Cyber Resilience

CVE-2026-27597

Severity: Critical · Public PoC · RCE

Published: 25 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: 2.11.1
CVSS v3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0088 (54.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27597 is a critical-severity Code Injection (CWE-94) vulnerability in Agentfront Enclave. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).

Deeper analysis

CVE-2026-27597 affects Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, the vulnerability allows attackers to escape the security boundaries enforced by the `@enclave-vm/core` component, enabling remote code execution (RCE). The flaw is classified under CWE-94 (Improper Control of Generation of Code) and carries the maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.

The vulnerability can be exploited by any unauthenticated attacker over the network with no user interaction required. Successful exploitation grants scope-changing privileges, allowing full compromise of confidentiality, integrity, and availability on the host system through arbitrary RCE, potentially leading to complete system takeover.

The security advisory (GHSA-f229-3862-4942) and associated commit (09afbebe4cb6d0586c1145aa71ffabd2103932db) confirm the issue was fixed in Enclave version 2.11.1. Security practitioners should upgrade to this version or later to mitigate the vulnerability.

Vulnerability details

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundaries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1.

CWE(s): CWE-94 (Improper Control of Generation of Code)

AI Security Analysis (AI)

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables remote code execution via exploitation of a public-facing JavaScript sandbox component (AV:N/AC:L/PR:N), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22686 (same product: Agentfront Enclave)
CVE-2026-25533 (same product: Agentfront Enclave)
CVE-2026-30741 (shared CWE-94)
CVE-2026-44717 (shared CWE-94)
CVE-2025-51482 (shared CWE-94)
CVE-2026-41229 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2026-40563 (shared CWE-94)
CVE-2024-32641 (shared CWE-94)
CVE-2026-2287 (shared CWE-94)

Affected Assets

agentfront / enclave, versions ≤ 2.11.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mitigates the sandbox escape vulnerability by requiring timely remediation through patching to Enclave version 2.11.1 or later.

prevent (SC-50, Software-enforced Separation and Policy Enforcement): Enforces software-based separation and policy enforcement mechanisms essential for JavaScript sandboxes like Enclave to prevent boundary escapes leading to RCE.

prevent (AC-25, Reference Monitor): Implements a reference monitor to mediate all subject-object accesses within the sandbox, countering improper control of code generation and escape vulnerabilities.

References