Cohere sandbox vulnerability

Published by The Daily Scout

What happened

- Cohere's Terrarium sandbox contains a high‑severity container escape flaw that allows root code execution.
- The bug is tracked as CVE‑2026‑5752 and abuses JavaScript prototype chain traversal in Pyodide to break isolation.
- The flaw appears alongside a new release (melody v0.7.2) and active MLE hiring, raising urgent secure‑compute questions. (thehackernews.com)

Why it matters

A sandbox is supposed to be a locked room for risky code. In Cohere’s Terrarium, researchers disclosed a flaw that can let code break out and run as root. (thehackernews.com)

Terrarium is an open-source Python sandbox from Cohere for running untrusted code inside a Docker container, including code written by users or generated by a large language model. Its GitHub page says it was built for low-latency execution and can run on Google Cloud Run. (github.com)

The bug is tracked as CVE-2026-5752 and carries a CVSS 3.1 score of 9.3, which falls in the Critical band (9.0 and above) of that scale. The National Vulnerability Database and CVE records describe it as a sandbox escape that allows arbitrary code execution with root privileges through JavaScript prototype chain traversal. (nist.gov)

Prototype chain traversal is a JavaScript escape hatch. Every JavaScript object links to a parent object, and from any object handed to guest code the guest can walk that chain upward, through `constructor` and prototype links, until it reaches objects the sandbox never meant to expose, such as the host’s `Function` constructor and, through it, the host’s globals. In this case, the issue sits in Pyodide, the Python-on-WebAssembly runtime Terrarium uses to support packages like NumPy and pandas. Pyodide runs inside a JavaScript engine and lets Python code reach JavaScript objects, which is why a JavaScript-level prototype problem can become a Python-sandbox escape. (thehackernews.com; github.com)

CERT Coordination Center said the flaw can expose files such as `/etc/passwd`, reach other services on the container’s network, and potentially help an attacker push beyond the container. The attack requires local access, but the published description says it needs no user interaction and no special privileges. For a service whose purpose is to run submitted code, “local access” amounts to the ability to submit code, which is the product’s normal input path, so the precondition is weaker than the label suggests. (thehackernews.com; app.opencve.io)

That lands at a moment when sandboxes are doing more work in artificial intelligence products. Tools that let models write and run code depend on the idea that generated code can be isolated from the host system, even when that code handles files, packages, and networked services. (github.com; cohere.com)

Cohere’s repository shows a fix was committed on April 22, 2026, with commit messages referencing CVE-2026-5752. The same page also says the repository was archived by the owner on April 22, 2026 and is now read-only, with a warning that it is “no longer maintained.” (github.com) That creates a split picture for users: there is a code change labeled as a fix, but the public repository is also marked unsupported. Anyone running Terrarium should confirm that their deployed build includes that fix commit, and should plan on receiving no further upstream security patches from an archived repository.

CERT’s mitigation advice includes disabling user code submission where possible, segmenting networks so the sandbox container cannot reach other services, monitoring container activity, and keeping dependencies updated. (github.com; thehackernews.com)

The disclosure also surfaced as Cohere’s careers page continued advertising work on “secure AI solutions” and listed offices in Toronto, New York, London, San Francisco, Montreal, Paris, and Seoul. The company’s public site says it is building enterprise AI products and managed inference infrastructure for business customers. (cohere.com; cohere.com)

For teams using code-execution features, the immediate question is simple: whether the “locked room” is still locked. CVE-2026-5752 turned that from a design assumption into an incident response check. (nist.gov; thehackernews.com)

Key numbers

  • CVE‑2026‑5752: the identifier for the Terrarium sandbox escape, which abuses JavaScript prototype chain traversal in Pyodide to break isolation.
  • 9.3: the CVSS 3.1 score the NVD and CVE records assign to the flaw. (nist.gov)
  • April 22, 2026: the date Cohere’s repository shows a fix commit referencing CVE‑2026‑5752, and the date the repository was archived and marked read-only. (github.com)
  • melody v0.7.2: the new release the flaw appeared alongside, together with active MLE hiring.

Quick answers

What happened in Cohere sandbox vulnerability?

Cohere's Terrarium, an open-source Python sandbox for running user-written or LLM-generated code inside a Docker container, contains a sandbox escape flaw, tracked as CVE‑2026‑5752 with a CVSS 3.1 score of 9.3, that allows arbitrary code execution as root. It works through JavaScript prototype chain traversal in Pyodide, the Python-on-WebAssembly runtime Terrarium uses. A fix was committed on April 22, 2026, the same day the repository was archived and marked read-only. The flaw appears alongside a new release (melody v0.7.2) and active MLE hiring. (thehackernews.com; nist.gov; github.com)

Why does Cohere sandbox vulnerability matter?

Sandboxes are the isolation layer that AI code-execution features rely on: generated or user-submitted code is assumed to be unable to reach the host, its files, or neighboring services. CERT Coordination Center said this flaw can expose files such as /etc/passwd, reach other services on the container’s network, and potentially help an attacker push beyond the container, with no user interaction or special privileges needed. Because the repository is now archived and marked “no longer maintained,” users must verify that their deployment includes the April 22, 2026 fix and should follow CERT’s advice: disable user code submission where possible, segment networks, monitor container activity, and keep dependencies updated. (thehackernews.com; app.opencve.io; github.com)
