<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sandbox Escape — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sandbox-escape/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 Apr 2026 21:21:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sandbox-escape/feed.xml" rel="self" type="application/rss+xml"/><item><title>n8n Python Task Runner Sandbox Escape Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-n8n-python-sandbox-escape/</link><pubDate>Wed, 29 Apr 2026 21:21:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-n8n-python-sandbox-escape/</guid><description>A sandbox escape vulnerability exists in n8n's Python Task Runner that allows an authenticated user with workflow creation/modification permissions to achieve arbitrary code execution on the task runner container, impacting n8n instances with the Python Task Runner enabled; upgrade to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability.</description><content:encoded><![CDATA[<p>A sandbox escape vulnerability has been identified in the Python Task Runner of n8n, a workflow automation platform. This vulnerability, assigned CVE-2026-42234, allows an authenticated user who has permissions to create or modify workflows that contain a Python Code Node to escape the sandbox environment. Successful exploitation leads to arbitrary code execution within the task runner container. This issue specifically impacts n8n instances where the Python Task Runner is enabled. 
The vulnerability affects n8n versions prior to 1.123.32, versions between 2.17.0 and 2.17.4, and versions between 2.18.0 and 2.18.1. Defenders should prioritize patching their n8n instances or implementing available workarounds.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated access to an n8n instance.</li>
<li>The attacker verifies the Python Task Runner is enabled.</li>
<li>The attacker creates or modifies an n8n workflow.</li>
<li>The workflow includes a Python Code Node.</li>
<li>The attacker crafts malicious Python code designed to escape the sandbox. This code could leverage vulnerabilities in the sandbox implementation to execute commands outside of the intended restricted environment.</li>
<li>The attacker triggers the workflow execution.</li>
<li>The malicious Python code executes, successfully escaping the sandbox.</li>
<li>Arbitrary code is executed on the task runner container, potentially leading to compromise of the n8n instance or the underlying infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the n8n task runner container. This can lead to a full compromise of the n8n instance, allowing the attacker to steal sensitive data, disrupt services, or pivot to other systems within the network. While the exact number of affected instances is unknown, any n8n deployment that runs a vulnerable version with the Python Task Runner enabled is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade n8n to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability as recommended by the vendor.</li>
<li>If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only, as mentioned in the advisory.</li>
<li>As a temporary measure, disable the Python Code node by adding <code>n8n-nodes-base.code</code> to the <code>NODES_EXCLUDE</code> environment variable, or disable the Python Task Runner entirely as documented in the advisory.</li>
<li>Monitor container execution for unexpected processes spawned from the n8n task runner container using the &ldquo;Detect Suspicious Process Execution from n8n Task Runner&rdquo; Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sandbox-escape</category><category>code-execution</category><category>vulnerability</category></item><item><title>OpenClaw Symlink Vulnerability in SSH Sandbox Tar Upload (CVE-2026-41364)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-symlink/</link><pubDate>Tue, 28 Apr 2026 00:16:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-symlink/</guid><description>OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.</description><content:encoded><![CDATA[<p>OpenClaw versions before 2026.3.31 are vulnerable to a symlink following issue within the SSH sandbox tar upload functionality. This vulnerability, identified as CVE-2026-41364, allows a remote attacker with the ability to upload tar archives to the OpenClaw instance to potentially escape the intended sandbox environment. By crafting a malicious tar archive containing carefully constructed symbolic links, an attacker can overwrite arbitrary files on the remote host, leading to a compromise of the system&rsquo;s integrity. This vulnerability was reported and patched in version 2026.3.31. Defenders need to ensure they are running patched versions to mitigate the risk of exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the OpenClaw instance via SSH, gaining access to the restricted sandbox environment.</li>
<li>Attacker crafts a malicious tar archive containing symbolic links pointing outside the intended sandbox directory. These symlinks are designed to target specific files or directories on the host system that the attacker wishes to overwrite.</li>
<li>Attacker uploads the malicious tar archive to the OpenClaw instance using the SSH sandbox tar upload functionality.</li>
<li>OpenClaw extracts the contents of the uploaded tar archive without properly validating or restricting the target paths of the symbolic links.</li>
<li>During extraction, the symbolic links are followed, causing files to be written outside the intended sandbox directory.</li>
<li>The attacker overwrites arbitrary files on the remote host with attacker-controlled content.</li>
<li>The attacker achieves arbitrary code execution or persistence by overwriting critical system files or configuration files.</li>
<li>The attacker escalates privileges by modifying binaries used by privileged users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker with low privileges to write arbitrary files on the OpenClaw server. This can lead to a variety of impacts, including arbitrary code execution, privilege escalation, and denial of service. An attacker could potentially gain complete control over the OpenClaw server by overwriting critical system files. Given the potential for complete system compromise, this vulnerability poses a significant risk to organizations using affected versions of OpenClaw.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41364.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious Tar Archive Upload with Symlinks&rdquo; to detect attempts to upload malicious tar archives containing symbolic links.</li>
