Terrarium Sandbox Escape CVE-2026-5752: News Update on Cohere AI Vulnerability and 72-Hour Response Plan

7 min read · Published: April 23, 2026

On April 14, 2026, CVE-2026-5752 was disclosed, a sandbox escape in the open-source project Terrarium. CERT/CC analyzed the vulnerability on April 22 with a detailed analysis, CVSS 9.3, root code execution in the sandbox container. The provider behind Terrarium is Cohere AI, not Cloudflare. Those who confused the manufacturer in the last few days should correct their own mitigation notes. Edge-Workers teams, MSPs with code execution paths in LLM applications, and all operators using Terrarium for container-based sandbox logic need an immediate response within 72 hours now.

Key Takeaways

CVE-2026-5752 affects the open-source project Terrarium by Cohere AI, not Cloudflare.
CVSS 9.3, root code execution in the sandbox container, potential container escape, CERT/CC Advisory VU#414811.
The bug arises from a weakness in the JavaScript prototype chain isolation of the sandbox layer.
CERT/CC was unable to coordinate patch deployment with the vendor for publication; mitigation currently lies with operators.
Edge Workers teams, MSPs, and LLM platforms with code execution paths need a 72-hour inventory sweep with IMDS lockdown and egress hardening.

Correction and Actual Incident

What is Terrarium? Terrarium is an open-source sandbox from Cohere AI, delivered as a Docker container. It executes untrusted code, often Python or JavaScript snippets from users or from Large Language Models. Cohere AI is the provider, not Cloudflare. The confusion appears in some secondary reports because the Cloudflare Workers stack has its own sandbox architecture. Those who operate both stacks in parallel should keep the terms clear.

The bug itself was made public on April 14, 2026, with further detailed analysis by CERT/CC under entry VU#414811 on April 22. The vulnerability lies in the JavaScript prototype chain. Code loaded into the sandbox can access the global object through the prototype property of the Function constructor. The mock Document object in Terrarium is created as a standard JavaScript object literal and thus inherits properties from Object.prototype. This inheritance mechanism allows sandbox code to climb up to globalThis and achieve root in the container.

The practical consequences are serious. A successful exploit provides root in the container, reads or writes to /etc/passwd and SSH keys, reads environment variables with short-lived API keys, and reaches neighboring services in the container network. Depending on the configuration, container escape paths to the host are likely. Particularly tricky is the combination with short-lived credentials in environment variables, which an attacker can extract in seconds before detection pipelines react.

CVSS 9.3

Sandbox escape with root code execution in container

April 14

CVE-2026-5752 public, CERT/CC details on April 22

VU#414811

CERT/CC advisory with technical analysis

Who is affected in-house and what immediate action means

Three classes of applications deserve the fastest response. The first are LLM applications with built-in code interpreters. Anyone operating a chat application with Python execution almost certainly has a sandbox layer in their stack. If this layer is Terrarium, the patch or mitigation should be in production within 24 hours. An inventory via SBOM scan or container image audit can clarify this within a few hours.

The second class are enterprise edge stacks where Terrarium runs as a component in larger platforms. Here, the spread is more difficult to detect because Terrarium is often embedded deeper in container images. SBOM tools like Trivy, Grype, or Snyk usually provide reliable hits, provided the SBOMs are up to date. Those without SBOM discipline lose valuable response time in such waves.

The third class are multi-tenant applications that offer code execution for end customers. Here, the vulnerability is particularly critical because an attacker with root access in the sandbox container could potentially gain access to other tenant data. Multi-tenant operators should conduct a forensic analysis of the last 30 days in parallel with the mitigation and actively inform customers as soon as the mitigation takes effect.

What Security Operations should do immediately

Search for Terrarium components in own container images via SBOM
Enforce IMDS lockdown at cloud platform level
Tighten egress allowlist for sandbox containers
Check permissions, use short-lived tokens instead of environment variables

What is not sufficient

Pure WAF rules in front of the application without container hardening
Relying on “we’re not production” without SBOM evidence
Container restart without image rebuild and re-deploy
Patch without re-deployment in all active cluster nodes

A 72-Hour Response Plan for Edge and Platform Teams

Three days are sufficient for the initial response to the incident. The mechanics are closely related to the ASP.NET Core response from the same weekend, which facilitates a shared choreography between Engineering and Security.

Hours 0-12

Inventory. SBOM scan, container image audit, consultation with platform teams. Which services use Terrarium or code execution paths in LLM applications?

