New Langroid server-takeover flaw CVE-2026-54769 (CVSS 10.0): AI-written code gives unauth RCE — update to 0.65.2
Langroid's SQLChatAgent runs AI-generated SQL unchecked (CVE-2026-25879, CVSS 9.8): prompt injection can reach DB-host RCE. Update to v0.63.0; least privilege.
Table of contents
Langroid's SQLChatAgent runs AI-generated SQL unchecked (CVE-2026-25879, CVSS 9.8): prompt injection can reach DB-host RCE. Update to v0.63.0; least privilege.
"Langroid," an application framework for letting AI operate data and tables, has a new flaw where code written by the AI runs as-is and the whole server can be hijacked (CVE-2026-54769). The CVSS severity is 10.0 out of 10 — the maximum. It can be triggered without any login, just by slipping a crafted instruction into what you ask the AI. A fixed version, 0.65.2, is already out.
The components at issue are TableChatAgent, which handles tabular data, and VectorStore, which searches documents. These ran AI-written code while "intending to sandbox it," but the sandbox had a gap, so a crafted prompt can run arbitrary commands on the server. And this is not a one-off: the same Langroid earlier had CVE-2026-25879 (severity 9.8), where AI-written SQL was abused — the same "run the AI's output as-is" design gap keeps surfacing. This article centers on the new 10.0 flaw and walks through the defenses common to both.
CVE-2026-54769 in full (top score 10.0)
First, the key facts. The defining traits: the attack entry point is "what you ask the AI (the prompt)," and if it succeeds, the impact reaches beyond data theft to arbitrary command execution on the server, with no authentication. Where the earlier SQLChatAgent flaw (CVE-2026-25879, 9.8) abused "SQL written by the AI," this one plays out on "Python code written by the AI."
| Item | Detail |
|---|---|
| CVE ID | CVE-2026-54769 |
| Affected components | TableChatAgent・ VectorStore |
| Affected versions | Before v0.65.2 |
| Flaw type | Code injection / sandbox escape (CWE-94) |
| Entry point | What you ask the AI (prompt injection) |
| Severity | CVSS 10.0 (Critical, max) |
| Login | Not needed (anyone) |
| Fixed in | v0.65.2+ |
CVSS 10.0 is the literal top severity: unauthenticated, network-reachable, low complexity, with impact spreading beyond the attacked component (scope changed). No special privileges are needed. The target is any setup using TableChatAgent or VectorStore whose input is reachable by untrusted parties.
Who targets this hole, and what happens?
What makes this dangerous is that the entry point disguises itself not as advanced hacking but as "an innocent question to the AI" or "a document fed to the AI." The likely exploiters are ransomware gangs that seize servers for a payout, and attackers who automatically scan the whole net for AI tools' admin screens. AI apps built on Langroid are often wired to internal data and the keys of external services, so once the server is seized, the damage does not end at the app itself.
The attack flow is simple. The attacker slips something that will be interpreted as code into a question about a table or into text the AI ingests, and gets the AI to run it as "processing to produce an answer." In that instant the attacker's command runs on the server, leading straight to data exfiltration, planting other programs, and lateral movement into internal systems. No authentication is needed, and no click by the user is required.
The cleanup falls on the developer or service operator that embedded the AI feature. A customer-data leak triggers duties to report to the authorities and notify individuals, plus explanations to partners, damages, and lost trust. The more you delegate to AI, the more the data and privileges the AI can touch become the blast radius of an incident. Whether you can update Langroid now and narrow the privileges given to the AI is what decides it.
Technically, why the "sandbox" did not hold
CVE-2026-54769: the gap in the "isolation" that runs AI-written code
TableChatAgent answers a question like "What were the top sales last month?" by having the AI write spreadsheet-library (pandas) Python code, running it, and returning the answer. To prevent dangerous side effects, Langroid tried to isolate this code when running it through Python's eval() by setting the list of usable variables (locals) to empty. But it forgot to remove the "built-in functions (__builtins__)" from the other list, globals — and that was fatal.
