CVE-2026-5752, rated 9.3 on the CVSS scoring system, describes a sandbox escape in Terrarium that can lead to arbitrary code execution with root privileges.
CVE-2026-5752 and the prototype-chain traversal identified by CERT/CC
According to the CERT Coordination Center (CERT/CC), the flaw stems from "a JavaScript prototype chain traversal in the Pyodide WebAssembly environment" that enables sandboxed code to execute with elevated privileges on the host Node.js process. In short, the sandbox fails to enforce the intended boundary between guest code and host objects, permitting traversal of parent or global object prototypes that should be out of reach.
The traversal technique described by CERT/CC allows code running in the Pyodide environment to reference and manipulate objects in the host environment, according to vendor and researcher statements included in the advisory.
Technical impact: root execution inside containers, network reach, and sensitive-file access
Exploitation of CVE-2026-5752 can allow an attacker to break out of the confines of the Terrarium sandbox and execute arbitrary system commands as root within the container. The advisory notes several concrete consequences that successful exploitation can produce: unauthorized access to sensitive files such as "/etc/passwd," the ability to reach other services on the container's network, and even the possibility of escaping the container and escalating privileges further.
Notably, the attack requires local access to the system but does not require any user interaction or special privileges to exploit. That combination — local access plus no need for additional privileges or social engineering — narrows the attack path but raises the stakes for hosts that run untrusted code locally.
Terrarium, Pyodide, and maintenance status
Terrarium is an open-source Python sandbox developed by Cohere AI and deployed as a Docker container to run untrusted code written by users or generated with assistance from a large language model (LLM). The project runs on Pyodide, a Python distribution for the browser and Node.js that enables support for standard Python packages inside a WebAssembly environment.
The project has attracted modest attention in open-source repositories — it has been forked 56 times and starred 312 times — but the published advisory states the project is no longer actively maintained. Security researcher Jeremy Brown is credited with discovering and reporting the flaw, and CERT/CC warns that because the project is not actively maintained the vulnerability is unlikely to be patched by its upstream authors.
CERT/CC mitigation recommendations
CERT/CC has provided a set of mitigations for users who cannot immediately remove or replace Terrarium. The guidance is operational and specific:
- Disable features that allow users to submit code to the sandbox, if possible.
- Segment the network to limit the attack surface and prevent lateral movement.
- Deploy a Web Application Firewall to detect and block suspicious traffic, including attempts to exploit the vulnerability.
- Monitor container activity for signs of suspicious behavior.
- Limit access to the container and its resources to authorized personnel only.
- Use a secure container orchestration tool to manage and secure containers.
- Ensure that dependencies are up-to-date and patched.
SentinelOne summarized the underlying weakness succinctly: "The sandbox fails to adequately prevent access to parent or global object prototypes, allowing sandboxed code to reference and manipulate objects in the host environment." Organizations running Terrarium should treat that description as a technical red flag for any environment where untrusted code is accepted.
What this means for technologists, enterprises, and open‑source maintainers
- Technologists and security teams: Immediately consider disabling user-submitted code features and hardening container boundaries. Monitor containers and network segmentation closely, and deploy WAFs to detect exploitation attempts as advised by CERT/CC.
- Enterprises and procurement leaders: Evaluate where Terrarium is in your supply chain. Because the project is reported as not actively maintained and the vulnerability may remain unpatched, organizations should limit or remove its use, require compensating controls, or select alternative solutions.
- Open-source maintainers and downstream integrators: With the upstream project unmaintained, either merge a vetted patch in your own fork or cease using the project. The credited discovery by Jeremy Brown places responsibility on downstream maintainers to decide whether to assume maintenance or to decommission affected deployments.
The vulnerability in Terrarium underscores a broader operational reality: a high-severity flaw in an unmaintained component can be as dangerous as an actively exploited zero-day if it is present in production hosts that accept untrusted code. For organizations that rely on Terrarium — particularly those that expose it to local users or integrate it into automated workflows — the immediate choices are clear and limited: apply CERT/CC's mitigations, remove or replace the component, or assume a higher risk posture until a secure alternative is in place.