<li>Monitor SSH logs for suspicious activity related to tar archive uploads to the OpenClaw instance.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>symlink</category><category>file-write</category><category>sandbox-escape</category></item><item><title>Google Chrome Sandbox Escape via Uninitialized Use in Accessibility (CVE-2026-6311)</title><link>https://feed.craftedsignal.io/briefs/2026-04-chrome-sandbox-escape/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chrome-sandbox-escape/</guid><description>A remote attacker who has compromised the renderer process in Google Chrome on Windows prior to version 147.0.7727.101 can potentially perform a sandbox escape via a crafted HTML page due to an uninitialized use in accessibility, as tracked by CVE-2026-6311.</description><content:encoded><![CDATA[<p>CVE-2026-6311 describes a high-severity vulnerability affecting Google Chrome on Windows. Specifically, an uninitialized use in the Accessibility component exists in versions prior to 147.0.7727.101. This flaw allows a remote attacker, who has already compromised the renderer process, to potentially escape the browser&rsquo;s sandbox environment. The attacker exploits this vulnerability by crafting a malicious HTML page. Successful exploitation allows the attacker to execute code outside of the Chrome sandbox, potentially leading to arbitrary code execution on the underlying system. This vulnerability was patched in Chrome version 147.0.7727.101, released in April 2026. The Chromium project assigned a security severity of High to this issue.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious HTML page designed to trigger the uninitialized use vulnerability in the Accessibility component.</li>
<li>The victim visits the malicious HTML page through a phishing link or drive-by download.</li>
<li>The HTML page is rendered by Google Chrome, which triggers the vulnerability in the Accessibility component.</li>
<li>Due to the uninitialized memory, the attacker gains control of a pointer or other sensitive data.</li>
<li>The attacker leverages this control to read from or write to arbitrary memory locations within the renderer process.</li>
<li>The attacker manipulates the memory of the renderer process to bypass sandbox restrictions.</li>
<li>The attacker gains the ability to execute arbitrary code outside of the Chrome sandbox.</li>
<li>The attacker can now perform actions such as installing malware, stealing sensitive data, or pivoting to other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6311 allows an attacker to escape the Google Chrome sandbox on Windows systems. This can lead to arbitrary code execution on the victim&rsquo;s machine, potentially leading to data theft, malware installation, or further compromise of the network. Given Chrome&rsquo;s widespread use, this vulnerability poses a significant risk to a large number of users. While the exact number of victims is unknown, the potential impact is high due to the ability to bypass the browser&rsquo;s security measures.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6311 (reference: Overview).</li>
<li>Monitor process creation events for unexpected processes spawned by Chrome renderer processes, as a sign of successful sandbox escape (reference: Attack Chain step 8 and the &ldquo;Detect Chrome Sandbox Escape via Child Process&rdquo; Sigma rule).</li>
<li>Implement web filtering to block access to known malicious websites that may host exploit code targeting this vulnerability (reference: Attack Chain step 2).</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-6311</category><category>chrome</category><category>sandbox-escape</category><category>windows</category></item><item><title>Google Chrome GPU Out-of-Bounds Write Vulnerability (CVE-2026-6314)</title><link>https://feed.craftedsignal.io/briefs/2026-04-chrome-gpu-oob-write/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chrome-gpu-oob-write/</guid><description>Google Chrome versions prior to 147.0.7727.101 are vulnerable to an out-of-bounds write in the GPU process (CVE-2026-6314), allowing a remote attacker with GPU process compromise to potentially perform a sandbox escape via a crafted HTML page.</description><content:encoded><![CDATA[<p>CVE-2026-6314 is a security vulnerability affecting Google Chrome versions prior to 147.0.7727.101. The vulnerability resides within the GPU process and is classified as an out-of-bounds write. Successful exploitation could allow a remote attacker who has already compromised the GPU process to perform a sandbox escape, potentially gaining broader system access. The vulnerability can be triggered by a crafted HTML page. The Chromium security team has rated this vulnerability as High severity. This vulnerability was patched in the 147.0.7727.101 release.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious HTML page designed to trigger the out-of-bounds write in the GPU process.</li>
<li>The victim visits the malicious HTML page using a vulnerable version of Google Chrome.</li>
<li>The HTML page leverages JavaScript to initiate a GPU-related operation that triggers the vulnerable code path.</li>
<li>The GPU process attempts to write data outside of the intended memory buffer due to a flaw in the code.</li>
<li>This out-of-bounds write corrupts memory within the GPU process.</li>
<li>The attacker leverages the memory corruption to overwrite critical data structures or code within the GPU process.</li>
<li>By manipulating the GPU process&rsquo;s memory, the attacker attempts to escape the Chrome sandbox.</li>
<li>If successful, the attacker gains the ability to execute arbitrary code outside the sandbox, potentially compromising the user&rsquo;s system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6314 allows an attacker to escape the Chrome sandbox. This allows the attacker to potentially execute arbitrary code on the victim&rsquo;s machine. While the exact number of victims is unknown, all users of Google Chrome versions prior to 147.0.7727.101 are potentially vulnerable. A successful sandbox escape could lead to data theft, malware installation, or other malicious activities, depending on the privileges of the compromised user.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6314.</li>
<li>Deploy the Sigma rule <code>Detect Chrome GPU Process Crash</code> to identify potential exploitation attempts based on abnormal process termination.</li>
<li>Monitor web server logs for requests to suspicious HTML pages (cs-uri-query, cs-uri-stem) that could be used to deliver the exploit.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>chrome</category><category>gpu</category><category>oob-write</category><category>sandbox-escape</category></item><item><title>Google Chrome Dawn Use-After-Free Vulnerability (CVE-2026-6310)</title><link>https://feed.craftedsignal.io/briefs/2026-04-chrome-dawn-uaf/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chrome-dawn-uaf/</guid><description>A use-after-free vulnerability (CVE-2026-6310) in Google Chrome's Dawn component allows a remote attacker, having compromised the renderer process, to potentially execute a sandbox escape via a specially crafted HTML page.</description><content:encoded><![CDATA[<p>CVE-2026-6310 is a high-severity vulnerability affecting Google Chrome versions prior to 147.0.7727.101. The vulnerability lies within the Dawn component, a library used for interacting with the WebGPU API. An attacker who has already compromised the Chrome renderer process can exploit this use-after-free vulnerability to potentially escape the Chrome sandbox. Successful exploitation requires the attacker to craft a malicious HTML page that triggers the vulnerability in Dawn, enabling them to execute arbitrary code outside the confines of the renderer process and potentially gain control of the user&rsquo;s system. This poses a significant risk to users browsing untrusted websites.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious HTML page specifically designed to trigger the use-after-free vulnerability in the Dawn component of Google Chrome.</li>
