Cohere's Abandoned AI Tool Poses a Critical Security Risk to Enterprise Pipelines

A sandbox-escape flaw in Cohere's Terrarium, an AI code execution sandbox, exposes enterprises to root-level compromise of the systems that run it, and no vendor fix is coming. CVE-2026-5752, rated High with a CVSS score of 7.5 out of 10, affects organizations that use Terrarium to run Python code generated by large language models (LLMs) or other untrusted sources. Because Cohere no longer maintains the tool, security teams are dealing with a permanently end-of-life component that will never be patched, which leaves isolation or decommissioning as the only options.

What Makes This Vulnerability So Dangerous?

Terrarium is deployed as a Docker container and uses Pyodide, a WebAssembly build of the Python runtime, to execute untrusted or LLM-generated code in isolation from the Node.js process that hosts it. The flaw lies in how Pyodide bridges Python and JavaScript: a Python payload can reach across that bridge, manipulate the JavaScript prototype chain, and escape the WebAssembly sandbox boundary. Once outside the sandbox, the attacker has arbitrary command execution in the Node.js process, which runs with root privileges, and with it full control of the container and, unless a second isolation layer stands between the container and the host, of the underlying server.

Exploitation needs no more than the access an ordinary user of the pipeline already has, namely a way to get Python code submitted to Terrarium, against a deployment running in its default configuration. An attacker crafts a Python payload containing the prototype-manipulation pattern and introduces it through the LLM output pipeline, for instance by steering the model into emitting it. If the deployment has no secondary isolation layer such as gVisor or Kata Containers, the exploit succeeds without any further user interaction.
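The difference between a deployment that has a secondary isolation layer and one that does not can be made concrete. The script below is an added example, not Cohere's code or the Terrarium project's own launch script: it prints the default-style launch beside a hardened one that runs the container under gVisor and strips the privileges an attacker holding the Node.js process would otherwise inherit. The image tag, container name and port are assumptions (the text gives 3000 or 8080 as the usual listener ports but not the image name), and whether the image tolerates a read-only root filesystem and a non-root uid has to be verified against your build.

```shell
#!/bin/sh
# Added example, not Cohere's code: the default Terrarium launch beside a
# hardened one that adds the secondary isolation layer the text refers to.
# IMAGE, NAME and PORT are assumptions; the page gives 3000 or 8080 as the
# usual listener ports but not the image tag.
IMAGE="${TERRARIUM_IMAGE:-cohere-terrarium:latest}"
NAME="${TERRARIUM_NAME:-terrarium}"
PORT="${TERRARIUM_PORT:-8080}"

# Weak baseline: runc, root inside the container, full capability set,
# writable root filesystem, port reachable from every interface. A Pyodide
# escape here is arbitrary root command execution one namespace away from
# the host kernel.
weak_run_cmd() {
    printf 'docker run -d --name %s -p %s:%s %s\n' "$NAME" "$PORT" "$PORT" "$IMAGE"
}

# Hardened launch. --runtime=runsc puts gVisor's user-space kernel between
# the Node.js process and the host kernel, so a WebAssembly escape into
# Node.js still lands inside gVisor's syscall interception (for Kata use the
# runtime name registered in daemon.json, commonly kata-runtime). The other
# flags shrink what an attacker holding the Node.js process can do: non-root
# uid, no capabilities, no setuid re-escalation, read-only rootfs with a
# noexec tmpfs for scratch space, resource caps, and the listener bound to
# loopback so nothing off-host can submit code directly. That the image
# works as uid 65534 on a read-only rootfs is an assumption to verify.
hardened_run_cmd() {
    cat <<EOF
docker run -d --name "$NAME" \\
  --runtime=runsc \\
  --user 65534:65534 \\
  --cap-drop ALL \\
  --security-opt no-new-privileges \\
  --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m \\
  --pids-limit 256 --memory 1g \\
  -p 127.0.0.1:$PORT:$PORT \\
  "$IMAGE"
EOF
}

# Print both for review; "sh hardened-launch.sh run" executes the hardened one.
case "${1:-print}" in
    print) echo "# weak (default):"; weak_run_cmd; echo "# hardened:"; hardened_run_cmd ;;
    run)   sh -c "$(hardened_run_cmd)" ;;
esac
```

The gVisor runtime must be installed and registered under the name runsc in /etc/docker/daemon.json before the hardened command will start; if it is not, Docker refuses the run rather than silently falling back to runc, which is the behaviour you want. Binding to 127.0.0.1 means the LLM pipeline component that submits code has to sit on the same host or reach it through a separately controlled path; that is a deliberate choice, since the text's exposure scenario is a container whose listener is reachable from elsewhere.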

Which Organizations Are at Risk?

Any enterprise using Cohere AI Terrarium in development, staging, or production environments faces exposure. The risk is especially acute for organizations that:

  • Run Terrarium in production: Any environment accepting Python code input from LLM output pipelines or untrusted external sources is vulnerable to exploitation.
  • Lack network segmentation: Terrarium Docker containers that share network access with internal systems or have internet exposure dramatically increase the attack surface.
  • Automate code execution without review: AI and machine learning pipelines that execute code without human oversight are at highest risk, as a single malicious prompt could trigger exploitation automatically.

Organizations that have not audited their AI and machine learning tooling inventory for unmaintained or end-of-life components are particularly vulnerable. Because Terrarium is no longer maintained by Cohere, this exposure will not be resolved by a vendor update, meaning the business bears full responsibility for remediation or decommissioning.

How Should Organizations Respond to This Threat?

Security teams should treat this as an immediate priority. The response has four steps: identify every system running Terrarium, preserve evidence from it, isolate it from the network, and look for signs that the flaw has already been exploited.

  • Evidence preservation: Before disconnecting anything, capture a snapshot of each container's state, its filesystem mutations since the image was started (docker diff), and its live process tree, so that any child process spawned from the Node.js Terrarium process is recorded. These artifacts are what a breach investigation will need, and they are gone once the container is stopped or rebuilt.
  • Immediate isolation: Enumerate the running containers with Docker to find every Terrarium instance, then detach each one from the host and internal bridge networks with docker network disconnect. At the host firewall, add DROP rules for the port Terrarium's Node.js listener binds to, typically 3000 or 8080. Note that traffic to a published container port is forwarded through the DOCKER-USER chain and never reaches INPUT, so a rule in INPUT alone only covers host-network deployments.
  • Anomaly detection: Audit the container logs and the Node.js process logs for unexpected child processes, file access outside the sandbox directories, and privilege-escalation indicators. On the host, check the audit log (auditd or equivalent) for command execution as root whose parent is the Node.js process; Pyodide executes the Python in-process, so child processes of the Node.js process are not expected.
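The identify, preserve, isolate and detect steps above as one script. It is an added example and not Cohere's tooling: it prints a command plan for review and only executes it when invoked with --apply, and it scans auditd records for the child-process indicator (execve by a child of the Node.js process, reported with its uid and argv). The listener port, the evidence directory, the "terrarium" image-name pattern, the assumption that a healthy deployment never spawns children, and the SAMPLE_PS and SAMPLE_AUDIT inputs are all constructed for the example; file-access-outside-sandbox checks would be PATH-record rules added to the same awk program.

```shell
#!/bin/sh
# Added example, not Cohere's tooling: identify / preserve / isolate / detect
# for a Terrarium incident. Prints a reviewable command plan; "sh triage.sh
# --apply" executes it. PORT, EVIDENCE_DIR and the image-name pattern are
# assumptions. The SAMPLE_* variables are constructed inputs used to show
# (and test) the pure functions without a Docker daemon.
PORT="${TERRARIUM_PORT:-8080}"                  # listener port; 3000 or 8080 per the text
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/terrarium-ir}"

# Step 1, identify: read `docker ps --format '{{.ID}} {{.Image}} {{.Names}}'`
# on stdin and print the IDs whose image or name mentions terrarium.
find_terrarium_containers() {
    awk 'tolower($2) ~ /terrarium/ || tolower($3) ~ /terrarium/ { print $1 }'
}

# Step 2, preserve: run before any network change. inspect = container
# state, top = live process tree (children of node show up here), diff =
# filesystem mutations since image start, logs = the container's own output,
# export = a tarball of the whole container filesystem.
evidence_plan() {
    cid=$1; dir=$2/$1
    printf 'mkdir -p %s\n' "$dir"
    printf 'docker inspect %s > %s/inspect.json\n' "$cid" "$dir"
    printf 'docker top %s > %s/top.txt\n' "$cid" "$dir"
    printf 'docker diff %s > %s/diff.txt\n' "$cid" "$dir"
    printf 'docker logs --timestamps %s > %s/logs.txt 2>&1\n' "$cid" "$dir"
    printf 'docker export -o %s/rootfs.tar %s\n' "$dir" "$cid"
}

# Step 3, isolate: detach from every network the container is on, then drop
# the port at the host firewall. Published container ports are DNATed and
# forwarded, so the rule that blocks remote clients goes in DOCKER-USER
# (match on the container-side port); the INPUT rule covers --network host.
isolation_plan() {
    cid=$1; shift
    for net in "$@"; do
        printf 'docker network disconnect -f %s %s\n' "$net" "$cid"
    done
    printf 'iptables -I DOCKER-USER -p tcp --dport %s -j DROP\n' "$PORT"
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$PORT"
}

# Step 4, detect: scan auditd SYSCALL/EXECVE records on stdin. Every pid
# whose exe is node is remembered; an execve whose ppid is one of them is a
# child process of Terrarium's Node.js process, which Pyodide-hosted Python
# gives no reason to spawn (assumption: confirm against your own baseline).
# syscall=59 is execve on x86_64; `ausearch -i` output carries the name.
scan_audit_log() {
    awk '
    function field(name,   i, kv) {              # value of name=..., quotes stripped
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name) { gsub(/"/, "", kv[2]); return kv[2] }
        }
        return ""
    }
    /^type=SYSCALL/ {
        pid = field("pid"); ppid = field("ppid"); exe = field("exe"); sc = field("syscall")
        if (exe ~ /\/node(js)?$/) node[pid] = 1
        if ((sc == "59" || sc == "execve") && (ppid in node)) {
            match($0, /audit\([0-9.]+:[0-9]+\)/)
            flagged[substr($0, RSTART, RLENGTH)] = 1
            printf "ALERT execve by child of node pid=%s: pid=%s uid=%s exe=%s\n", ppid, pid, field("uid"), exe
        }
    }
    /^type=EXECVE/ {                              # same event id: print the argv
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        if (substr($0, RSTART, RLENGTH) in flagged) {
            argv = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^a[0-9]+=/) { sub(/^a[0-9]+=/, "", $i); gsub(/"/, "", $i); argv = argv " " $i }
            printf "      argv:%s\n", argv
        }
    }'
}

# Constructed sample data: two Terrarium containers among three, and an audit
# trail in which node (pid 2314) spawns sh -c id as root.
SAMPLE_PS='3f2a9c1b7e10 cohere-terrarium:latest terrarium-prod
8b77d0a2c4f1 nginx:1.27 edge-proxy
c0ffee123456 registry.internal/ml/terrarium-sandbox:2 sandbox-2'
SAMPLE_AUDIT='type=SYSCALL msg=audit(1712000000.100:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2314 auid=4294967295 uid=0 gid=0 euid=0 comm="node" exe="/usr/local/bin/node" key="exec"
type=SYSCALL msg=audit(1712000400.200:777): arch=c000003e syscall=59 success=yes exit=0 ppid=2314 pid=2399 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1712000400.200:777): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1712000500.300:790): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2500 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="exec"'

main() {
    docker ps --format '{{.ID}} {{.Image}} {{.Names}}' | find_terrarium_containers |
    while read -r cid; do
        nets=$(docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$cid")
        { evidence_plan "$cid" "$EVIDENCE_DIR"; isolation_plan "$cid" $nets; } |
            if [ "${1:-}" = --apply ]; then sh -ex; else cat; fi
    done
}
case "${1:-}" in
    plan|--apply) main "$1" ;;
    *)  printf '%s\n' "$SAMPLE_PS" | find_terrarium_containers    # demo on constructed data
        printf '%s\n' "$SAMPLE_AUDIT" | scan_audit_log ;;
esac
```

Run it without arguments to see the functions work on the constructed data, with plan to print the evidence and isolation commands for the real containers on the host, and with --apply to execute them under sh -ex so the first failing command stops the run. For the detection step on a live host, feed it raw records, for example ausearch --raw -ts today | sh triage.sh, after adding the function call in place of the demo branch; the evidence step runs first in the plan on purpose, because docker network disconnect and the firewall drop can end the attacker's session and with it the process tree you wanted captured.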

Security teams should escalate this to their Chief Information Security Officer (CISO) and legal or compliance teams immediately if audit logs reveal any root-level command execution from the Terrarium process, creation of new accounts on the host, or evidence of lateral movement to other systems. If the Terrarium pipeline processed personally identifiable information (PII), protected health information (PHI), or other regulated data, a confirmed compromise may trigger breach notification obligations.

Why Does This Matter for Enterprise LLM Deployments?

This vulnerability highlights a broader challenge in enterprise AI adoption. As organizations build sophisticated LLM applications that combine models with retrieval systems, tools, memory, and workflow automation, they must carefully manage the security risks inherent in code execution pipelines. Modern enterprise LLM applications extend far beyond simple chatbots, integrating with external data sources, APIs, and business workflows.

The Terrarium flaw underscores why effective enterprise LLM systems require strong governance, observability, and architectural controls. When LLMs generate code that gets executed automatically, even a single manipulated prompt could trigger a critical security incident. Organizations deploying agentic workflows, where AI agents autonomously plan, reason, and take actions without human input at each step, face particularly acute risks and must implement guardrails such as constrained action spaces, human-in-the-loop checkpoints, and audit trails.

The broader lesson is clear: as enterprises adopt LLMs for code generation, document processing, and automated workflows, they must audit their entire AI tooling inventory for unmaintained or end-of-life components. A single forgotten sandbox tool or deprecated library can compromise an entire infrastructure. Security teams should work closely with AI and machine learning teams to ensure that every component in the pipeline is actively maintained, regularly patched, and properly isolated from critical systems.