CVE-2026-22686

CRITICAL

enclave-vm < 2.7.0 - Sandbox Escape via Host Error Prototype Chain Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-22686. PoCs published by XiaomingX, moltengama, amusedx.

AI-analyzed exploit summary The repository contains a functional PoC for CVE-2026-22686, demonstrating a sandbox escape and RCE in Node.js ESM environments by leveraging `process.getBuiltinModule` to bypass module loading restrictions. The README provides detailed technical analysis of the vulnerability and alternative exploitation vectors.

Description

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-22686

The repository contains a functional PoC for CVE-2026-22686, demonstrating a sandbox escape and RCE in Node.js ESM environments by leveraging `process.getBuiltinModule` to bypass module loading restrictions. The README provides detailed technical analysis of the vulnerability and alternative exploitation vectors.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Node.js (ESM environments, >= 22.3.0)
No auth needed
Prerequisites: Access to a vulnerable Node.js sandbox environment · Ability to execute arbitrary JavaScript code
devstral-2 · analyzed Mar 06, 2026 Full analysis →
nomisec WORKING POC 1 stars
by moltengama · poc
https://github.com/moltengama/CVE-2026-22686-RemoteCodeExecution-RCE-PoC

The repository contains a functional exploit PoC for CVE-2026-22686, leveraging Node.js's `process.getBuiltinModule` API to achieve remote code execution in ESM environments. The payload bypasses sandbox restrictions by enumerating host context keys and executing arbitrary commands via `child_process`.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Node.js (ESM environments, >= 22.3.0)
No auth needed
Prerequisites: Access to a vulnerable Node.js sandbox environment · Node.js version >= 22.3.0
devstral-2 · analyzed Mar 05, 2026 Full analysis →
nomisec WORKING POC 1 stars
by amusedx · poc
https://github.com/amusedx/CVE-2026-22686

This PoC demonstrates a sandbox escape via prototype chain traversal and host error manipulation to achieve remote code execution. It exploits a vulnerability in a JavaScript sandbox environment by leveraging host-side errors and prototype manipulation.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Enclave VM Sandbox (version unspecified)
No auth needed
Prerequisites: Access to the sandboxed JavaScript environment · Ability to trigger host-side errors
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 10.0
EPSS 0.0021
EPSS Percentile 43.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-693 CWE-94
Status published
Products (2)
agentfront/enclave < 2.7.0
npm/enclave-vm 0 - 2.7.0npm
Published Jan 14, 2026
Tracked Since Feb 18, 2026