CVE-2026-22686
Unknown Unknown - Not Provided
Sandbox Escape in enclave-vm Allows Arbitrary Host Code Execution

Publication date: 2026-01-14

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-14
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22686
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agentfront enclave to 2.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22686 is a critical sandbox escape vulnerability in the enclave-vm JavaScript sandbox. When a tool invocation fails, the sandbox exposes a host-side Error object to the sandboxed code. This Error object retains its host prototype chain, allowing an attacker to traverse it to reach the host's Function constructor. By triggering a host error and climbing this prototype chain, an attacker can compile and execute arbitrary JavaScript code in the host Node.js runtime, bypassing the sandbox's isolation and gaining access to sensitive host resources like environment variables, filesystem, and network. This breaks the core security guarantee of enclave-vm. The vulnerability is fixed in version 2.7.0. [2]

Impact Analysis

This vulnerability allows an attacker to escape the sandbox and execute arbitrary code in the host Node.js runtime. This means the attacker can access sensitive resources such as environment variables (process.env), the filesystem, and network capabilities. This can lead to full compromise of the host system running enclave-vm, including data theft, unauthorized system access, and potential further exploitation or disruption of services. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading enclave-vm to version 2.7.0 or later, which contains the fix for this vulnerability. Additionally, mitigation strategies involve re-creating all Error objects crossing the sandbox boundary inside the sandbox realm to avoid exposing host prototypes, stripping or freezing prototype chains of host objects to prevent prototype chain traversal, preventing access to host Function constructors from sandboxed code, and hardening tool error handling to avoid leaking host-native objects. [2]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows arbitrary code execution in the host environment and access to sensitive resources like environment variables, filesystem, and network, it could potentially lead to unauthorized data access or data breaches, which may affect compliance with data protection regulations. Specific compliance implications are not detailed in the provided text. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22686. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart