (LLMs). It provides abstractions for agents that can interact, process data, and execute tasks. By utilizing components like TableChatAgent and VectorStore, developers can integrate LLM capabilities into their custom software projects to handle complex data analysis or storage workflows.

What is the nature of CVE-2026-54769?

This vulnerability is classified as Improper Control of Generation of Code, or CWE-94. It occurs because the framework's attempt to restrict the execution environment using Python's eval() function is insufficient. By failing to remove access to built-in Python functions, the sandbox can be bypassed, allowing untrusted code to run on the underlying host system instead of being safely contained.

How is this sandbox escape triggered?

The issue is triggered when the application processes LLM-generated tool messages with the full_eval setting enabled. An attacker provides a crafted message that the agent executes; if full_eval is false, this specific injection path is not active. The vulnerability specifically relies on the framework's incomplete scoping of the execution environment, which permits unauthorized system-level commands to be executed.

Do I need to worry about this vulnerability?

If you use Langroid, you must assess how your application handles LLM-generated tool messages. According to Halo Surface Signal, because Langroid is a library, the risk depends on your specific implementation. If your application exposes these agent capabilities to network inputs or internet-facing prompts, the potential for unauthorized code execution is significantly higher than in a purely internal or isolated testing environment.

How do I secure my Langroid application?

The primary response is to update your project's Langroid dependency to version 0.65.2 or later, which contains the fix for the sandbox escape. As a developer, audit your codebase to locate where TableChatAgent or VectorStore components are implemented. Ensure that any version prior to the patch is replaced immediately to prevent the execution of malicious LLM-generated tool messages.

References