<li>The victim visits the malicious HTML page via a compromised website, a phishing link, or other social engineering techniques.</li>
<li>The HTML page leverages the WebGPU API to interact with the Dawn component.</li>
<li>The malicious code manipulates memory in a way that leads to a use-after-free condition within Dawn.</li>
<li>The attacker exploits the use-after-free vulnerability to overwrite memory and gain control of program execution.</li>
<li>The attacker leverages the compromised renderer process to attempt a sandbox escape.</li>
<li>If successful, the attacker can execute arbitrary code outside the Chrome sandbox.</li>
<li>The attacker can then install malware, steal sensitive data, or perform other malicious actions on the victim&rsquo;s system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6310 allows an attacker to escape the Chrome sandbox, a security mechanism designed to isolate web content from the rest of the system. This could lead to arbitrary code execution on the victim&rsquo;s machine, potentially allowing the attacker to install malware, steal sensitive information, or perform other malicious activities. Given Chrome&rsquo;s widespread use, a successful exploit could impact a large number of users across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6310.</li>
<li>Implement a network detection rule to identify potentially malicious HTML pages that exploit WebGPU and trigger the use-after-free condition.</li>
<li>Monitor process creation events for unusual processes spawned by chrome.exe after the renderer process is compromised, as this may indicate a sandbox escape.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-6310</category><category>use-after-free</category><category>sandbox escape</category><category>google chrome</category></item><item><title>Luanti LuaJIT Sandbox Escape (CVE-2026-40959)</title><link>https://feed.craftedsignal.io/briefs/2026-04-luanti-sandbox-escape/</link><pubDate>Thu, 16 Apr 2026 01:16:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-luanti-sandbox-escape/</guid><description>Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-40959 describes a critical vulnerability in Luanti 5, specifically in versions prior to 5.15.2, when used with LuaJIT. The vulnerability allows a malicious actor to escape the Lua sandbox environment by exploiting a crafted &ldquo;mod.&rdquo; This escape could lead to unauthorized access and control over the system, potentially allowing for arbitrary code execution outside of the intended sandbox. The vulnerability was reported to MITRE and assigned a CVSS v3.1 score of 9.3, indicating a critical severity. This vulnerability poses a significant threat to systems relying on Luanti for sandboxed Lua execution.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious Lua &ldquo;mod&rdquo; specifically designed to exploit the sandbox escape vulnerability in Luanti.</li>
<li>The malicious mod leverages weaknesses in the LuaJIT implementation within Luanti to bypass sandbox restrictions.</li>
<li>The crafted mod is loaded into a vulnerable Luanti 5 instance.</li>
<li>Upon execution of the malicious mod, the attacker gains the ability to execute arbitrary Lua code outside the intended sandbox.</li>
<li>The attacker can then utilize this escaped context to interact with the underlying operating system.</li>
<li>Using OS-level access, the attacker escalates privileges further.</li>
<li>The attacker installs persistent backdoors or other malicious software.</li>
<li>Finally, the attacker achieves complete system compromise, exfiltrates sensitive data, or causes other damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40959 could lead to a complete compromise of systems utilizing vulnerable versions of Luanti 5 with LuaJIT. An attacker could gain unauthorized access to sensitive data, install malware, or disrupt critical services. Given the critical CVSS score of 9.3, the potential impact is high, especially in environments where Luanti is used to sandbox untrusted Lua code. The number of potential victims depends on the adoption rate of Luanti 5 and the prevalence of LuaJIT usage within those installations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Luanti to version 5.15.2 or later to patch CVE-2026-40959.</li>
<li>Monitor for the loading of unsigned or untrusted Lua mods within Luanti environments (see process_creation rule below).</li>
<li>Inspect Lua mods for suspicious code patterns indicative of sandbox escape attempts (develop custom rules based on the specific LuaJIT weaknesses exploited).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sandbox-escape</category><category>luanti</category><category>luajit</category><category>cve-2026-40959</category></item><item><title>Google Chrome Proxy Use-After-Free Vulnerability (CVE-2026-6297)</title><link>https://feed.craftedsignal.io/briefs/2026-04-chrome-use-after-free/</link><pubDate>Wed, 15 Apr 2026 20:16:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chrome-use-after-free/</guid><description>CVE-2026-6297 is a critical use-after-free vulnerability in the Proxy component of Google Chrome before version 147.0.7727.101, enabling a privileged network attacker to potentially achieve sandbox escape via a crafted HTML page.</description><content:encoded><![CDATA[<p>CVE-2026-6297 is a critical security flaw affecting Google Chrome users. The vulnerability, a use-after-free issue within the Proxy component, exists in versions prior to 147.0.7727.101. Successfully exploiting this vulnerability would allow an attacker positioned in a privileged network location to potentially break out of Chrome&rsquo;s sandbox. The attack vector involves a specially crafted HTML page delivered to the victim. This is a critical vulnerability because a successful exploit could lead to arbitrary code execution within the context of the user running Chrome, potentially leading to data theft, system compromise, or further lateral movement within a network.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains a privileged network position, such as through ARP poisoning or DNS spoofing.</li>
<li>The victim user browses to a website or is redirected to a website controlled by the attacker.</li>
<li>The attacker injects a malicious HTML page into the victim&rsquo;s browser session.</li>
<li>The malicious HTML page leverages JavaScript to trigger the use-after-free vulnerability in Chrome&rsquo;s Proxy component.</li>
<li>The use-after-free condition allows the attacker to corrupt memory within the Chrome process.</li>
<li>By carefully crafting the memory corruption, the attacker gains control of program execution.</li>
<li>The attacker executes arbitrary code within the Chrome sandbox.</li>
<li>The attacker leverages the initial code execution within the sandbox to attempt a sandbox escape and gain access to the underlying operating system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6297 allows an attacker in a privileged network position to perform a sandbox escape. This can lead to arbitrary code execution on the user&rsquo;s machine, potentially compromising sensitive data, allowing for further exploitation of the system, and enabling lateral movement within the network. Due to the widespread use of Chrome, this vulnerability has the potential to affect a large number of users across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6297.</li>
