CVE-2026-25533
Published: 06 February 2026
Summary
CVE-2026-25533 is a vulnerability in Agentfront Enclave recorded under CWE-835 (Infinite Loop), although the advisory text describes a sandbox escape rather than a looping defect. Published scores for it disagree: this summary carries a CVSS base score of 6.4 (Medium), while the advisory vector quoted in the deeper analysis below (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) computes to 8.8 (High) under CVSS v3.1, and the 8.8 figure is the one consistent with that vector.
Operationally, exploitation maps to the MITRE ATT&CK technique Escape to Host (T1611). Its exploit-likelihood ranking is the 13.6th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).
Deeper analysis
CVE-2026-25533 is a vulnerability in Enclave, a JavaScript sandbox built for running AI agent code. It affects the enclave-vm component in versions prior to 2.10.1, where each of the sandbox's defensive layers can be bypassed on its own: the AST sanitization can be evaded with computed (dynamic) property accesses, which hide a denied identifier from a static check; the hardening of error objects does not account for behaviour specific to Node's vm module; and the prevention of Function constructor access can be side-stepped through references to host objects (the usual route being a host object's prototype chain, which leads back to the host realm's Function constructor). The advisory vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields a CVSS v3.1 base score of 8.8 (High). The record is tagged CWE-835, although the description is that of a sandbox escape. A practitioner caveat: Node's own documentation states that the vm module is not a security mechanism by itself, which is the backdrop for the error-object and host-reference bypasses.
An attacker who can submit code to the sandbox locally, holding low privileges, needs no user interaction and faces low attack complexity. Scope is Changed because the impact crosses from the sandboxed guest into the host process: a full sandbox escape with high confidentiality, integrity and availability impact, up to arbitrary code execution on the host system.
The vulnerability is addressed in Enclave version 2.10.1. Mitigation details, including the fixing commit and security advisory, are documented on the project's GitHub repository at https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca and https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p. A related research publication is available at https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf.
This flaw matters in AI/ML deployments because Enclave exists to run JavaScript produced by AI agents, so whatever code an agent emits, or is induced to emit, reaches the sandbox directly. A proof of concept is referenced, but no public information on in-the-wild exploitation is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5565
Vulnerability details
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior of the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1.
- CWE(s): CWE-835 (Infinite Loop), as recorded for this CVE
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1611 Escape to Host
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The CVE describes a sandbox escape in a JavaScript VM via multiple bypasses (AST, error hardening, constructor access), directly enabling host escape (T1611) and privilege escalation to arbitrary code execution (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2026-25533 by requiring timely identification, reporting and patching of the flaws in Enclave's AST sanitization, error-object hardening and Function constructor access prevention; in practice, upgrading enclave-vm to 2.10.1 or later.
- AC-25 (Reference Monitor): implements a reference monitor in the JavaScript sandbox that mediates every subject-object access, so that bypasses via dynamic property accesses, vm module peculiarities and host object references are caught at the point of access rather than by a one-time static check.
- SC-50 (Software-enforced Separation and Policy Enforcement): enforces software-based separation policies that isolate untrusted AI agent code from host resources, countering sandbox escape in enclave-vm; for untrusted agent code this means a boundary stronger than an in-process vm context, such as a separate process or isolate.