Cohere's Terrarium AI sandbox breaks out to root on the host with no vendor patch in sight (CVE-2026-5752)

CERT Coordination Center disclosed CVE-2026-5752, a CVSS 9.3 sandbox escape in Cohere's open source Terrarium, a Python sandbox that runs on Pyodide (a WebAssembly Python distribution for Node.js) and is used to execute untrusted or LLM-generated code inside a Docker container. The flaw lets code running inside the Pyodide sandbox traverse the JavaScript prototype chain to reach the host Node.js Function constructor, compile arbitrary JavaScript in the host realm, and execute it as root inside the container. From that point attackers can read /etc/passwd and environment variables, reach other services on the container network, and attempt a further container escape. Critically, CERT/CC notes it was unable to coordinate a patch with Cohere, so no fix has shipped. Terrarium has 312 GitHub stars and 56 forks - a moderate audience, but anyone running it is a poster-child target for prompt-injection attacks that instruct the LLM to emit sandbox-breaking code. The underlying prototype-chain traversal pattern is the same technique seen in January's CVE-2026-22686 against the enclave-vm sandbox.

Check
If you run Terrarium anywhere in your stack (including behind an AI product that evaluates user-supplied Python), take it offline until you can wrap it in a second isolation layer or replace it with a hardened alternative.

Affected
All currently available versions of Cohere Terrarium (github.com/cohere-ai/cohere-terrarium). The JavaScript prototype-chain traversal in Pyodide WebAssembly is exploitable by any code the sandbox accepts for execution - including code an LLM generates from a user prompt, which is the entire point of the product. CERT/CC confirmed there is no vendor patch as of the advisory.

Fix
Disable any feature that lets users (or an upstream LLM) submit arbitrary code to Terrarium. Wrap Terrarium deployments in a second isolation layer - gVisor or Firecracker microVMs for stronger kernel isolation, strict network egress policies, read-only root filesystems, and dropped Linux capabilities including CAP_SYS_ADMIN. Segment Terrarium containers so they cannot reach internal APIs, databases, or metadata services. Monitor for unexpected root-level process creation inside Terrarium containers and alert on any Node.js Function constructor invocation originating from sandbox code. For new AI-code-execution use cases, evaluate alternatives like the Deno-based approach with explicit permission flags or E2B's hardened cloud sandboxes.