<li>Deploy the Sigma rule &ldquo;Detect Chrome Sandbox Escape via Crafted HTML&rdquo; to identify potential exploitation attempts within your environment.</li>
<li>Monitor network traffic for signs of ARP poisoning or DNS spoofing, which are common prerequisites for exploiting vulnerabilities like CVE-2026-6297.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>use-after-free</category><category>chrome</category><category>sandbox escape</category></item><item><title>NocoBase plugin-workflow-javascript Sandbox Escape Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-nocobase-rce/</link><pubDate>Tue, 14 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-nocobase-rce/</guid><description>A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.</description><content:encoded><![CDATA[<p>A critical security flaw, identified as CVE-2026-6224, affects NocoBase plugin-workflow-javascript versions up to 2.0.23. This vulnerability resides in the <code>createSafeConsole</code> function within the <code>packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js</code> file. By manipulating this function, an attacker can escape the intended sandbox environment. Publicly available exploits exist, increasing the risk of active exploitation. This vulnerability allows for remote, unauthenticated exploitation, making it a significant threat to systems running the affected NocoBase plugin. The vendor has not responded to vulnerability disclosure attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a malicious request to the NocoBase server targeting the <code>plugin-workflow-javascript</code> component.</li>
<li>The request is processed by the vulnerable <code>createSafeConsole</code> function within <code>Vm.js</code>.</li>
<li>The attacker leverages the identified manipulation technique to bypass the intended sandbox restrictions.</li>
<li>The attacker gains unauthorized access to the underlying server environment.</li>
<li>The attacker injects and executes arbitrary JavaScript code within the server context.</li>
<li>The attacker escalates privileges to gain further control of the system.</li>
<li>The attacker establishes persistence by creating new user accounts or modifying system configurations.</li>
<li>The attacker achieves arbitrary code execution on the server, leading to potential data theft, system compromise, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6224 can lead to complete compromise of the NocoBase server. An attacker can gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt normal operations. Given the nature of NocoBase as a data management platform, the impact could include widespread data breaches and significant reputational damage. Because exploits are publicly available, organizations using vulnerable versions of the plugin are at immediate risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade NocoBase plugin-workflow-javascript to a patched version beyond 2.0.23 to remediate CVE-2026-6224.</li>
<li>Deploy the provided Sigma rule <code>Detect Suspicious NocoBase Workflow JavaScript Activity</code> to identify potential exploitation attempts targeting the <code>createSafeConsole</code> function.</li>
<li>Monitor web server logs for suspicious requests targeting the <code>/packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js</code> path.</li>
<li>Implement strict input validation and sanitization measures to prevent malicious code injection.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>nocobase</category><category>rce</category><category>sandbox-escape</category><category>cve-2026-6224</category></item><item><title>Wasmtime Winch Compiler Aarch64 Sandbox Escape Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-wasmtime-sandbox-escape/</link><pubDate>Sat, 11 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wasmtime-sandbox-escape/</guid><description>A sandbox escape vulnerability exists in Wasmtime versions 25.0.0 to 36.0.7, 37.0.0 to 42.0.2, and version 43.0.0 when using the Winch compiler backend on aarch64 architecture, potentially allowing a Wasm guest to access host memory outside its sandbox, leading to denial of service, data leaks, or remote code execution.</description><content:encoded><![CDATA[<p>Wasmtime, a WebAssembly runtime, is vulnerable to a sandbox escape issue when using the Winch compiler backend on aarch64 architecture. This vulnerability, affecting versions 25.0.0 through 36.0.7, 37.0.0 through 42.0.2, and 43.0.0, stems from improper handling of memory offsets within the Winch compiler. The Winch compiler is not the default, requiring the <code>-Ccompiler=winch</code> flag to activate it. A malicious or compromised Wasm guest could exploit this flaw to access host memory outside of its designated linear memory region. Successful exploitation could lead to denial of service, sensitive data leaks from the host process, or, with write access, potentially arbitrary remote code execution on the host system. Defenders should prioritize patching or switching to the Cranelift compiler backend to mitigate this critical vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious WebAssembly module specifically designed to exploit the memory offset vulnerability in the Winch compiler.</li>
<li>The attacker deploys the malicious Wasm module to a system running a vulnerable version of Wasmtime using the Winch compiler backend (<code>-Ccompiler=winch</code>).</li>
<li>The vulnerable Wasmtime instance loads and compiles the malicious Wasm module using the Winch compiler.</li>
<li>Due to the flawed memory offset calculation within Winch, the Wasm module is able to access memory addresses outside of its allocated linear memory region.</li>
<li>The Wasm module reads sensitive data from the host process&rsquo;s memory space, such as configuration files, API keys, or other confidential information.</li>
<li>Alternatively, the Wasm module attempts to write arbitrary data to the host process&rsquo;s memory space, potentially overwriting critical system data or injecting malicious code.</li>
<li>Successful memory corruption leads to a denial-of-service condition, a data leak, or potentially arbitrary code execution within the context of the host process.</li>
<li>The attacker leverages the compromised host process to further compromise the system or network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a malicious Wasm guest to escape its sandbox and access the host system&rsquo;s memory. This can result in a denial of service, where the host process crashes due to memory corruption. More critically, it can lead to the exfiltration of sensitive data from the host process, potentially exposing confidential information. In the worst-case scenario, the attacker could achieve arbitrary code execution on the host system, leading to a complete system compromise. The number of potential victims depends on the adoption rate of Wasmtime with the Winch compiler enabled in production environments, but given the severity of the potential impact, any vulnerable instance represents a significant risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Wasmtime version 43.0.1, 42.0.2, or 36.0.7 to patch CVE-2026-34987.</li>
