Platform: python
Component: mesa
Fixed in: 3.5.1
Mesa is an open-source Python library used for agent-based modeling, enabling simulations of complex systems. CVE-2026-29075 is a remote code execution (RCE) vulnerability affecting Mesa versions 3.5.0 and earlier. The flaw arises from the insecure handling of untrusted code in the benchmarks.yml workflow, which could allow an attacker to execute arbitrary code with elevated privileges. A patch addressing this issue has been released.
The vulnerability lies in Mesa's benchmarks.yml workflow, which automatically checks out code. Because that code is untrusted, an attacker whose code is checked out and executed by the privileged runner would gain control over the runner. This could lead to data breaches, system compromise, and potentially complete control of the environment where Mesa is deployed. The impact is particularly severe because agent-based modeling is often used in sensitive domains such as financial modeling or scientific research, where data integrity and confidentiality are paramount. Successful exploitation could allow an attacker to inject malicious code into the simulation process, leading to inaccurate results or the theft of sensitive data.
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently pending evaluation. It is not currently listed on the CISA KEV catalog. Given the RCE nature and the potential for privilege escalation, this vulnerability warrants careful attention and prompt remediation.
Exploit Status
EPSS: 0.12% (31st percentile)
The primary mitigation is to upgrade to a patched version of Mesa. The fix is available in commit c35b8cd. If upgrading is not immediately feasible, consider temporarily disabling the benchmarks.yml workflow or restricting access to the runner environment. Review the benchmarks.yml file for any suspicious code or configurations. Implement strict code review processes for any custom benchmarks or extensions added to Mesa. After upgrading, confirm the fix by running the benchmarks.yml workflow with a known safe codebase and verifying that no unauthorized code execution occurs.
Update the Mesa library to a version later than commit c35b8cd. This will resolve the code execution vulnerability when checking out untrusted code in the `benchmarks.yml` workflow.
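The class of workflow weakness the advisory describes (a privileged workflow that checks out and runs untrusted contributor code) can be flagged with a heuristic check over workflow files, which is the kind of review the mitigation above calls for. This is an added example, not Mesa's code or its actual benchmarks.yml; both sample workflows are constructed, and the page does not state that Mesa's workflow had exactly this shape (the example assumes the common pattern of a `pull_request_target` or `workflow_run` trigger combined with a checkout of the PR head ref).

```python
"""Heuristic audit for 'checkout of untrusted code in a privileged workflow'.
The sample workflows below are constructed for illustration only; they are
not the real Mesa benchmarks.yml."""
import re

# Constructed: a benchmark workflow that runs with the base repository's
# secrets and write token (pull_request_target) yet checks out and executes
# the pull request author's code.
RISKY_WORKFLOW = """\
name: benchmarks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && python benchmarks/run.py
"""

# Constructed: the same job on a plain pull_request trigger, so fork PRs get
# a read-only token and no repository secrets.
SAFE_WORKFLOW = """\
name: benchmarks
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . && python benchmarks/run.py
"""

# Triggers that run in the base repository's privileged context.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")
# Expressions that resolve to a contributor-controlled commit or branch.
UNTRUSTED_REF = re.compile(
    r"github\.event\.(pull_request\.head\.\w+|workflow_run\.head_\w+)")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per checkout of an untrusted ref in a privileged workflow."""
    triggers = [t for t in PRIVILEGED_TRIGGERS
                if re.search(rf"^\s*{t}\s*:", text, re.M)]
    if not triggers:
        return []  # unprivileged workflow: checking out PR code is expected
    return [f"line {text.count(chr(10), 0, m.start()) + 1}: trigger "
            f"{triggers[0]} checks out untrusted ref {m.group(0)}"
            for m in UNTRUSTED_REF.finditer(text)]
```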
CVE-2026-29075 is a remote code execution vulnerability affecting Mesa versions up to 3.5.0. It allows attackers to execute arbitrary code within a privileged runner due to insecure handling of untrusted code in the benchmarks.yml workflow.
You are affected if you are using Mesa version 3.5.0 or earlier. Check your Mesa version using `pip show mesa` and upgrade if necessary.
Upgrade to a patched version of Mesa containing commit c35b8cd. If immediate upgrade is not possible, disable the benchmarks.yml workflow or restrict runner access.
There are currently no confirmed reports of active exploitation, but the vulnerability's RCE nature warrants prompt remediation.
Refer to the Mesa project's official website and GitHub repository for updates and advisories related to CVE-2026-29075.