Hours 12-24

Triage. Which applications are internet-exposed, which are multi-tenant, and which use short-lived tokens? Prioritization by risk class.

Hours 24-36

Hardening. Enforce IMDSv2, configure egress allowlists at container level, migrate secrets from environment variables to Vault-based tokens.

Hours 36-48

Detection. SIEM rules for suspicious sandbox container spawns, EDR hunts for /etc/passwd access, anomaly alerts for unusual outbound connections.

Hours 48-60

Forensic review. Check logs from the last 30 days for suspicious sandbox activity. If findings are discovered, initiate incident response chain and inform multi-tenant customers.

Hours 60-72

Reporting. Status update to CISO, Compliance, and potentially Data Protection and regulatory authorities. Update architecture documentation for the sandbox layer, schedule 90-day review.

What the AI-Sandbox World Gap of 2026 Reveals

Three structural lessons deserve attention. First: AI-Sandbox bugs are no longer a niche discipline in 2026. With the boom in LLM applications with code interpreter functionality, the sandbox has become a critical component in enterprise stacks. Anyone deploying a chat application with Python execution has a sandbox responsibility that often wasn’t included in the original specifications.

Second: SBOM discipline determines response time. Those who maintain a complete software bill of materials respond within hours. Those without an SBOM search for days. With critical vulnerabilities like CVE-2026-5752, this difference is operationally relevant. Investments in SBOM tools pay for themselves many times over during the first serious incident.

Third: Open-source responsibility deserves strategic attention. Cohere AI is a commercial provider, while Terrarium is an open-source project with wide adoption. CERT/CC did not achieve coordinated patch distribution. This is not unusual, but it forces operators to take responsibility themselves. Organizations that incorporate open-source components into production stacks should regularly check the lifecycle status of each component. The in-depth analysis on strategic sandbox architecture provides the longer discussion on this topic.

How the incident fits into the Q2 patch picture

CVE-2026-5752 is part of a series. Microsoft ASP.NET Core CVE-2026-40372 occurred on the same weekend, while the April 20 CISA-KEV update brought eight more vulnerabilities. Q2 2026 shows a frequency of critical incidents that security operations teams in 2024 were not accustomed to.

Structurally, this requires a different response architecture. Teams that could plan for two critical CVEs per month in 2024 now face four to six per week in 2026. Platform engineering visibility, automated patch pipelines, and SBOM-based inventories must become standard equipment. Those who delay this are creating growing friction that will become visible in the coming quarters.

For executives, the incident provides a concrete audit opportunity. Asking about the current patch status at the next board meeting sharpens the focus for CISOs and CIOs. A second question about SBOM maturity and multi-tenant incident communication provides a good governance check. Those who can provide concrete answers to both questions within 30 seconds have functioning security governance. Those who offer vagueness have an identifiable investment need for 2026.

Frequently Asked Questions

Is it true that Terrarium is owned by Cloudflare?

No. Terrarium is an open-source project by Cohere AI. The confusion with Cloudflare Workers has appeared in some secondary reports. Those who listed Cloudflare as the provider in their own mitigation notes should correct this.

What patch options are available?

Currently, CERT/CC has not reached a coordinated patch deployment with the vendor. Mitigation options are available to operators: IMDS lockdown, egress hardening, container hardening, permission reduction. Those actively monitoring Cohere updates should apply the patch release immediately.

What detection rules are recommended?

SIEM alerts for sandbox container process spawns, EDR hunts for /etc/passwd access, anomalies in outbound connections from sandbox containers. For multi-tenant setups, add cross-tenant boundary monitoring.

How does this bug compare to traditional container escape vulnerabilities?

Related, but different. Traditional container escapes target the container runtime itself. CVE-2026-5752 targets the JavaScript sandbox layer within the container, but escalates to root and potentially to container escape. Defense-in-depth is the proper response.

What does this vulnerability mean for multi-tenant providers?

Particularly critical. An attacker with root access in the sandbox container can potentially reach other tenant data if isolation is insufficient. Multi-tenant providers should immediately prepare customer communications and conduct forensic analysis of the past 30 days.

How should reporting to regulatory authorities be handled?

NIS2 operators of essential and particularly important entities must assess the severity and report if necessary. DORA operators in the financial sector classify it as an ICT-related incident and follow the internal reporting path. Those working in regulated industries should document the assessment, even if no reporting obligation applies.