<li>If upgrading is not immediately feasible, switch to the Cranelift compiler backend by removing the <code>-Ccompiler=winch</code> flag from the Wasmtime execution command.</li>
<li>Monitor Wasmtime deployments for unexpected crashes or memory access violations that may indicate exploitation attempts. While no specific IOCs are provided, unusual process behavior from Wasmtime should be investigated.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wasmtime</category><category>sandbox-escape</category><category>memory-corruption</category><category>aarch64</category></item><item><title>SandboxJS Integrity Escape Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-sandboxjs-escape/</link><pubDate>Fri, 03 Apr 2026 21:44:39 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-sandboxjs-escape/</guid><description>A sandbox integrity escape vulnerability exists in SandboxJS versions prior to 0.8.36, allowing untrusted code to bypass global write protections and mutate host shared global objects, potentially leading to cross-context persistence and broader compromise.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in SandboxJS versions prior to 0.8.36, a JavaScript sandbox library. This vulnerability allows malicious or untrusted JavaScript code executed within the sandbox to escape the sandbox and modify global objects in the host environment. The bypass is achieved through an exposed callable constructor path: <code>this.constructor.call(target, attackerObject)</code>, allowing attackers to circumvent intended protections against direct assignment to global objects. This can lead to persistent modifications of host runtime state and cross-context contamination. Successful exploitation could allow attackers to compromise other requests, tenants, or subsequent sandbox runs within the same process, potentially leading to control-flow hijack in application logic that assumes trusted built-in behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker injects JavaScript code into the SandboxJS environment.</li>
<li>The injected code gains access to the <code>SandboxGlobal</code> constructor via <code>this.constructor</code>.</li>
<li>The attacker leverages <code>Function.prototype.call</code> to invoke the <code>SandboxGlobal</code> constructor with a target global object (e.g., <code>Math</code>, <code>JSON</code>) and a payload object containing properties to overwrite.</li>
<li>The <code>SandboxGlobal</code> constructor copies properties from the attacker-controlled payload object into the specified global object in the host environment, bypassing the intended write-time checks.</li>
<li>The host environment&rsquo;s global object is modified with attacker-supplied values.</li>
<li>Subsequent executions of SandboxJS instances within the same process now operate with the tainted global object.</li>
<li>If the host application relies on the integrity of the mutated global objects, the attacker can hijack control flow.</li>
<li>The attacker achieves code execution in the host environment due to the modified global state.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows untrusted code to escape the SandboxJS sandbox and directly manipulate the host environment&rsquo;s global objects. This can lead to a variety of impacts, including persistent cross-context contamination, where new sandbox instances are initialized with a tainted state. The modification of critical global objects can lead to unpredictable behavior and, in certain scenarios, enable complete control-flow hijack of the host application. The severity of the impact is considered critical due to the potential for widespread and persistent compromise. Affected versions: npm/@nyariv/sandboxjs (vulnerable: &lt; 0.8.36).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to SandboxJS version 0.8.36 or later to patch the vulnerability (Affected Packages).</li>
<li>Implement monitoring for unexpected modifications to global objects within the host environment where SandboxJS is deployed (see rule &ldquo;Detect SandboxJS Global Object Mutation via Constructor Call&rdquo;).</li>
<li>Consider implementing additional layers of defense, such as restricting the capabilities of the host environment where SandboxJS is running, to minimize the impact of a successful sandbox escape (see rule &ldquo;Detect SandboxJS Constructor Call to Global Objects&rdquo;).</li>
<li>Review host application code that relies on global objects and consider implementing validation checks to ensure their integrity (see CVE-2026-34208).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sandbox-escape</category><category>javascript</category><category>vulnerability</category></item><item><title>OpenClaw TOCTOU Race Condition Leads to Sandbox Escape</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-escape/</link><pubDate>Fri, 03 Apr 2026 03:15:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-escape/</guid><description>A critical time-of-check time-of-use (TOCTOU) vulnerability in OpenClaw's remote file system bridge allows a sandbox escape by exploiting the delay between path validation and file reading, affecting versions up to 2026.3.28.</description><content:encoded><![CDATA[<p>OpenClaw versions up to and including 2026.3.28 contain a critical vulnerability related to how they handle remote file system operations within a sandboxed environment. Specifically, the <code>readFile</code> function in the remote file system bridge is susceptible to a Time-of-Check Time-of-Use (TOCTOU) race condition. This means that the application verifies the path of a file before reading it, but an attacker can potentially modify the file path in between the check and the read operation. The vulnerability was reported by AntAISecurityLab and patched in version 2026.3.31. Successful exploitation allows attackers to escape the sandbox, potentially leading to arbitrary code execution on the host system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a request to the OpenClaw application, specifying a file path within the allowed sandbox.</li>
<li>OpenClaw&rsquo;s <code>readFile</code> function receives the request and validates that the requested path is within the allowed sandbox.</li>
<li>After the path is validated, but before the file is read, the attacker leverages a race condition to modify the file path. This could be achieved by symlink replacement or other file system manipulation techniques.</li>
<li>The <code>readFile</code> function now attempts to read the file from the modified path, which could point to a location outside the intended sandbox.</li>
<li>The file from the attacker-controlled path is read, bypassing the initial security check.</li>
<li>OpenClaw processes the content of the file, potentially executing malicious code or leaking sensitive information, depending on the file&rsquo;s contents and the application&rsquo;s handling of it.</li>
