CVE-2026-22686
Published: January 14, 2026
Description
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.
Security Summary
CVE-2026-22686 is a critical sandbox escape vulnerability (CVSS 10.0) in the enclave-vm component of Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. The flaw (CWE-94, CWE-693) affects versions prior to 2.7.0 running on Node.js: when a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. Because that Error object retains its host realm prototype chain, sandboxed code can traverse the chain to the host Function constructor and use it to compile and execute arbitrary code in the host Node.js runtime.
The vulnerability can be exploited by any untrusted, sandboxed JavaScript code executed within Enclave, such as code from AI agents. An attacker intentionally triggers a host error during a failed tool invocation, then climbs the exposed Error object's prototype chain to access the host Function constructor. This achieves full sandbox bypass, granting access to sensitive host resources including process.env, the filesystem, and network capabilities, thereby breaking Enclave's isolation guarantees. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates remote exploitation with no privileges or user interaction required.
The vulnerability is fixed in Enclave version 2.7.0. The GitHub security advisory (GHSA-7qm7-455j-5p63) and fixing commit (ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1) detail the patch, which security practitioners should apply immediately to deployments using Enclave for isolating untrusted AI agent code.
Details
- CWE(s): CWE-94, CWE-693
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: ai