CVE-2026-27597
Published: 25 February 2026
Summary
CVE-2026-27597 is a critical-severity Code Injection (CWE-94) vulnerability in Agentfront Enclave. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).
Deeper analysis
CVE-2026-27597 affects Enclave, a JavaScript sandbox built to run code produced by AI agents safely. In versions before 2.11.1, code running inside the sandbox can escape the security boundaries enforced by the `@enclave-vm/core` package and achieve remote code execution (RCE) on the host. The flaw is classified as CWE-94 (Improper Control of Generation of Code) and carries the maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and impact that crosses the sandbox boundary.
Any unauthenticated attacker who can get code executed in the sandbox over the network can exploit the flaw with no user interaction. The scope change (S:C) reflects that code meant to be confined to the sandbox gains control of the hosting process, so a successful exploit fully compromises the confidentiality, integrity, and availability of the host system and can lead to complete takeover.
The security advisory (GHSA-f229-3862-4942) and the associated commit (09afbebe4cb6d0586c1145aa71ffabd2103932db) confirm that the issue is fixed in Enclave version 2.11.1. Practitioners should upgrade `@enclave-vm/core` to 2.11.1 or later, including any nested copies pulled in transitively by other dependencies.
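The following Node.js script is an added example, not code from the Enclave project or from this advisory. It audits a `package-lock.json` (lockfileVersion 2 or 3, which carry a `packages` map) for installs of `@enclave-vm/core` below the fixed release 2.11.1, including nested copies vendored under other dependencies, which `npm ls` output is easy to misread. The lockfile content and the version 2.10.3 are constructed for the illustration; the comparison follows semver precedence, so a 2.11.1 prerelease is still reported as vulnerable.

```javascript
// Added example (not part of Enclave): flag @enclave-vm/core installs below the
// fixed version 2.11.1 in an npm lockfile. Runs offline on the constructed
// sample lockfile at the bottom of the file.

const VULNERABLE_PACKAGE = "@enclave-vm/core";
const FIXED_VERSION = "2.11.1";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Build metadata is ignored, as semver precedence rules require.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Semver prerelease precedence: dot-separated identifiers compared left to
// right; numeric identifiers compare numerically and sort before alphanumeric
// ones; a shorter identifier list sorts first when all shared parts are equal.
function comparePrerelease(a, b) {
  const as = a.split("."), bs = b.split(".");
  for (let i = 0; i < Math.max(as.length, bs.length); i++) {
    if (as[i] === undefined) return -1;
    if (bs[i] === undefined) return 1;
    const an = /^\d+$/.test(as[i]), bn = /^\d+$/.test(bs[i]);
    if (an && bn) {
      const d = Number(as[i]) - Number(bs[i]);
      if (d !== 0) return d;
    } else if (an) {
      return -1;
    } else if (bn) {
      return 1;
    } else if (as[i] !== bs[i]) {
      return as[i] < bs[i] ? -1 : 1;
    }
  }
  return 0;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  // Same release triple: a prerelease sorts below the final release.
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  if (!pa.pre && !pb.pre) return 0;
  return comparePrerelease(pa.pre, pb.pre);
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/@scope/name"
// for direct installs and "node_modules/a/node_modules/@scope/name" for nested
// copies; both are checked. Entries without a version (workspace links) are skipped.
function findVulnerableInstalls(lock, name = VULNERABLE_PACKAGE, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith(`node_modules/${name}`)) continue;
    if (!meta || !meta.version) continue;
    if (compareSemver(meta.version, fixed) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Human-readable report lines for the findings.
function reportVulnerableInstalls(lock) {
  const found = findVulnerableInstalls(lock);
  if (found.length === 0) return [`OK: no ${VULNERABLE_PACKAGE} < ${FIXED_VERSION} installed`];
  return found.map(h => `VULNERABLE ${h.path}@${h.version} (< ${FIXED_VERSION}, CVE-2026-27597)`);
}

// Constructed sample lockfile (not from any real project): one direct vulnerable
// copy, one nested copy already on the fixed version, one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-host", version: "1.0.0" },
    "node_modules/@enclave-vm/core": { version: "2.10.3" },
    "node_modules/some-agent-lib": { version: "4.2.0" },
    "node_modules/some-agent-lib/node_modules/@enclave-vm/core": { version: "2.11.1" },
  },
};

for (const line of reportVulnerableInstalls(SAMPLE_LOCK)) console.log(line);
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files have no `packages` map and would need the older `dependencies` tree walked instead.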
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8617
Vulnerability details
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundaries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1.
- CWE(s)
- CWE-94 (Improper Control of Generation of Code)
AI Security Analysis
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution via exploitation of a public-facing JavaScript sandbox component (AV:N/AC:L/PR:N), directly mapping to T1190: Exploit Public-Facing Application.
Affected Assets
- `@enclave-vm/core` (Enclave), versions before 2.11.1
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the sandbox escape by patching to Enclave version 2.11.1 or later.
- SC-50 (Software-enforced Separation and Policy Enforcement): enforces the software-based separation and policy mechanisms a JavaScript sandbox such as Enclave depends on to keep guest code from crossing into the host and reaching RCE.
- AC-25 (Reference Monitor): mediates every access from sandboxed code to host objects through a single, tamper-resistant enforcement point, countering improper control of code generation and boundary escapes.