Langroid scores a perfect 10 RCE, plus two Juniper DoS bugs that crash your firewall
Langroid's broken eval() sandbox gives attackers full code execution (CVE-2026-54769, CVSS 10.0). A guardrails-detectors SSRF can steal cloud credentials (CVSS 9.3). Two Juniper SRX/MX flaws let a single packet crash flowd if SIP ALG or TCP proxy is active.
Five today, two of them ugly. Langroid's TableChatAgent has a CVSS 10.0 sandbox escape that gives an attacker full remote code execution on the host, no auth needed. Right behind it, a CVSS 9.3 blind SSRF in guardrails-detectors can leak cloud credentials from metadata endpoints. The remaining three are Juniper denial-of-service bugs that can take your SRX or MX offline with a single packet.
Today's CVEs
Sorted by urgencyCVE-2026-57026
NVDAn unauthenticated attacker can crash the flow processing daemon (flowd) on Juniper MX Series (with SPC3) and SRX Series firewalls by sending a single malformed SIP invite packet. The device goes down completely until it auto-recovers. This only applies if you have the SIP ALG enabled, which is on by default in many deployments.
- Affected estate
- Anyone running Juniper SRX firewalls or MX routers with SPC3 line cards that have SIP ALG enabled
- How to check
- Run 'show version' to confirm the Junos release, then 'show security alg status' to check if SIP ALG is enabled.
- Included because
- unauthenticated; network-based; common perimeter device; DoS with full service outage
- Action
- Upgrade Junos OS to the fixed release for your train, or disable SIP ALG if patching must wait.
- Why it matters
- A single crafted packet from the network can take down your firewall or router with no authentication required.
- Source
- Juniper Networks advisory
Evidence trail
- NVD: View source
CVE-2026-57023
NVDAn unauthenticated attacker can crash the flow processing daemon on Juniper MX (with SPC3) and SRX devices by sending a TCP packet with a malformed header through any session where TCP proxy is active. TCP proxy kicks in for ALGs, Advanced Anti-Malware, ICAP, and UTM, so if you use any of those features, you're exposed. The box goes fully offline until it recovers on its own.
- Affected estate
- Anyone running Juniper SRX or MX with SPC3 on Junos OS 23.4R1 or later who uses TCP proxy features (ALGs, anti-malware, ICAP, or UTM)
- How to check
- Run 'show version' and confirm your release is 23.4R1 or later. Check if TCP proxy is engaged by reviewing your security policy for ALG, UTM, ICAP, or anti-malware configurations.
- Included because
- unauthenticated; network-based; common perimeter device; DoS with full service outage
- Action
- Upgrade to the fixed Junos OS release for your train.
- Why it matters
- A single malformed TCP packet can cause a full outage on your perimeter firewall or router.
- Source
- Juniper Networks advisory
Evidence trail
- NVD: View source
CVE-2026-57028
NVDA process on Junos OS Evolved that should only be reachable internally is accidentally exposed on a network-facing port due to a bad initialization. An unauthenticated attacker can reach it over the network and mess with your device's license management, potentially exhausting licenses and degrading functionality.
- Affected estate
- Anyone running Juniper Junos OS Evolved before 23.2R2-EVO
- How to check
- Run 'show version' and confirm the Junos OS Evolved release is below 23.2R2-EVO.
- Included because
- unauthenticated; network-accessible; incorrect network exposure of internal service
- Action
- Upgrade to Junos OS Evolved 23.2R2-EVO or later.
- Why it matters
- An exposed internal service lets unauthenticated attackers tamper with licensing, which can silently degrade device capabilities.
- Source
- Juniper Networks advisory
Evidence trail
- NVD: View source
CVE-2026-15378
NVDA blind SSRF bug in the guardrails-detectors component lets a remote attacker submit a crafted XSD string and use the server as a proxy to reach internal services. That means they can pull credentials from cloud metadata endpoints (like the AWS IMDSv1 169.254.169.254 path), hit the Kubernetes API, read MinIO secrets, or grab service account tokens off the local filesystem. CVSS 9.3, and no authentication is required.
- Affected estate
- Teams running guardrails-detectors in any environment, especially Kubernetes or cloud deployments with accessible metadata services
- How to check
- Check the installed version of the guardrails-detectors package or container image. Verify whether the XSD parsing endpoint is reachable from untrusted networks.
- Included because
- unauthenticated; network-based; CVSS 9.3; credential theft via SSRF; cloud and Kubernetes exposure
- Action
- Update guardrails-detectors to the latest patched release and enforce network policies to block outbound SSRF targets.
- Why it matters
- An attacker can steal cloud credentials, Kubernetes tokens, and internal secrets without authenticating.
- Source
- Red Hat / NVD advisory
Evidence trail
- NVD: View source
CVE-2026-54769
NVDLangroid's TableChatAgent and VectorStore features try to sandbox LLM-generated code by passing empty locals to Python's eval(), but they never scrub __builtins__. That means an attacker who can influence the LLM prompt can escape the sandbox and run arbitrary commands on the host. This is full unauthenticated remote code execution, CVSS 10.0. If your Langroid app processes any external input, you're exposed.
- Affected estate
- Anyone running Langroid applications before version 0.65.2 that use TableChatAgent or VectorStore with full_eval enabled
- How to check
- Run 'pip show langroid' and check the version. Search your codebase for 'full_eval=True', 'TableChatAgent', or 'VectorStore' usage.
- Included because
- unauthenticated; remote code execution; CVSS 10.0; sandbox escape; LLM-powered apps process external input
- Action
- Upgrade Langroid to 0.65.2 or later via pip.
- Why it matters
- Anyone who can feed input to your LLM agent can run arbitrary system commands on the host with no authentication.
- Source
- GitHub advisory / NVD
Evidence trail
- NVD: View source
One email, every Wednesday morning.
SubscribeFrom the field notes
From this beat
Read the rest of the field notes โ