
CVE-2026-22686: CWE-693: Protection Mechanism Failure in agentfront enclave

Critical
Vulnerability, CVE-2026-22686, cve, cve-2026-22686, cwe-693, cwe-94
Published: Tue Jan 13 2026 (01/13/2026, 23:11:49 UTC)
Source: CVE Database V5
Vendor/Project: agentfront
Product: enclave

Description

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.
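An added example (not enclave-vm's code or its 2.7.0 fix) that uses Node's built-in `node:vm` as a stand-in realm boundary: it checks that a host-created Error leads back to the host `Function` constructor, while an error rebuilt inside the sandbox context from primitive strings does not. The helper names `leaksHostRealm` and `toSandboxError` are hypothetical, and the failing tool call is a constructed sample.

```javascript
'use strict';
const vm = require('node:vm');

// Function constructor reachable from a value through its constructor chain.
function reachableFunctionCtor(value) {
  const ctor = value && value.constructor;
  return ctor ? ctor.constructor : undefined;
}

// True when the value's chain ends at the HOST realm's Function constructor,
// i.e. the object must not be handed to sandboxed code as-is.
function leaksHostRealm(value) {
  return reachableFunctionCtor(value) === Function;
}

// Hardened boundary (hypothetical helper): copy only primitive strings out of
// the host error, then construct a fresh Error inside the sandbox context.
function toSandboxError(context, hostError) {
  const name = String((hostError && hostError.name) || 'Error');
  const message = String((hostError && hostError.message) || 'tool call failed');
  const make = vm.runInContext(
    `(function (name, message) {
       const e = new Error(message);
       e.name = name;
       e.stack = name + ': ' + message; // do not disclose host stack frames
       return e;
     })`,
    context
  );
  return make(name, message);
}

// Constructed scenario: a tool invocation fails on the host side.
function demo() {
  const context = vm.createContext({});
  const hostError = new Error('constructed sample: tool invocation failed');
  const safe = toSandboxError(context, hostError);
  const sandboxFunction = vm.runInContext('Function', context);
  return {
    rawLeaks: leaksHostRealm(hostError),
    safeLeaks: leaksHostRealm(safe),
    safeInSandboxRealm: reachableFunctionCtor(safe) === sandboxFunction,
    message: safe.message,
  };
}

console.log(demo());
```

Node.js documents `node:vm` as not being a security mechanism; it is used here only to create a second realm for the identity check, which suits a regression test around any host-to-sandbox error path.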

AI-Powered Analysis

Last updated: 01/13/2026, 23:40:48 UTC

Technical Analysis

The vulnerability CVE-2026-22686 affects the agentfront enclave-vm, a secure JavaScript sandbox designed to safely execute AI agent code within Node.js environments. Prior to version 2.7.0, enclave-vm improperly exposes a host-side Error object to sandboxed code when a tool invocation fails. This Error object retains its host realm prototype chain, which can be traversed by malicious sandboxed code to reach the host Function constructor. By intentionally triggering a host error, an attacker can climb this prototype chain and use the Function constructor to compile and execute arbitrary JavaScript code in the host Node.js runtime context. This effectively breaks the sandbox's core security guarantee of isolating untrusted code, allowing full access to sensitive host resources such as process environment variables, filesystem, and network interfaces. The vulnerability is categorized under CWE-693 (Protection Mechanism Failure) and CWE-94 (Improper Control of Generation of Code). The CVSS v3.1 base score is 10.0 (critical), reflecting the vulnerability's ease of exploitation (no privileges or user interaction required), network attack vector, and complete impact on confidentiality, integrity, and availability. The issue was publicly disclosed on January 13, 2026, and fixed in enclave version 2.7.0. No known exploits have been reported in the wild to date.

Potential Impact

For European organizations, this vulnerability poses a severe risk, especially for those leveraging the agentfront enclave-vm sandbox to run untrusted or third-party AI agent code within Node.js environments. Successful exploitation allows attackers to escape the sandbox and execute arbitrary code on the host system, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, including environment variables that may contain credentials, filesystem data leakage or manipulation, and network access enabling lateral movement or data exfiltration. Organizations in sectors such as finance, healthcare, and critical infrastructure that rely on AI agent automation or sandboxed code execution are at heightened risk. The critical severity and ease of exploitation mean attackers can remotely compromise systems without authentication or user interaction, increasing the likelihood of rapid and widespread impact if exploited. Additionally, the breach of sandbox isolation undermines trust in AI code execution environments, potentially disrupting AI-driven workflows and services.

Mitigation Recommendations

European organizations should immediately verify if they use agentfront enclave-vm versions prior to 2.7.0 in their environments. The primary mitigation is to upgrade enclave to version 2.7.0 or later, where this vulnerability is fixed. If upgrading is not immediately feasible, organizations should consider isolating systems running vulnerable versions from untrusted code inputs and restricting network access to these hosts to limit exposure. Implement strict code review and validation processes for any sandboxed JavaScript code to detect attempts to trigger host errors maliciously. Employ runtime monitoring and anomaly detection to identify unusual prototype chain traversals or unexpected host Function constructor usage. Additionally, enforce the principle of least privilege on Node.js runtime environments to minimize potential damage from sandbox escapes. Finally, maintain up-to-date incident response plans to quickly address any exploitation attempts.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-08T19:23:09.854Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6966d4a6a60475309fc2e5ce

Added to database: 1/13/2026, 11:26:30 PM

Last enriched: 1/13/2026, 11:40:48 PM

Last updated: 1/14/2026, 2:07:09 AM
