Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape
A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution with root privileges. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. Terrarium is developed by Cohere AI as an open-source project and is used as a Docker-deployed container for running untrusted code written by users or generated with assistance from a large language model.
The root cause relates to a JavaScript prototype chain traversal vulnerability. According to the CERT Coordination Center, the sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal. The flaw exists in the reranking endpoint and allows an attacker to achieve arbitrary code execution by means of a specially crafted GPT-Generated Unified Format model file.
The vulnerability has been described as a case of command injection leading to the execution of arbitrary code. An attacker exploits this by creating a malicious model file with a crafted tokenizer template. The project has been forked over 5,500 times and starred 26,100 times on GitHub, indicating widespread use across the AI and machine learning community.
This vulnerability highlights a critical gap in AI sandbox security. As organisations increasingly rely on AI-generated code and automated systems to process untrusted inputs, the attack surface expands beyond traditional application vulnerabilities. The ability to escape a sandbox designed specifically for untrusted code execution demonstrates that even security-focused tools can contain fundamental flaws. The high CVSS score of 9.3 reflects the severity of unrestricted code execution, and the widespread adoption of Terrarium means the potential impact extends across thousands of deployments.
Click here for the original article.

