Cohere Terrarium Sandbox Escape (CVE-2026-5752, CVSS 9.3) Enables Root Code Execution in Agent Runtimes

A critical sandbox escape vulnerability in Cohere AI’s open-source Terrarium Python sandbox allows attackers to execute arbitrary commands as root inside the container and potentially escape to the host. CVE-2026-5752, rated CVSS 9.3, was publicly disclosed on April 21, 2026. The project is no longer actively maintained, and CERT/CC confirmed it was unable to coordinate a patch with the vendor.

The Vulnerability

Terrarium is a Docker-deployed Python sandbox used for running untrusted code generated by users or LLMs. It runs on Pyodide, a Python distribution compiled to WebAssembly for browser and Node.js environments. The project has 312 GitHub stars and 56 forks.

The root cause is a JavaScript prototype chain traversal in the Pyodide WebAssembly environment. According to CERT/CC, the mock document object in Terrarium’s service.ts is created using a standard JavaScript object literal, which inherits properties from Object.prototype. Sandboxed code can traverse up the prototype chain to the function constructor, create a function returning globalThis, and from there access Node.js internals including require().

The result: an attacker breaks out of the sandbox and runs arbitrary system commands as root.

Impact Scope

Successful exploitation enables access to sensitive files (including /etc/passwd and environment variables), lateral movement to other services on the container’s network (databases, internal APIs), and potential container escape with further privilege escalation, per CERT/CC.

SentinelOne noted that “the sandbox fails to adequately prevent access to parent or global object prototypes, allowing sandboxed code to reference and manipulate objects in the host environment.”

The attack requires local access but no user interaction or special privileges. Security researcher Jeremy Brown discovered and reported the flaw using AI-assisted vulnerability research, according to The Hacker News.

No Patch Available

Because Terrarium is no longer actively maintained, CERT/CC recommends mitigations rather than a fix: disable user code submission features, segment networks to prevent lateral movement, deploy WAF rules, monitor container activity, and restrict access to authorized personnel. Applications still running Terrarium for agent code execution should treat this as an active, unpatched risk.

The Pattern for Agent Builders

This is the third agent runtime security vulnerability disclosed in April 2026, following the Paperclip CVSS 9.8 RCE and the FastGPT NoSQL injection chain. The common thread across all three: agent platforms that execute untrusted code rely on sandbox isolation as their primary security boundary, and that boundary keeps failing.

The specific technique here, prototype chain traversal via Pyodide’s WebAssembly environment, applies to any sandbox using Pyodide or similar JavaScript-to-Python bridges. Teams running sandboxed agent code execution should audit whether their isolation model prevents prototype chain access to host-level objects, regardless of which sandbox framework they use.
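
One way to run the audit described above, as an added example (not Terrarium's code and not a CERT/CC-supplied check). The helper name findPrototypeLeaks and the three sample mocks are hypothetical and constructed here. It contrasts an object-literal mock, as the advisory describes, with null-prototype variants:

```javascript
// Added example: audit helper for objects handed to sandboxed code.
// findPrototypeLeaks and the sample mocks below are hypothetical names.

const HOST_PROTOS = [Object.prototype, Function.prototype];

// Returns the property paths under `exposed` whose prototype chain reaches
// the host realm's Object.prototype or Function.prototype. Only data
// properties are followed; accessors are not invoked.
function findPrototypeLeaks(exposed, path = 'root', seen = new Set(), leaks = []) {
  const t = typeof exposed;
  if (exposed === null || (t !== 'object' && t !== 'function')) return leaks;
  if (seen.has(exposed)) return leaks; // cycle guard
  seen.add(exposed);

  // Walk the prototype chain of this object.
  for (let p = Object.getPrototypeOf(exposed); p !== null; p = Object.getPrototypeOf(p)) {
    if (HOST_PROTOS.includes(p)) { leaks.push(path); break; }
  }
  // Recurse into own data properties (string and symbol keys).
  for (const key of Reflect.ownKeys(exposed)) {
    const desc = Object.getOwnPropertyDescriptor(exposed, key);
    if (desc && 'value' in desc) {
      findPrototypeLeaks(desc.value, `${path}.${String(key)}`, seen, leaks);
    }
  }
  return leaks;
}

// Constructed sample 1: object literal, inherits from Object.prototype.
const literalMock = { body: {}, title: '' };

// Constructed sample 2: null-prototype object holding only null-prototype data.
const nullProtoMock = Object.assign(Object.create(null), {
  title: '',
  body: Object.create(null),
});

// Constructed sample 3: null-prototype object that still carries a host
// function, which itself inherits from Function.prototype.
const methodMock = Object.assign(Object.create(null), {
  createElement() { return null; },
});

console.log(findPrototypeLeaks(literalMock, 'document'));   // literal mock and its child
console.log(findPrototypeLeaks(nullProtoMock, 'document')); // no paths reported
console.log(findPrototypeLeaks(methodMock, 'document'));    // the method is reported
```

An empty result covers only the data properties of the objects passed in; accessor properties and objects returned by calls into the host are not inspected.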