Cyber Posture

CVE-2026-22686

Critical · Public PoC · RCE

Published: 14 January 2026
Modified: 24 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in 2.7.0
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22686 is a critical-severity Code Injection (CWE-94) vulnerability in Agentfront Enclave. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 49.1% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SC-50 (Software-enforced Separation and Policy Enforcement) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (flaw remediation): Directly mitigates the sandbox escape by requiring identification, reporting, and timely patching of the specific flaw in enclave-vm prior to version 2.7.0.

Prevent (SI-11 Error Handling): Prevents exploitation by ensuring that error handling during failed tool invocations does not expose host-side Error objects or exploitable prototype chains to sandboxed code.

Prevent (SC-50 Software-enforced Separation and Policy Enforcement): Enforces software-based separation and policy between untrusted sandboxed JavaScript and the host Node.js runtime, blocking prototype-chain traversal to the host Function constructor.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1211 Exploitation for Stealth (tactic: Stealth): Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability is a sandbox escape that exploits exposure of a host Error object to achieve arbitrary code execution on the host Node.js runtime, directly facilitating exploitation for privilege escalation (T1068) and defense evasion by bypassing sandbox isolation (T1211).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime.

When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.

Deeper analysis [AI]

CVE-2026-22686 is a critical sandbox escape vulnerability (CVSS 10.0) in the enclave-vm component of Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. Affecting versions prior to 2.7.0 and running on Node.js, the flaw (CWE-94, CWE-693) occurs when a tool invocation fails, causing enclave-vm to expose a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, enabling traversal to the host Function constructor and allowing untrusted JavaScript to compile and execute arbitrary code in the host Node.js runtime.

The vulnerability can be exploited by any untrusted, sandboxed JavaScript code executed within Enclave, such as code from AI agents. An attacker intentionally triggers a host error during a failed tool invocation, then climbs the exposed Error object's prototype chain to access the host Function constructor. This achieves full sandbox bypass, granting access to sensitive host resources including process.env, the filesystem, and network capabilities, thereby breaking Enclave's isolation guarantees. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates remote exploitation with no privileges or user interaction required.

The vulnerability is fixed in Enclave version 2.7.0. The GitHub security advisory (GHSA-7qm7-455j-5p63) and fixing commit (ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1) detail the patch, which security practitioners should apply immediately to deployments using Enclave for isolating untrusted AI agent code.

Details

CWE(s): CWE-94 (Code Injection), CWE-693

Affected Products: agentfront enclave ≤ 2.7.0

AI Security Analysis [AI]

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-27597: same product (Agentfront Enclave)
CVE-2026-25533: same product (Agentfront Enclave)
CVE-2026-39421: shared CWE-693, CWE-94
CVE-2026-24118: shared CWE-693, CWE-94
CVE-2026-21669: shared CWE-693, CWE-94
CVE-2026-24781: shared CWE-693, CWE-94
CVE-2026-24120: shared CWE-693, CWE-94
CVE-2026-33622: shared CWE-693, CWE-94
CVE-2026-41512: shared CWE-94
CVE-2026-2761: shared CWE-693