At runtime, Python implicitly supplies those built-ins. As a result, an attacker only has to get the AI to write a line like __import__('os').system(...) to slip past the isolation and run any OS command on the server. Because TableChatAgent executes the AI's output natively, merely sending a crafted prompt achieves unauthenticated RCE (remote code execution). The U.S. National Institute of Standards and Technology (NIST) classifies this as code injection (CWE-94). The same gap existed in the document-search VectorStore. It was reported by Langroid's own maintainer, and version 0.65.2 fixes it by explicitly stripping the built-ins.
Langroid keeps stumbling on "trust the output and run it"
Designs that have AI write code or commands and then run them without inspection have caused a string of incidents. We have covered Langflow's CVE-2026-7524, where an AI agent is hijacked just by opening a web page, and vLLM's CVE-2026-4944, where a malicious AI model hijacks the server. Langroid itself, ahead of this month's TableChatAgent/VectorStore flaw (CVE-2026-54769), had the SQLChatAgent flaw CVE-2026-25879 abusing AI-written SQL, plus other findings in its tabular-data handling — the same "run the AI's output as-is" design keeps becoming a hole.
The common thread is the danger of wiring AI output into an execution path on the assumption that "the AI's output is trustworthy." AI is easily swayed by the words it is given, and connecting that output directly to OS commands, a database, or file operations turns prompt injection straight into real code execution. The basics of defense: always inspect and restrict the AI's output with human-written code, and narrow the privileges given to the AI to the minimum.
✓ Confirmed facts
- ✓CVE-2026-54769 forgot to strip built-ins from
eval()in TableChatAgent/VectorStore, leading to unauthenticated RCE (GitLab Advisory, CVSS 10.0) - ✓Fixed in v0.65.2, which explicitly strips the built-ins
- ✓The same Langroid earlier had the SQLChatAgent flaw CVE-2026-25879 (9.8)
? Unconfirmed at this time
- ?Any real-world exploitation — no exploitation reports or public exploit code confirmed as of writing, and it is not on CISA's KEV catalog
- ?Adoption scale in Japan — no public data on Langroid usage was confirmed
What Langroid actually is
Langroid is an open-source framework for building AI (LLM) applications. Developed by researchers at Carnegie Mellon and elsewhere, it is used to combine multiple AI agents to automatically handle research, document processing, and database or table queries. It is distributed as a Python package, so anyone can integrate it.
This month's TableChatAgent takes a table such as a CSV or dataframe, has the AI translate a natural-language question into pandas code, runs it, and returns the answer. VectorStore is the search backbone that finds relevant passages across large document sets. Both sell the convenience that "users don't write code — the AI handles it," but behind that they run AI-written code, so mishandling the output turns them into a takeover entry point.
The earlier hole: SQLChatAgent's CVE-2026-25879 (hijack via AI-written SQL)
Ahead of this month's 10.0, Langroid also had CVE-2026-25879 (severity 9.8). The stage was SQLChatAgent, which turns a question like "top 10 sales last month?" into SQL (a database command) via the AI and runs it. Per the official advisory, SQLChatAgent executed LLM-generated SQL without sufficient restriction, so steering the AI's input via prompt injection could turn a read-only query into data tampering or dangerous commands. The classifications are SQL injection (CWE-89) and code injection (CWE-94).
Especially serious is when the database user holds strong privileges. Abusing features that let the database run external programs or files — PostgreSQL's COPY ... FROM PROGRAM, MySQL's FILE privilege, SQL Server's xp_cmdshell — enabled arbitrary code execution (RCE) on the DB server. Affected are versions before v0.63.0; the fixed v0.63.0 makes SQLChatAgent default to a "SELECT (read-only) allowlist," rejecting dangerous statements at parse time. If the previous unrestricted behavior is needed, you must explicitly set allow_dangerous_operations=True. The current latest fix, 0.65.2, closes both this 25879 and the new 54769.
Quick chart: are you affected?
The risk depends on whether you use Langroid, whether the components that have the AI write code or SQL (TableChatAgent, VectorStore, SQLChatAgent) are exposed to external input, and how you set the target's privileges. In every case, the version to move to is 0.65.2 or later, which closes both holes.
| Usage | Risk | Priority | Action now |
|---|---|---|---|
| TableChatAgent / VectorStore exposed to external input | Server takeover (unauth RCE) | Top (immediate) | Update to 0.65.2 + isolate runtime |
| SQLChatAgent exposed + strong DB privileges | DB takeover RCE risk | Top (immediate) | Update to 0.65.2 + make DB role read-only |
| Above components used internally only | Internal abuse risk | High (early) | Update to 0.65.2 + review privileges |
| Use Langroid but not those components | Little direct impact | Normal | Update to 0.65.2 on the regular cycle |
The most dangerous setup is exposing these components to general users or internet input. If that is you, treat it as top priority.
What dev and ops teams should do now
The top priority is updating Langroid to 0.65.2 or later. That closes both this month's CVE-2026-54769 and the earlier CVE-2026-25879. If you have the AI write code via TableChatAgent or VectorStore, even after updating it is safer to isolate code execution in something like a container and restrict its outbound network and file access.
Equally important is to narrow the privileges of the database or system the AI connects to. If read-only suffices, do not grant write access; strip privileges for external-program execution and file operations such as COPY ... FROM PROGRAM or xp_cmdshell. Strict least privilege is the levee that keeps damage narrow even if the AI is made to write dangerous code. Revisiting the design that wires AI output straight into execution — inserting human-written inspection in front of it — also helps.
AI-framework vulnerabilities have been coming one after another lately. If you embed OSS AI components into your operations, set up a way to track dependency updates. To follow major vulnerabilities affecting widely used products in Japan, also see our 2026 first-half roundup of major vulnerabilities.
FAQ
Q. What is CVE-2026-54769?
A. When Langroid's TableChatAgent/VectorStore run AI-written Python via eval(), they emptied the variable list (locals) to isolate it but forgot to strip the built-in functions from the other list, globals. An attacker only needs to get the AI to write a line like __import__('os').system(...) to slip past the isolation and run any command on the server without authentication. Severity is the maximum 10.0, fixed in v0.65.2.
Q. Am I always at risk if I use Langroid?
A. The direct target is a setup using the components that have the AI write code or SQL (TableChatAgent, VectorStore, SQLChatAgent) with input reachable by untrusted parties. If you do not use them, or use them only in a fully closed environment, the risk is lower. Updating to v0.65.2 is still recommended.
Q. Does it always lead to RCE?
A. The new CVE-2026-54769 runs code directly on the server after slipping past isolation, so under the right conditions it leads straight to RCE. The earlier CVE-2026-25879 leads to RCE when the database user has strong privileges for external-program execution or file operations. In both cases, narrowing the AI's privileges and isolating the runtime are the keys to limiting damage.
Q. What is prompt injection?
A. An attack that slips instructions contrary to the intended purpose into the AI's prompt to hijack its behavior. Lines like "ignore previous instructions and…" are planted in input boxes or external documents the AI ingests. In systems that run the AI's output directly, this turns straight into real harm.
Summary
Langroid's CVE-2026-54769 is a flaw where the isolation meant to "safely run" AI-written Python had a gap, letting a crafted prompt hijack the whole server. The CVSS is the maximum 10.0, fixed in v0.65.2. And it is a repeat of the same class as the earlier SQLChatAgent flaw CVE-2026-25879 (9.8), showing Langroid keeps stumbling on a "run the AI's output as-is" design.
The response is clear. Update to 0.65.2 or later, keep the components that have the AI write code or SQL away from untrusted input, narrow the privileges given to the AI, and isolate the runtime. The more you delegate to AI, the more the breadth of its privileges becomes the blast radius of an incident. Designing on the premise that "the AI's output is not trusted," inserting human inspection in front of the execution path, is the basic way to prevent this class of incident. We will report again if new signs of exploitation emerge.
References
- â–¸NVD - CVE-2026-54769 (Langroid TableChatAgent/VectorStore sandbox escape)
- â–¸GitLab Advisories - CVE-2026-54769 (Incomplete eval() Mitigation)
- â–¸GitHub - langroid/langroid security advisories
- â–¸NVD - CVE-2026-25879 (Langroid SQLChatAgent)
- â–¸GitLab Advisories - CVE-2026-25879 (Prompt to SQL Injection, Leading to RCE)
- â–¸GitHub - langroid/langroid

Makoto Horikawa
Backend Engineer / AWS / Django