
Terrarium sandbox escape RCE (CVE-2026-5752)

Vulnerability
Happening score: 21
1 unique source, 1 article

Summary


A critical Terrarium sandbox-escape flaw, CVE-2026-5752, can let an attacker with local access execute code as root and break out of the container. The weakness is tied to JavaScript prototype chain traversal in the Pyodide WebAssembly environment and can expose sensitive files such as /etc/passwd. The issue carries a CVSS score of 9.3 and requires only local access; because CERT/CC reports that the project is no longer actively maintained, a patch is unlikely.

Related Happenings

ChromaDB Python API exposure mitigation (CVE-2026-45829)

Advisory/Mitigation
First: 20.05.2026 01:25 Last: 20.05.2026 01:25 Sources 1

About this happening: **HiddenLayer** urged **ChromaDB** users to harden exposed deployments because **CVE-2026-45829** can still enable code execution on the **Python FastAPI** server. Until patch sta...

Terrarium CVE-2026-5752 mitigation guidance

Advisory/Mitigation
First: 22.04.2026 10:16 Last: 22.04.2026 10:16 Sources 1

How related: CERT/CC is advising users of affected Terrarium deployments to apply mitigation steps for this flaw.

About this happening: **CERT/CC** issued mitigation guidance for **Terrarium** deployments exposed to **CVE-2026-5752**, a **sandbox-escape** flaw that can lead to **root code execution**. The advice i...

Timeline

  1. 22.04.2026 10:16 · 2 articles

    Terrarium sandbox escape CVE-2026-5752 disclosed

    Initial Disclosure

    Cohere AI’s Terrarium Python sandbox was disclosed as vulnerable to CVE-2026-5752, a critical flaw rated CVSS 9.3 that can let an attacker with local access achieve arbitrary code execution and root privileges through JavaScript prototype chain traversal in the Pyodide WebAssembly environment. Successful exploitation can break out of the sandbox, reach sensitive files such as /etc/passwd, and potentially escape the container or move laterally within the container network. CERT/CC notes that no user interaction or special privileges are required beyond local access, and that the project is no longer actively maintained, so a patch is unlikely. The suggested mitigations are to disable user-submitted code, segment the network, deploy a Web Application Firewall, monitor container activity, limit access, use secure container orchestration, and keep dependencies patched.

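    As an added example (not code from CERT/CC, Cohere, or the Terrarium project), the following detection pass covers the "monitor container activity" mitigation above. It runs over constructed container-runtime events and flags the indicators the advisory describes: a sandbox process reading /etc/passwd, anything running as uid 0 inside the sandbox, an unexpected execve, and outbound connections from a sandbox that should have none. The container name, the one-JSON-object-per-line event schema, the field names, and the allowed interpreter paths are assumptions; the sample events are constructed, not captured logs.

```python
"""Flag sandbox-escape indicators in container runtime events (added example)."""
import json

# Assumptions, not facts from the advisory: the sandbox runs in a container with
# this name, as an unprivileged user, with no outbound network, and the only
# binary expected to execve inside it is the Node.js runtime hosting Pyodide.
SANDBOX_CONTAINER = "terrarium-sandbox"
ALLOWED_EXEC = {"/usr/bin/node", "/usr/local/bin/node"}
SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow"}

# Constructed sample events (hypothetical sensor output, one JSON object per line).
SAMPLE_EVENTS = """\
{"ts":"2026-04-22T10:20:01Z","container":"terrarium-sandbox","uid":1000,"comm":"node","syscall":"openat","path":"/tmp/user_code.py"}
{"ts":"2026-04-22T10:20:02Z","container":"terrarium-sandbox","uid":1000,"comm":"node","syscall":"openat","path":"/etc/passwd"}
{"ts":"2026-04-22T10:20:03Z","container":"terrarium-sandbox","uid":0,"comm":"sh","syscall":"execve","path":"/bin/sh"}
{"ts":"2026-04-22T10:20:04Z","container":"web-frontend","uid":0,"comm":"nginx","syscall":"openat","path":"/etc/passwd"}
{"ts":"2026-04-22T10:20:05Z","container":"terrarium-sandbox","uid":1000,"comm":"node","syscall":"connect","dest":"10.0.3.7:5432"}
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line must not take the detector down


def classify(event):
    """Return the rule names an event triggers; events from other containers are ignored."""
    if event.get("container") != SANDBOX_CONTAINER:
        return []
    hits = []
    # The sandbox should never run anything as root; uid 0 is itself the signal.
    if event.get("uid") == 0:
        hits.append("root_process_in_sandbox")
    # Reading the host-visible account database from user code is the advisory's example impact.
    if event.get("syscall") == "openat" and event.get("path") in SENSITIVE_PATHS:
        hits.append("sensitive_file_read")
    # Only the expected runtime binary should ever be exec'd inside the sandbox.
    if event.get("syscall") == "execve" and event.get("path") not in ALLOWED_EXEC:
        hits.append("unexpected_exec")
    # A segmented sandbox has no legitimate outbound connections (lateral movement indicator).
    if event.get("syscall") == "connect":
        hits.append("sandbox_egress")
    return hits


def detect(text):
    """Run every event through classify() and return a flat list of alerts."""
    alerts = []
    for ev in parse_events(text):
        for rule in classify(ev):
            alerts.append({
                "rule": rule,
                "ts": ev.get("ts"),
                "comm": ev.get("comm"),
                "detail": ev.get("path") or ev.get("dest"),
            })
    return alerts


def summarize(alerts):
    """Count alerts per rule so a noisy rule is visible at a glance."""
    counts = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(summarize(found))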