<li>The attacker successfully escapes the sandbox, gaining unauthorized access to the host system&rsquo;s resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this TOCTOU vulnerability allows an attacker to bypass the intended security restrictions of the OpenClaw sandbox. This can lead to arbitrary code execution on the host system, potentially allowing the attacker to install malware, steal sensitive data, or pivot to other systems on the network. While the specific number of affected installations is unknown, all deployments of OpenClaw versions 2026.3.28 or earlier are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.31 or later to patch the vulnerability as indicated in the advisory.</li>
<li>Deploy the provided Sigma rule to detect attempts to exploit this TOCTOU vulnerability by monitoring file access patterns.</li>
<li>Enable file integrity monitoring (FIM) on critical system files to detect unauthorized modifications that could indicate exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>openclaw</category><category>sandbox-escape</category><category>toctou</category></item><item><title>PraisonAI SubprocessSandbox Shell Escape via sh/bash</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-praisonai-sandbox-escape/</link><pubDate>Wed, 01 Apr 2026 23:26:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-praisonai-sandbox-escape/</guid><description>PraisonAI's SubprocessSandbox allows attackers to bypass command restrictions due to the use of `shell=True` in `subprocess.run()` combined with an insufficient blocklist that does not include `sh` or `bash`, enabling command execution via `sh -c '&lt;command&gt;'`.</description><content:encoded><![CDATA[<p>PraisonAI&rsquo;s <code>SubprocessSandbox</code>, even in STRICT mode, is vulnerable to a sandbox escape. The vulnerability arises from the use of <code>subprocess.run()</code> with <code>shell=True</code> in <code>sandbox_executor.py</code>, coupled with an insufficient blocklist that fails to include <code>sh</code> and <code>bash</code> as standalone executables. This oversight allows attackers to bypass the intended command restrictions by executing arbitrary commands through <code>sh -c '&lt;command&gt;'</code>.  Versions of PraisonAI up to 4.5.96 are affected. This means that any command blocked by the configured policy can be trivially executed, which could allow agent prompt injection attacks to lead to full system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious command to be executed within the PraisonAI environment.</li>
<li>The PraisonAI application receives the crafted command and attempts to execute it within the <code>SubprocessSandbox</code>.</li>
<li>The <code>SubprocessSandbox</code> uses <code>subprocess.run()</code> with <code>shell=True</code> to execute the provided command.</li>
<li>The blocklist in <code>sandbox_executor.py</code> fails to block the <code>sh</code> or <code>bash</code> commands themselves.</li>
<li>The attacker injects shell commands via <code>sh -c '&lt;blocked_command&gt;'</code>, bypassing the string-pattern matching intended to restrict execution.</li>
<li>The <code>sh</code> process executes the attacker&rsquo;s command within the sandbox&rsquo;s context, bypassing the intended security restrictions.</li>
<li>The attacker gains unauthorized access to resources such as network connections, the filesystem, or cloud metadata services.</li>
<li>The attacker escalates privileges and potentially compromises the entire system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to bypass the intended security restrictions imposed by the PraisonAI <code>SubprocessSandbox</code>, even in its strictest configuration. This could lead to privilege escalation, unauthorized access to sensitive data, and the potential compromise of the entire system. Specifically, an attacker could leverage this escape to access network resources, manipulate the filesystem, or extract sensitive information from cloud metadata services. The lack of effective sandboxing could have severe consequences for environments relying on PraisonAI for secure execution of untrusted code.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the suggested fix of using <code>shlex.split()</code> and <code>shell=False</code> when calling <code>subprocess.run()</code> to prevent shell command injection (reference: suggested fix code block).</li>
<li>Upgrade PraisonAI to a version later than 4.5.96 to incorporate the patch for CVE-2026-34955 (reference: CVE-2026-34955).</li>
<li>Deploy the provided Sigma rule to detect the execution of <code>sh</code> or <code>bash</code> with the <code>-c</code> option, which is indicative of attempts to bypass command restrictions (reference: Sigma rule &ldquo;Detect sh/bash Command Execution with -c Option&rdquo;).</li>
<li>Implement a more comprehensive blocklist that includes <code>sh</code> and <code>bash</code> as standalone executables in addition to dangerous patterns (reference: <code>sandbox_executor.py:179</code>).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sandbox-escape</category><category>command-injection</category><category>praisonai</category></item><item><title>OpenClaw Session Sandbox Escape Vulnerability (CVE-2026-32918)</title><link>https://feed.craftedsignal.io/briefs/2026-03-openclaw-sandbox-escape/</link><pubDate>Sun, 29 Mar 2026 13:17:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-openclaw-sandbox-escape/</guid><description>OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool, allowing sandboxed subagents to access and modify session data outside their intended scope.</description><content:encoded><![CDATA[<p>CVE-2026-32918 affects OpenClaw versions prior to 2026.3.11. The vulnerability resides in the <code>session_status</code> tool, which is intended to manage sandboxed subagents. However, a flaw allows these sandboxed agents to bypass their intended restrictions and access session data belonging to parent or sibling sessions. An attacker can exploit this by supplying arbitrary <code>sessionKey</code> values, enabling them to read and modify sensitive session data, including persisted model overrides, far beyond the…</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openclaw</category><category>sandbox-escape</category><category>authorization</category></item><item><title>OpenClaw Sandbox Boundary Bypass Vulnerability (CVE-2026-32915)</title><link>https://feed.craftedsignal.io/briefs/2026-03-openclaw-sandbox-bypass/</link><pubDate>Sun, 29 Mar 2026 13:16:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-openclaw-sandbox-bypass/</guid><description>OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability that allows low-privilege leaf subagents to access the subagents control surface and execute commands with broader tool policies due to insufficient authorization checks, potentially leading to privilege escalation and unauthorized control of sibling processes.