SCA: security update for enclave-vm (GHSA-7qm7-455j-5p63)

critical Tenable Self-Hosted Container Security Plugin ID 436761

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is
a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to
execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a
host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which
can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host
error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be
compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive
resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee
of isolating untrusted code. This vulnerability is fixed in 2.7.0. (CVE-2026-22686)

See Also

https://github.com/advisories/GHSA-7qm7-455j-5p63

Plugin Details

Severity: Critical

ID: 436761

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-22686

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/14/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2026-22686

cwe: CWE-94