CVE-2026-22686 in enclave

Summary

by MITRE • 01/14/2026

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.

Analysis

by VulDB Data Team • 01/14/2026

The vulnerability described in CVE-2026-22686 represents a critical sandbox escape flaw within the enclave-vm component of the Enclave secure JavaScript sandbox system. This security issue specifically affects versions prior to 2.7.0 and fundamentally undermines the core security model designed to isolate untrusted JavaScript code execution. The vulnerability stems from improper handling of error objects when tool invocations fail, creating a prototype chain traversal opportunity that bypasses the intended security boundaries.

The technical mechanism behind this exploit involves the exposure of host-side Error objects to sandboxed JavaScript code when tool invocations fail. These Error objects maintain their original prototype chain structure that originates from the host Node.js runtime environment. The prototype chain contains references to the host Function constructor through the standard JavaScript object model, where Error objects inherit from Error.prototype which ultimately connects to the global Function constructor. An attacker can leverage this inheritance relationship by triggering a host error condition and then traversing the prototype chain to access the Function constructor in the host context.

This vulnerability directly maps to CWE-749, which describes "Expose of Function or Data Method in Wrong Class" and CWE-94, covering "Improper Control of Generation of Code" in the context of JavaScript sandbox escape. The attack vector enables arbitrary code execution in the host Node.js runtime environment, completely nullifying the sandbox isolation that Enclave is designed to provide. The exploitation process allows attackers to gain access to sensitive system resources including process environment variables, filesystem operations, and network communication capabilities that should remain restricted to the sandboxed execution environment.

The operational impact of this vulnerability is severe and far-reaching, as it provides attackers with complete control over the host system running the Enclave sandbox. The ability to execute arbitrary JavaScript code in the host context means that malicious actors can access and manipulate any data or resources available to the Node.js process, including sensitive configuration information, user data, and system resources. This represents a complete breakdown of the security isolation that the sandbox is intended to enforce, potentially leading to data breaches, system compromise, and unauthorized access to critical infrastructure components.

Mitigation strategies for this vulnerability require immediate upgrade to version 2.7.0 or later where the issue has been addressed. Organizations should implement comprehensive monitoring for any suspicious activity that might indicate exploitation attempts, particularly around error handling and prototype chain traversal patterns in their sandboxed environments. Security teams should also conduct thorough assessments of their current Enclave deployments to ensure all systems have been updated and verify that no unauthorized access has occurred. The fix implemented in version 2.7.0 likely involves proper isolation of error object prototypes or complete removal of host context references from sandboxed error handling mechanisms, ensuring that sandboxed code cannot access host Function constructors or other privileged objects through prototype chain traversal.
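The root cause and the kind of fix discussed above can be checked with a realm-identity test. The following is an added example, not enclave-vm code and not the actual 2.7.0 patch: Node's built-in vm module stands in for the sandbox, and isSandboxNative, toSandboxError, invokeTool and failingTool are hypothetical names. It shows that a host Error handed across the boundary has a prototype chain outside the sandbox realm, while an error rebuilt inside the sandbox from strings does not.

```javascript
const vm = require('node:vm');

// Stand-in sandbox realm (assumption: node:vm only illustrates realm identity;
// Node documents it as not being a security mechanism).
const sandbox = vm.createContext({});

// Compiled inside the sandbox, so Object here is the sandbox's own intrinsic.
// True when the value's prototype chain stays inside the sandbox realm.
const isSandboxNative = vm.runInContext(`(function (value) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return true;
  let proto = Object.getPrototypeOf(value);
  if (proto === null) return true;            // nothing to climb
  for (; proto !== null; proto = Object.getPrototypeOf(proto)) {
    if (proto === Object.prototype) return true;
  }
  return false;                               // chain ended in another realm
})`, sandbox);

// Builds the error inside the sandbox realm from primitives only.
const makeSandboxError = vm.runInContext(`(function (name, message) {
  const err = new Error(message);
  err.name = name;
  err.stack = name + ': ' + message;          // drop host frames and paths
  return err;
})`, sandbox);

// Hardened boundary: only strings cross; the host object never does.
function toSandboxError(hostErr) {
  const name = typeof hostErr?.name === 'string' ? hostErr.name : 'Error';
  const message = typeof hostErr?.message === 'string' ? hostErr.message : 'tool call failed';
  return makeSandboxError(name, message);
}

// Constructed failing tool, standing in for a host-side tool invocation.
function failingTool() {
  throw new TypeError('fetchReport failed: ECONNREFUSED');
}

function invokeTool(tool, sanitize) {
  try {
    return tool();
  } catch (hostErr) {
    return sanitize ? toSandboxError(hostErr) : hostErr; // false = host object exposed
  }
}

const leaked = invokeTool(failingTool, false);
const safe = invokeTool(failingTool, true);
console.log('host error is sandbox-native:', isSandboxNative(leaked));
console.log('rebuilt error is sandbox-native:', isSandboxNative(safe));
```

The same isSandboxNative check can run as a regression test over every value a host tool bridge returns to sandboxed code; it inspects the prototype chain only, not the properties the value carries.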

Responsible

GitHub M

Reservation

01/08/2026

Disclosure

01/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00274

KEV

no

Activities

very low