</description><content:encoded>&lt;p>CVE-2026-32915 describes a critical sandbox escape vulnerability affecting OpenClaw versions prior to 2026.3.11. The flaw resides in the insufficient authorization checks implemented on subagent control requests. A low-privilege sandboxed leaf worker can exploit this to bypass the intended sandbox boundaries and access the subagents control surface. This allows the attacker to resolve requests against the parent requester scope, instead of being limited to their own session tree. This…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sandbox-escape</category><category>privilege-escalation</category><category>cve-2026-32915</category></item><item><title>Mozilla Firefox and Thunderbird Canvas2D Use-After-Free Vulnerability (CVE-2026-4725)</title><link>https://feed.craftedsignal.io/briefs/2026-03-cve-2026-4725/</link><pubDate>Tue, 24 Mar 2026 13:16:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cve-2026-4725/</guid><description>A use-after-free vulnerability in the Canvas2D component of Mozilla Firefox and Thunderbird versions before 149 allows for a potential sandbox escape.</description><content:encoded><![CDATA[<p>CVE-2026-4725 is a critical use-after-free vulnerability impacting the Canvas2D graphics component in Mozilla Firefox and Thunderbird. Specifically, versions prior to 149 are affected. This vulnerability could allow an attacker to potentially escape the browser&rsquo;s or email client&rsquo;s sandbox. The vulnerability stems from improper memory management in the Canvas2D component, where freed memory is accessed again. Successful exploitation of this flaw could grant an attacker elevated privileges or the…</p>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>use-after-free</category><category>sandbox-escape</category><category>firefox</category><category>thunderbird</category></item><item><title>Mozilla Firefox and Thunderbird Use-After-Free Vulnerability (CVE-2026-4688)</title><link>https://feed.craftedsignal.io/briefs/2026-03-firefox-use-after-free/</link><pubDate>Tue, 24 Mar 2026 13:16:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-firefox-use-after-free/</guid><description>A use-after-free vulnerability in the Disability Access APIs component of Mozilla Firefox and Thunderbird (CVE-2026-4688) allows for sandbox escape, potentially leading to arbitrary code execution outside the sandbox.</description><content:encoded>&lt;p>CVE-2026-4688 is a critical use-after-free vulnerability residing within the Disability Access APIs component of Mozilla Firefox and Thunderbird. Discovered and reported by Mozilla, this flaw allows for a sandbox escape, meaning an attacker could potentially execute arbitrary code outside the security sandbox normally imposed by the browser or email client. This vulnerability affects Firefox versions prior to 149, Firefox ESR (Extended Support Release) versions prior to 140.9, Thunderbird…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>use-after-free</category><category>sandbox-escape</category><category>cve-2026-4688</category></item><item><title>Firefox and Thunderbird Sandbox Escape Vulnerability (CVE-2026-4687)</title><link>https://feed.craftedsignal.io/briefs/2026-03-firefox-sandbox-escape/</link><pubDate>Tue, 24 Mar 2026 13:16:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-firefox-sandbox-escape/</guid><description>CVE-2026-4687 is a sandbox escape vulnerability in Firefox and Thunderbird due to incorrect boundary conditions in the Telemetry component, potentially allowing an attacker to execute arbitrary code outside the sandbox.</description><content:encoded>&lt;p>CVE-2026-4687 is a critical sandbox escape vulnerability affecting Mozilla Firefox and Thunderbird. The vulnerability stems from incorrect boundary conditions within the Telemetry component. Specifically, Firefox versions prior to 149, Firefox ESR versions prior to 115.34 and 140.9, and Thunderbird versions prior to 149 and 140.9 are affected. Successful exploitation could allow an attacker to bypass the intended security restrictions of the sandbox environment and potentially execute arbitrary…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sandbox-escape</category><category>firefox</category><category>thunderbird</category><category>cve-2026-4687</category></item><item><title>CVE-2026-4690: Mozilla Firefox, Firefox ESR, and Thunderbird XPCOM Sandbox Escape</title><link>https://feed.craftedsignal.io/briefs/2024-01-cve-2026-4690-firefox-sandbox-escape/</link><pubDate>Tue, 24 Mar 2026 13:16:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cve-2026-4690-firefox-sandbox-escape/</guid><description>A sandbox escape vulnerability, identified as CVE-2026-4690, exists in the XPCOM component of Mozilla Firefox, Firefox ESR, and Thunderbird due to incorrect boundary conditions and an integer overflow, potentially allowing an attacker to execute arbitrary code outside the sandbox.</description><content:encoded>&lt;p>CVE-2026-4690 is a critical vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. The root cause lies in incorrect boundary conditions coupled with an integer overflow within the XPCOM component. Successful exploitation allows an attacker to bypass the sandbox protections, potentially leading to arbitrary code execution outside the confines of the browser&amp;rsquo;s security measures. The vulnerability impacts Firefox versions earlier than 149, Firefox ESR versions prior to 115.34 and…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sandbox escape</category><category>integer overflow</category><category>mozilla firefox</category><category>mozilla thunderbird</category><category>cve-2026-4690</category></item><item><title>Google Chrome Use-After-Free Vulnerability (CVE-2026-4676)</title><link>https://feed.craftedsignal.io/briefs/2026-03-chrome-uaf/</link><pubDate>Tue, 24 Mar 2026 01:17:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-chrome-uaf/</guid><description>A use-after-free vulnerability (CVE-2026-4676) in Google Chrome before 146.0.7680.165 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page.</description><content:encoded>&lt;p>CVE-2026-4676 is a use-after-free vulnerability affecting Google Chrome versions prior to 146.0.7680.165. This flaw resides within the Dawn component of Chrome and can be triggered by a remote attacker who crafts a malicious HTML page. Successful exploitation could lead to a sandbox escape, granting the attacker elevated privileges within the system. This vulnerability was patched in the March 23, 2026 stable channel update for desktop. The vulnerability affects users on Windows, Linux, and…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>use-after-free</category><category>sandbox-escape</category><category>chrome</category><category>cve-2026-4676</category></item><item><title>VM2 Sandbox Escape via __lookupGetter__ Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-vm2-sandbox-breakout/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-vm2-sandbox-breakout/</guid><description>VM2 is vulnerable to a sandbox breakout via the `__lookupGetter__` method, enabling attackers to execute arbitrary commands on the host system by exploiting context switching and property descriptor manipulation, leading to remote code execution.</description><content:encoded><![CDATA[<p>The vm2 library, a popular Node.js sandbox environment, is susceptible to a critical sandbox breakout vulnerability. This flaw allows malicious code executed within the vm2 sandbox to escape its confines and execute arbitrary commands on the host operating system. The vulnerability leverages the <code>__lookupGetter__</code> method to bypass context isolation and gain access to host-level functions and objects. Previous attempts to mitigate similar issues were circumvented using <code>Object.getOwnPropertyDescriptor</code> to access the constructor property. The vulnerability affects vm2 versions 3.10.4 and earlier. Exploitation allows an attacker to achieve remote code execution with the privileges of the Node.js process running the vm2 sandbox, which could lead to significant system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker injects malicious JavaScript code into the vm2 sandbox.</li>
