Advisory

Critical Unpatched Sandbox Escape in Cohere AI Terrarium Allows Root Code Execution

Take action: Stop using Cohere Terrarium immediately because it is unmaintained and the root-level escape vulnerability will not be patched. If you can't migrate, isolate the service in a dedicated virtual machine and block all outbound network access from the container.


Learn More

Cohere AI's open-source Python sandbox, Terrarium, is reported to contain a critical security flaw that allows attackers to break out of its isolated environment and run commands with root privileges on the host system.

The vulnerability, tracked as CVE-2026-5752 (CVSS score 9.3), is a sandbox escape in Terrarium that allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal. The flaw occurs because the mock document object in the Pyodide WebAssembly environment inherits from the standard Object.prototype, letting attackers reach the Function constructor. By gaining access to globalThis, an attacker can use Node.js internals like require() to run system-level commands.
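
The inheritance problem described above can be checked for mechanically before an object is exposed to sandboxed code. The following JavaScript is an added example, not code from Terrarium or from the advisory; findFunctionPaths, auditAll and the three sample objects are hypothetical and constructed for illustration. It lists every property path from a host object to the Function constructor without invoking anything, and shows that a null-prototype object is clean only while it carries no methods.

```javascript
'use strict';
// Added example (not Terrarium code): audit an object before handing it to
// sandboxed code. All names and sample objects here are hypothetical.

// Breadth-first search over own data properties and the prototype chain.
// Returns every property path from `root` that ends at the Function constructor.
function findFunctionPaths(root, maxDepth = 4) {
  const hits = [];
  const seen = new Set();
  const queue = [{ value: root, path: 'obj', depth: 0 }];
  while (queue.length > 0) {
    const { value, path, depth } = queue.shift();
    if (value === Function) { hits.push(path); continue; }
    const isRef = value !== null &&
      (typeof value === 'object' || typeof value === 'function');
    if (!isRef || depth >= maxDepth || seen.has(value)) continue;
    seen.add(value);
    for (const key of Reflect.ownKeys(value)) {
      const desc = Object.getOwnPropertyDescriptor(value, key);
      // Data properties only: the audit never invokes getters or methods.
      if (desc && 'value' in desc) {
        queue.push({ value: desc.value, path: `${path}.${String(key)}`, depth: depth + 1 });
      }
    }
    queue.push({ value: Object.getPrototypeOf(value), path: `${path}.__proto__`, depth: depth + 1 });
  }
  return hits;
}

// Constructed sample mocks.
const literalMock = { title: 'constructed' };   // inherits Object.prototype
const nullProtoData = Object.assign(Object.create(null), { title: 'constructed' });
const nullProtoWithMethod = Object.assign(Object.create(null), {
  createElement: () => null,                    // functions carry their own chain
});

function auditAll() {
  return {
    literalMock: findFunctionPaths(literalMock),
    nullProtoData: findFunctionPaths(nullProtoData),
    nullProtoWithMethod: findFunctionPaths(nullProtoWithMethod),
  };
}

console.log(auditAll());
```

An empty result only covers data properties within the searched depth, so it complements the outer isolation layer rather than replacing it.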

Because the project is no longer maintained, no official patch is expected, leaving current deployments at high risk.

This vulnerability affects all versions of Cohere AI Terrarium. The software uses Pyodide to run Python code in Docker-deployed containers, often to process code generated by large language models. Since the project is archived and no longer actively maintained by Cohere AI, users must assume all current installations are permanently vulnerable. The attack requires local access to the system but does not require any user interaction or special privileges to execute.

Organizations should immediately stop using Terrarium or disable features that allow users to submit code for execution. If the tool must remain in use, administrators should run it within a secondary isolation layer like a dedicated virtual machine and implement strict network segmentation. 

Monitoring for unusual root-level process activity and using a Web Application Firewall to block suspicious traffic can help detect exploitation attempts.
