Vulnerabilities | Apr 22, 2026

Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape

Cohere AI's Terrarium sandbox vulnerable to root code execution via prototype chain traversal (CVE-2026-5752).

Summary

A critical vulnerability (CVE-2026-5752, CVSS 9.3) in Cohere AI's open-source Terrarium Python sandbox allows arbitrary code execution with root privileges through JavaScript prototype chain traversal in the Pyodide WebAssembly environment. The flaw enables attackers with local access to escape the sandbox, execute system commands as root, access sensitive files, and potentially escape the container entirely. Since the project is no longer actively maintained, patching is unlikely; CERT/CC recommends disabling user code submission, network segmentation, and enhanced monitoring.

Full text

Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape Ravie LakshmananApr 22, 2026Vulnerability / Container Security A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. "Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal," according to a description of the flaw in CVE.org. Developed by Cohere AI as an open-source project, Terrarium is a Python sandbox that's used as a Docker-deployed container for running untrusted code written by users or generated with assistance from a large language model (LLM). Notably, Terrarium runs on Pyodide, a Python distribution for the browser and Node.js, enabling it to support standard Python packages. The project has been forked 56 times and starred 312 times. According to the CERT Coordination Center (CERT/CC), the root cause relates to a JavaScript prototype chain traversal in the Pyodide WebAssembly environment that enables code execution with elevated privileges on the host Node.js process. Successful exploitation of the vulnerability can allow an attacker to break out of the confines of the sandbox and execute arbitrary system commands as root within the container. In addition, it can permit unauthorized access to sensitive files, such as "/etc/passwd," reach other services on the container's network, and even possibly escape the container and escalate privileges further. It bears noting that the attack requires local access to the system but does not require any user interaction or special privileges to exploit. Security researcher Jeremy Brown has been credited with discovering and reporting the flaw. Given that the project is no longer actively maintained, the vulnerability is unlikely to be patched. 
As mitigations, CERT/CC is advising users to take the following steps:

  • Disable features that allow users to submit code to the sandbox, if possible.
  • Segment the network to limit the attack surface and prevent lateral movement.
  • Deploy a Web Application Firewall to detect and block suspicious traffic, including attempts to exploit the vulnerability.
  • Monitor container activity for signs of suspicious behavior.
  • Limit access to the container and its resources to authorized personnel only.
  • Use a secure container orchestration tool to manage and secure containers.
  • Ensure that dependencies are up-to-date and patched.

"The sandbox fails to adequately prevent access to parent or global object prototypes, allowing sandboxed code to reference and manipulate objects in the host environment," SentinelOne said. "This prototype pollution or traversal technique bypasses the intended security boundaries of the sandbox."
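A defensive check that follows from the impact and mitigations described above, added here as an example (not code from the article, CERT/CC or the Terrarium project): it reads `docker inspect` JSON and lists the settings that decide how far root code execution inside the container can reach. The container name and sample JSON are constructed, and the checks are common Docker hardening points chosen for this example, not CERT/CC's list.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a hypothetical
# sandbox container named "terrarium-sandbox" (not taken from the article).
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/terrarium-sandbox",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": false, "NetworkMode": "bridge", "ReadonlyRootfs": false,
    "CapDrop": null, "SecurityOpt": null
  },
  "Mounts": [{"Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]
}]
""")

NNP_ON = {"no-new-privileges", "no-new-privileges:true", "no-new-privileges=true"}

def audit_container(c):
    """Return findings that widen the blast radius of a sandbox escape."""
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    findings = []
    # An empty User means the image default, which is root unless the image sets USER.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("process runs as root inside the container")
    if host.get("Privileged"):
        findings.append("privileged mode: host devices and kernel interfaces exposed")
    if "ALL" not in [cap.upper() for cap in (host.get("CapDrop") or [])]:
        findings.append("default capabilities kept (no cap-drop ALL)")
    if not NNP_ON.intersection(host.get("SecurityOpt") or []):
        findings.append("no-new-privileges is not set")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if host.get("NetworkMode") != "none":
        findings.append("network attached (%s): confirm segmentation from other services"
                        % host.get("NetworkMode"))
    for mount in c.get("Mounts") or []:
        if mount.get("Source", "").endswith("docker.sock"):
            findings.append("Docker socket mounted: direct path to the host daemon")
    return findings

if __name__ == "__main__":
    for container in SAMPLE_INSPECT:
        print(container["Name"])
        for finding in audit_container(container):
            print("  -", finding)
```

To check a real deployment, feed the function the parsed output of `docker inspect <container>` instead of the constructed sample.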

Indicators of Compromise

  • cve — CVE-2026-5752

Entities

  • Cohere AI (vendor)
  • Terrarium (product)
  • Pyodide (technology)
  • WebAssembly (technology)
  • Docker (technology)