A severe security vulnerability has surfaced in Terrarium, a Python-based sandbox environment developed by Cohere AI, exposing systems to arbitrary code execution attacks with elevated privileges. The flaw, identified as CVE-2026-5752 and assigned a critical CVSS score of 9.3, represents a significant threat to deployments relying on the sandbox for code isolation.
The vulnerability enables attackers to escape the sandbox container through JavaScript prototype chain traversal techniques, granting them root-level access to the underlying host process. This means an attacker could execute malicious code with the highest system privileges, potentially compromising entire infrastructure that depends on Terrarium for secure code execution.
Sandbox environments are typically deployed to isolate untrusted or user-generated code, preventing it from accessing sensitive system resources. The discovery of this container escape vulnerability undermines the fundamental security purpose of such isolation mechanisms. Organizations using Terrarium for executing potentially dangerous code face immediate risk exposure.
The prototype chain traversal vector used in this attack exploits JavaScript's object inheritance model, allowing attackers to manipulate the fundamental properties and methods available within the sandboxed environment. This technique has been weaponized in previous sandbox escapes but represents a novel threat vector within Terrarium's specific implementation.
Security researchers and Cohere AI have not yet released detailed exploit code or proof-of-concept demonstrations, though the high CVSS rating indicates the vulnerability requires minimal complexity to exploit and could be triggered by unauthenticated attackers. Organizations currently running affected versions of Terrarium should prioritize security updates and consider implementing additional defensive measures.
The disclosure highlights ongoing challenges in sandbox architecture design, where achieving both functionality and robust isolation remains a persistent engineering problem. Users should monitor official channels for patched versions and security advisories from Cohere AI.