CVE-2026-27597
Published: 25 February 2026
Summary
CVE-2026-27597 is a critical-severity Code Injection (CWE-94) vulnerability in Agentfront Enclave. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 26.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly mitigates the sandbox escape vulnerability by requiring timely remediation through patching to Enclave version 2.11.1 or later.
- Enforces software-based separation and policy enforcement mechanisms essential for JavaScript sandboxes like Enclave to prevent boundary escapes leading to RCE.
- Implements a reference monitor to mediate all subject-object accesses within the sandbox, countering improper control of code generation and escape vulnerabilities.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability enables remote code execution via exploitation of a public-facing JavaScript sandbox component (AV:N/AC:L/PR:N), directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundaries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1.
Deeper analysis [AI]
CVE-2026-27597 affects Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, the vulnerability allows attackers to escape the security boundaries enforced by the `@enclave-vm/core` component, enabling remote code execution (RCE). This flaw is classified under CWE-94 (Improper Control of Generation of Code) and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
The vulnerability can be exploited by any unauthenticated attacker over the network with no user interaction required. Successful exploitation crosses the sandbox boundary (scope changed, S:C), allowing full compromise of confidentiality, integrity, and availability on the host system through arbitrary RCE, potentially leading to complete system takeover.
The security advisory (GHSA-f229-3862-4942) and associated commit (09afbebe4cb6d0586c1145aa71ffabd2103932db) confirm the issue was fixed in Enclave version 2.11.1. Security practitioners should upgrade to this version or later to mitigate the vulnerability.
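Since the only remediation the advisory gives is upgrading `@enclave-vm/core` to 2.11.1 or later, the practical first step is finding every installed copy, including nested ones pulled in transitively. The following is an added example (not code from the advisory or the Enclave project) that audits a lockfile v2/v3 `packages` map for copies older than the fixed version; the sample lockfile and the package name `some-agent-lib` are constructed for illustration.

```javascript
// Added example: audit a package-lock.json for @enclave-vm/core < 2.11.1.
const PACKAGE = "@enclave-vm/core";
const FIXED_VERSION = "2.11.1"; // fixed version stated in the advisory

// Compare dotted versions numerically (major.minor.patch).
// A pre-release suffix (e.g. 2.11.1-rc.1) sorts before its release.
function compareVersions(a, b) {
  const parse = (v) => {
    const dash = v.indexOf("-");
    const core = dash === -1 ? v : v.slice(0, dash);
    const pre = dash === -1 ? null : v.slice(dash + 1);
    return { nums: core.split(".").map(Number), pre };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;  // release is newer than its pre-release
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walk the lockfile "packages" map; keys are install paths such as
// "node_modules/@enclave-vm/core" or a nested
// "node_modules/<dep>/node_modules/@enclave-vm/core".
function findVulnerableInstalls(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE)) continue;
    if (!meta.version) continue; // workspace links carry no version
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is patched, but a
// transitive dependency still pins a vulnerable copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-host", version: "1.0.0" },
    "node_modules/@enclave-vm/core": { version: "2.11.1" },
    "node_modules/some-agent-lib/node_modules/@enclave-vm/core": { version: "2.10.3" },
  },
};

console.log(findVulnerableInstalls(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no copy below 2.11.1 is installed.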
AI Security Analysis [AI]
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai