TL;DR — 15 Second Read
- CVE-2026-5752 is a CVSS 9.3 critical sandbox escape vulnerability in Terrarium, an open-source Python sandbox developed by Cohere AI and used to run untrusted user-submitted or LLM-generated code inside a Docker container — allowing an attacker to break out of the sandbox and execute arbitrary system commands as root.
- The flaw exploits JavaScript prototype chain traversal in the Pyodide WebAssembly environment that Terrarium runs on, enabling sandboxed code to access and manipulate the host Node.js process — bypassing all intended security isolation boundaries without requiring any user interaction or special privileges.
- Beyond root code execution inside the container, successful exploitation can expose sensitive files like /etc/passwd, reach other services on the container's network, and potentially allow full container escape — giving an attacker access to the underlying host system or adjacent containers.
- The Terrarium project is no longer actively maintained by Cohere AI — meaning this critical vulnerability will never receive a patch. Any deployment of Terrarium must be immediately disabled or isolated, as no fix is forthcoming from the vendor.
A critical security vulnerability in Cohere AI's open-source Python sandbox, Terrarium, has been publicly disclosed — and the most alarming aspect is not the CVSS 9.3 severity score. It is that the project has been abandoned, the vulnerability will never be patched, and any organisation still using Terrarium to run untrusted code is permanently exposed with no vendor fix on the horizon.
CVE-2026-5752 allows an attacker to escape the Terrarium sandbox entirely and execute arbitrary system commands as the root user inside the host container — a complete bypass of the isolation guarantee that the entire tool exists to provide. For AI developers, data science teams, and cybersecurity professionals who have integrated Terrarium into any workflow that processes user-submitted or LLM-generated Python code, this is an immediate and permanent risk that requires disabling the tool rather than waiting for a patch that will never arrive.
Affected products
- Cohere AI Terrarium — all versions (no patch available, project abandoned)
- Any system using Terrarium to execute user-submitted or LLM-generated Python code
How to Fix
Step-by-step remediation
Since no patch is available or forthcoming, the only real remediation is removing Terrarium from your stack. The immediate priority is disabling user code submission to the sandbox — this cuts off the attack vector entirely regardless of whether the underlying vulnerability is addressed.
For teams that need to continue running untrusted Python code, evaluate these actively maintained alternatives:
Firecracker microVMs (AWS open-source): hardware-level virtualisation for untrusted code execution with strong isolation guarantees. Used in production by AWS Lambda and Fargate.
gVisor (Google open-source): a user-space kernel that intercepts and mediates all system calls from the sandboxed process, providing strong isolation without full virtualisation overhead.
Pyodide in a strict browser sandbox: if your use case is running Python client-side, Pyodide in a browser context has significantly stronger sandbox boundaries than the Node.js server-side deployment Terrarium uses.
For the transition period while you evaluate replacements, apply all five mitigation steps in this section. Network segmentation is the most impactful of these, because it limits what an attacker who has already gained root execution inside the container can reach: ensure the container has no access to cloud metadata endpoints (block 169.254.169.254), internal databases, or credential stores.
Audit your container orchestration security policies: remove CAP_SYS_ADMIN and all other elevated capabilities from Terrarium containers, mount the container filesystem as read-only where possible, and use seccomp profiles to restrict the system calls the container process can make.
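To turn that audit into something repeatable, here is an added example (not code from the advisory, Docker, or the Terrarium project) that checks the HostConfig section of `docker inspect` output for the settings listed above: added capabilities, dropped capabilities, read-only root filesystem, seccomp profile, no-new-privileges, and host networking. The field names are Docker's; the inspect record and the hardened configuration are constructed for illustration, and the seccomp profile path is a placeholder.

```javascript
// Added example, not from the advisory or from Terrarium: audit the HostConfig
// of a `docker inspect` record for the hardening the advisory recommends.
// Field names (Privileged, CapAdd, CapDrop, ReadonlyRootfs, SecurityOpt,
// NetworkMode) are Docker's; the sample records below are constructed.

// `docker inspect <container>` prints a JSON array with one record per container.
function hostConfigFromInspect(jsonText) {
  const records = JSON.parse(jsonText);
  if (!Array.isArray(records) || records.length === 0) throw new Error("no container record");
  return records[0].HostConfig || {};
}

// Returns a list of { check, detail } findings; an empty list means every check passed.
function auditHostConfig(hc) {
  const findings = [];
  const capAdd = hc.CapAdd || [];
  const capDrop = hc.CapDrop || [];
  const secOpt = hc.SecurityOpt || [];
  const norm = (c) => c.toUpperCase().replace(/^CAP_/, ""); // "cap_sys_admin" -> "SYS_ADMIN"

  if (hc.Privileged) {
    findings.push({ check: "privileged", detail: "container runs privileged (all capabilities and devices)" });
  }
  for (const cap of capAdd.map(norm)) {
    if (cap === "SYS_ADMIN" || cap === "ALL") {
      findings.push({ check: "cap-add", detail: `${cap} granted; remove it` });
    }
  }
  if (!capDrop.map(norm).includes("ALL")) {
    findings.push({ check: "cap-drop", detail: "not dropping ALL; start from zero capabilities" });
  }
  if (!hc.ReadonlyRootfs) {
    findings.push({ check: "read-only-rootfs", detail: "root filesystem is writable" });
  }
  const seccomp = secOpt.find((o) => o.startsWith("seccomp="));
  if (!seccomp) {
    findings.push({ check: "seccomp", detail: "no explicit profile (Docker default applies); set a restrictive one" });
  } else if (seccomp === "seccomp=unconfined") {
    findings.push({ check: "seccomp", detail: "seccomp disabled (unconfined)" });
  }
  if (!secOpt.some((o) => o.startsWith("no-new-privileges"))) {
    findings.push({ check: "no-new-privileges", detail: "setuid binaries inside the container can still raise privileges" });
  }
  if (hc.NetworkMode === "host") {
    findings.push({ check: "network", detail: "host networking: no segmentation between container and host" });
  }
  return findings;
}

// Constructed `docker inspect` output for a weak deployment.
const WEAK_INSPECT = JSON.stringify([{
  Id: "constructed-example-container",
  HostConfig: {
    Privileged: false, CapAdd: ["SYS_ADMIN"], CapDrop: null,
    ReadonlyRootfs: false, SecurityOpt: null, NetworkMode: "host",
  },
}]);

// Constructed HostConfig for a hardened deployment (profile path is a placeholder).
const HARDENED_HOST_CONFIG = {
  Privileged: false, CapAdd: null, CapDrop: ["ALL"], ReadonlyRootfs: true,
  SecurityOpt: ["no-new-privileges:true", "seccomp=/path/to/restrictive-profile.json"],
  NetworkMode: "isolated-sandbox-net",
};

console.log("weak:", auditHostConfig(hostConfigFromInspect(WEAK_INSPECT)));
console.log("hardened:", auditHostConfig(HARDENED_HOST_CONFIG));
```

Run it as `node audit.js` after pasting real `docker inspect` output in place of the constructed record. Note that blocking 169.254.169.254 is enforced by the network policy or host firewall, not by HostConfig, so it is not something this check can see; verify it separately from inside the container.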
What happened
Terrarium is a Python sandbox built by Cohere AI to run untrusted code — specifically, code submitted by users or generated by large language models — inside a containerised environment. It runs on Pyodide, a Python distribution that executes Python code through a WebAssembly runtime inside Node.js, which in theory should create multiple layers of isolation between untrusted code and the host system.
CVE-2026-5752 defeats all of those isolation layers through a JavaScript prototype chain traversal attack. In JavaScript, every object inherits from a prototype chain that ultimately reaches Object.prototype — the root of all JavaScript objects. The flaw in Terrarium's sandbox implementation is that it fails to adequately prevent sandboxed code from accessing and traversing up this prototype chain to reach parent and global object prototypes in the host environment. By manipulating these host-level objects, the attacker breaks out of Pyodide's WebAssembly sandbox boundary and gains the ability to execute code in the Node.js host process context — with root privileges.
The attack requires local access to the system — meaning the attacker must be able to submit code to the sandbox — but requires no user interaction, no authentication, and no special privileges beyond being able to reach the Terrarium endpoint. In any deployment scenario where Terrarium is used to execute user-submitted code, any user with submission access can trigger this flaw.
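To make the prototype-chain mechanism concrete from the defender's side, here is an added example (not code from the advisory or the Terrarium project) that walks an object's chain with `Object.getPrototypeOf` and contrasts an ordinary object literal, which inherits from the host's `Object.prototype`, with a null-prototype, frozen boundary object that has no chain to walk. The `makeBoundary` and `audit` helpers are hypothetical names for this illustration, not Terrarium's API.

```javascript
// Added example, not code from the advisory or from Terrarium: it shows what
// "walking up the prototype chain" means and why an object handed to sandboxed
// code should not inherit from host prototypes at all.

// Names of the prototypes between `value` and the end of its chain.
function prototypeChain(value) {
  const names = [];
  let proto = Object.getPrototypeOf(value);
  while (proto !== null) {
    const ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") ? proto.constructor : undefined;
    names.push(ctor && ctor.name ? ctor.name : "(no constructor)");
    proto = Object.getPrototypeOf(proto);
  }
  return names;
}

// True if the chain from `value` reaches Object.prototype, i.e. the value
// shares prototypes with the host runtime's own objects.
function reachesHostPrototype(value) {
  let proto = Object.getPrototypeOf(value);
  while (proto !== null) {
    if (proto === Object.prototype) return true;
    proto = Object.getPrototypeOf(proto);
  }
  return false;
}

// Hypothetical helper: build the object a host hands to sandboxed code.
// No prototype (nothing to walk), primitive values only (objects and
// functions carry their own chains), and frozen so nothing can be added
// or redefined afterwards.
function makeBoundary(allowed) {
  const boundary = Object.create(null);
  for (const [name, value] of Object.entries(allowed)) {
    if (value !== null && (typeof value === "object" || typeof value === "function")) {
      throw new TypeError(`refusing to expose '${name}': objects and functions carry a prototype chain`);
    }
    boundary[name] = value;
  }
  return Object.freeze(boundary);
}

// Report, for each candidate, what the chain looks like from the sandbox's side.
function audit(candidates) {
  return Object.fromEntries(
    Object.entries(candidates).map(([label, obj]) => [
      label,
      { chain: prototypeChain(obj), reachesHost: reachesHostPrototype(obj) },
    ])
  );
}

// Constructed candidates: a plain object literal (what a naive bridge might
// expose) versus the hardened boundary built from the same values.
const CANDIDATES = {
  naive: { version: "1.0", maxSeconds: 5 },
  hardened: makeBoundary({ version: "1.0", maxSeconds: 5 }),
};

console.log(JSON.stringify(audit(CANDIDATES), null, 2));
```

The point of the contrast is that isolation has to be a property of every object crossing the boundary, not just of the WebAssembly runtime: as soon as one ordinary host object is reachable, its chain leads to `Object.prototype` and from there to the host's globals.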
Real-World Impact
The consequences of successful exploitation cascade through multiple layers. First, the attacker gains root code execution inside the Docker container — the ability to run any command as the most privileged user in that environment. From there, they can read sensitive files including /etc/passwd and any secrets, credentials, or configuration files accessible within the container's filesystem. They can reach other services on the container's internal network — databases, API services, message queues — that assume container network access implies trust. And depending on the container's security configuration, they may be able to escape the container entirely and access the underlying host system.
For AI development teams, the threat model is particularly concerning. Terrarium was designed specifically for the use case of running LLM-generated code — exactly the scenario where untrusted, potentially malicious code is most likely to appear. A prompt injection attack that causes an LLM to generate a Terrarium exploit payload rather than legitimate code would execute entirely within the normal application flow, with no anomalous user behaviour to detect. The attack surface is the feature itself.
The data security and network security implications extend beyond the immediate container. Any secrets injected into the container environment — API keys, database credentials, cloud provider tokens — must be considered compromised on any system that ran user-submitted code through Terrarium. The container's network adjacency to other services means those services should be treated as potentially reachable by an attacker who has exploited this flaw.
Technical Details
🛡️ Prevention Tips
Never deploy a code execution sandbox in production without a clear answer to "what happens when the sandbox is bypassed?" Sandboxing provides isolation, not immunity — every sandbox has a threat model, and that threat model should include the possibility of bypass. Terrarium's threat model assumed Pyodide's WebAssembly boundary was sufficient. It wasn't.
Apply the principle of defence in depth to all LLM-integrated code execution pipelines. Even if you trust the sandbox, add network segmentation, resource limits, filesystem restrictions, and monitoring as independent containment layers. When one layer fails — and eventually one will — the others limit the blast radius.
Treat abandoned open-source dependencies in security-critical roles with the same urgency as unpatched CVEs. A library that handles untrusted code execution and has not received security updates in months is a vulnerability waiting to be discovered. Audit your AI infrastructure's dependencies regularly and flag anything that handles untrusted input and has gone stale.
Monitor container activity continuously in any deployment that executes user-submitted or LLM-generated code. Anomalous process spawning, unexpected file reads, and unusual outbound network connections are the indicators of a sandbox bypass in progress. By the time a bypass reaches root code execution, passive monitoring of application-level inputs is too late.
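The three indicators named above can be encoded as simple rules over container runtime events. The following is an added example (not from the advisory or any monitoring product) that scores a constructed event stream for a shell spawned by the sandbox's Node.js process, reads of sensitive paths such as /etc/passwd, and outbound connections to the metadata endpoint or to anything outside an egress allowlist. The event shape, the allowlisted service address and all sample events are constructed for this example.

```javascript
// Added example, not from the advisory: flag the indicators it names
// (anomalous process spawning, unexpected file reads, unusual outbound
// connections) in a stream of container runtime events. The event shape
// and every sample event are constructed, not any tool's real format.

const SANDBOX_PROCESS = "node";          // Terrarium's Pyodide host process
const SENSITIVE_PATH_PREFIXES = ["/etc/passwd", "/etc/shadow", "/run/secrets/", "/proc/"];
const METADATA_ENDPOINT = "169.254.169.254";
const EGRESS_ALLOWLIST = new Set(["10.0.5.20:5432"]);  // hypothetical: the one service the sandbox may call

// Each event is { ts, container, type: "exec" | "open" | "connect", ...fields }.
// Returns { severity, reason } for a suspicious event, or null for a benign one.
function classify(ev) {
  switch (ev.type) {
    case "exec":
      // The sandbox host process has no legitimate reason to start a shell.
      if (ev.parent === SANDBOX_PROCESS && /^(sh|bash|dash)$/.test(ev.comm)) {
        return { severity: "high", reason: `${ev.comm} spawned by ${ev.parent}` };
      }
      return null;
    case "open":
      if (SENSITIVE_PATH_PREFIXES.some((p) => ev.path.startsWith(p))) {
        return { severity: "high", reason: `read of ${ev.path}` };
      }
      return null;
    case "connect": {
      if (ev.dst === METADATA_ENDPOINT) {
        return { severity: "critical", reason: "connection to cloud metadata endpoint" };
      }
      const dst = `${ev.dst}:${ev.port}`;
      if (!EGRESS_ALLOWLIST.has(dst)) {
        return { severity: "medium", reason: `egress to non-allowlisted ${dst}` };
      }
      return null;
    }
    default:
      return null;
  }
}

// Run every event through classify() and keep the ones that produced an alert.
function detect(events) {
  const alerts = [];
  for (const ev of events) {
    const alert = classify(ev);
    if (alert) alerts.push({ ts: ev.ts, container: ev.container, ...alert });
  }
  return alerts;
}

// Constructed sample: two benign events, then the sequence the advisory describes.
const SAMPLE_EVENTS = [
  { ts: "T+00s", container: "sandbox-1", type: "open", path: "/app/submission.py" },
  { ts: "T+01s", container: "sandbox-1", type: "connect", dst: "10.0.5.20", port: 5432 },
  { ts: "T+02s", container: "sandbox-1", type: "exec", parent: "node", comm: "sh" },
  { ts: "T+02s", container: "sandbox-1", type: "open", path: "/etc/passwd" },
  { ts: "T+03s", container: "sandbox-1", type: "connect", dst: "169.254.169.254", port: 80 },
  { ts: "T+04s", container: "sandbox-1", type: "connect", dst: "203.0.113.7", port: 8443 },
];

console.log(detect(SAMPLE_EVENTS));
```

In a real deployment the events would come from a kernel-level source (an eBPF or audit-based runtime sensor), since application-level input monitoring sees nothing once execution has moved into the host process.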
FAQs
Is there a patch available for CVE-2026-5752 in Cohere AI Terrarium?
No, and there will not be one. The Terrarium project is no longer actively maintained by Cohere AI. CERT/CC has confirmed the vulnerability is unlikely to be patched. Any deployment of Terrarium must be treated as permanently vulnerable — the only remediation is disabling the tool and migrating to an actively maintained alternative.
I use Terrarium only on an internal network, not internet-facing. Am I still at risk?
Yes, significantly. The vulnerability requires local access to submit code to the sandbox — any user who can reach the Terrarium endpoint on your internal network can exploit this flaw. Internal network users, compromised accounts, or malicious LLM-generated code in an automated pipeline could all trigger the vulnerability without needing internet-facing exposure.
What does "container escape" mean in practical terms for this vulnerability?
Container escape means the attacker moves from code execution inside the Docker container to code execution on the underlying host machine or access to adjacent containers in the same Docker network. In cloud environments, this can mean access to cloud metadata APIs, instance credentials, and the broader cloud account. The severity depends on your container's network segmentation and whether the host has additional isolation measures in place.