Cyber Resilience

CVE-2026-22686

Critical · Public PoC · RCE

Published: 14 January 2026
Modified: 24 February 2026
KEV Added: not listed
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0059 (43.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-22686 is a critical-severity Code Injection (CWE-94) vulnerability in Agentfront Enclave. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 43.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-50 (Software-enforced Separation and Policy Enforcement) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-22686 is a critical sandbox escape vulnerability (CVSS 10.0) in the enclave-vm component of Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. Affecting versions prior to 2.7.0 and running on Node.js, the flaw (CWE-94, CWE-693) occurs when a tool invocation fails, causing enclave-vm to expose a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, enabling traversal to the host Function constructor and allowing untrusted JavaScript to compile and execute arbitrary code in the host Node.js runtime.

The vulnerability can be exploited by any untrusted, sandboxed JavaScript code executed within Enclave, such as code from AI agents. An attacker intentionally triggers a host error during a failed tool invocation, then climbs the exposed Error object's prototype chain to access the host Function constructor. This achieves full sandbox bypass, granting access to sensitive host resources including process.env, the filesystem, and network capabilities, thereby breaking Enclave's isolation guarantees. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates remote exploitation with no privileges or user interaction required.

The vulnerability is fixed in Enclave version 2.7.0. The GitHub security advisory (GHSA-7qm7-455j-5p63) and fixing commit (ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1) detail the patch, which security practitioners should apply immediately to deployments using Enclave for isolating untrusted AI agent code.

Vulnerability details

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime.

When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm's core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.

CWE(s)

CWE-94 (Code Injection), CWE-693 (Protection Mechanism Failure)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1211 Exploitation for Stealth (tactic: Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

Why these techniques?

The vulnerability is a sandbox escape that exploits exposure of a host Error object to achieve arbitrary code execution on the host Node.js runtime, directly facilitating exploitation for privilege escalation (T1068) and defense evasion by bypassing sandbox isolation (T1211).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27597 · Same product: Agentfront Enclave
CVE-2026-25533 · Same product: Agentfront Enclave
CVE-2025-5120 · Shared CWE-94
CVE-2026-21669 · Shared CWE-693, CWE-94
CVE-2026-24118 · Shared CWE-693, CWE-94
CVE-2026-39885 · Same vendor: Agentfront
CVE-2026-24781 · Shared CWE-693, CWE-94
CVE-2026-26030 · Shared CWE-94
CVE-2026-24120 · Shared CWE-693, CWE-94
CVE-2026-33622 · Shared CWE-693, CWE-94

Affected Assets

Vendor: agentfront
Product: enclave
Versions: ≤ 2.7.0

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the sandbox escape by requiring identification, reporting, and timely patching of the specific flaw in enclave-vm prior to version 2.7.0.

SI-11 (Error Handling) · prevent: Prevents exploitation by ensuring error handling during failed tool invocations does not expose host-side Error objects or exploitable prototype chains to sandboxed code.

SC-50 (Software-enforced Separation and Policy Enforcement) · prevent: Enforces software-based separation and policy between untrusted sandboxed JavaScript and the host Node.js runtime, blocking prototype chain traversal to the host Function constructor.

References