Cyber Posture

CVE-2026-27597

Critical · Public PoC

Published: 25 February 2026
Modified: 27 February 2026
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0077 (73.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundaries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly mitigates the sandbox escape vulnerability by requiring timely remediation through patching to Enclave version 2.11.1 or later.

prevent: Enforces software-based separation and policy enforcement mechanisms essential for JavaScript sandboxes like Enclave to prevent boundary escapes leading to RCE.

prevent: Implements a reference monitor to mediate all subject-object accesses within the sandbox, countering improper control of code generation and escape vulnerabilities.

Security Summary (AI-generated)

CVE-2026-27597 affects Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, the vulnerability allows attackers to escape the security boundaries enforced by the `@enclave-vm/core` component, enabling remote code execution (RCE). This flaw is classified under CWE-94 (Improper Control of Generation of Code) and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

The vulnerability can be exploited by any unauthenticated attacker over the network with no user interaction required. Successful exploitation crosses the sandbox boundary (scope change, S:C), allowing full compromise of confidentiality, integrity, and availability on the host system through arbitrary RCE, potentially leading to complete system takeover.

The security advisory (GHSA-f229-3862-4942) and associated commit (09afbebe4cb6d0586c1145aa71ffabd2103932db) confirm the issue was fixed in Enclave version 2.11.1. Security practitioners should upgrade to this version or later to mitigate the vulnerability.

Details

CWE(s)

CWE-94 (Improper Control of Generation of Code)

Affected Products

Vendor: agentfront
Product: enclave
Versions: ≤ 2.11.1

AI Security Analysis (AI-generated)

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: ai

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables remote code execution via exploitation of a public-facing JavaScript sandbox component (AV:N/AC:L/PR:N), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References