<li>The injected code retrieves the <code>__lookupGetter__</code> method, which is used to access the getter of an object.</li>
<li>The malicious code obtains the <code>apply</code> method from the <code>Buffer</code> object within the sandbox.</li>
<li>The <code>apply</code> method is used to invoke the host version of <code>__lookupGetter__</code> with <code>Buffer</code> and <code>__proto__</code> as arguments, gaining access to the host&rsquo;s prototype lookup method.</li>
<li>The host&rsquo;s <code>Function.prototype</code> object is retrieved using the prototype lookup method.</li>
<li>The <code>constructor</code> property of the <code>Function.prototype</code> object is accessed using <code>Object.getOwnPropertyDescriptor</code> to bypass previous mitigation attempts.</li>
<li>The host <code>Function</code> constructor is used to create a new function that returns the <code>process</code> object, granting access to Node.js runtime functions on the host.</li>
<li>The code then uses <code>child_process.execSync</code> to execute arbitrary commands on the host system (e.g., <code>touch pwned</code>).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the host system. Given the critical nature of many applications that employ sandboxing, this can lead to complete system compromise, data exfiltration, and denial of service. The vulnerability affects vm2 versions up to and including 3.10.4. The impact includes remote code execution, potentially leading to sensitive data exposure, system takeover, or further lateral movement within a network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched vm2 release later than 3.10.4 to remediate CVE-2026-24118.</li>
<li>Implement strict input validation and sanitization to minimize the risk of malicious code injection into the vm2 sandbox.</li>
<li>Monitor process creation events on the host system for suspicious activity originating from Node.js processes, which may indicate a sandbox escape (see the process_creation Sigma rule below).</li>
<li>Monitor for the execution of commands such as <code>child_process.execSync</code> called from within vm2 sandboxes to detect potential exploitation attempts (see the <code>nodejs_child_process_exec</code> Sigma rule).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sandbox-escape</category><category>rce</category><category>vm2</category></item><item><title>OpenLearnX Remote Code Execution via Python Sandbox Escape</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-openlearnx-rce/</link><pubDate>Tue, 02 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-openlearnx-rce/</guid><description>A critical RCE vulnerability in OpenLearnX allows for sandbox escape and arbitrary command execution in versions prior to 2.0.3.</description><content:encoded><![CDATA[<p>A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-41900, has been identified in the OpenLearnX code execution environment. This vulnerability allows an attacker to escape the Python sandbox and execute arbitrary commands on the underlying system. The vulnerability affects OpenLearnX versions prior to 2.0.3. A patch has been released in version 2.0.3 to address this issue. This vulnerability allows attackers to potentially compromise the entire system hosting the OpenLearnX application, leading to data breaches, service disruption, or complete system takeover.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious payload designed to exploit the Python sandbox environment within OpenLearnX.</li>
<li>This payload is submitted to the OpenLearnX application through a vulnerable code execution endpoint.</li>
<li>The application processes the malicious payload, failing to properly neutralize special elements.</li>
<li>The crafted payload bypasses the sandbox restrictions, gaining unauthorized access to system resources.</li>
<li>The attacker leverages OS Command Injection (CWE-78) and Code Injection (CWE-94) to execute arbitrary commands.</li>
<li>These commands can be used to install malware, modify system configurations, or exfiltrate sensitive data.</li>
<li>The attacker gains elevated privileges due to the Execution with Unnecessary Privileges (CWE-250) vulnerability.</li>
<li>The ultimate objective is to gain complete control over the OpenLearnX server, potentially impacting all hosted applications and data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41900 allows for complete system compromise, leading to potential data breaches, service disruption, or complete system takeover. While specific victim counts are unavailable, the severity of the vulnerability and ease of exploitation make it a critical concern for any organization using affected versions of OpenLearnX. Successful exploitation could lead to unauthorized access to sensitive data, modification of system configurations, and the installation of malware.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenLearnX to version 2.0.3 or later to patch CVE-2026-41900.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious OpenLearnX Code Execution&rdquo; to your SIEM to detect potential exploitation attempts (see rule below).</li>
<li>Implement strict input validation and sanitization measures to prevent OS command injection and code injection attacks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rce</category><category>sandbox escape</category><category>code injection</category></item><item><title>OpenClaw Symlink Race Condition Allows Sandbox Escape</title><link>https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/</guid><description>A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.</description><content:encoded><![CDATA[<p>OpenClaw, a tool available via npm, contains a vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw does not properly validate the target of write operations against the mount root, leaving it susceptible to symlink-based redirection attacks. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious OpenClaw package or leverages an existing package.</li>
<li>The package contains a symlink within the intended sandbox directory.</li>
<li>The OpenClaw application attempts to write to a file via the symlink.</li>
<li>Between the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.</li>
<li>OpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.</li>
<li>This allows the attacker to overwrite or modify arbitrary files on the system.</li>
<li>The attacker leverages this capability to gain elevated privileges or compromise sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. The attacker could then overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).</li>
<li>Monitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule <code>Detect OpenClaw Sandbox Escape via Symlink</code> to detect potential exploitation attempts.</li>
<li>Implement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sandbox-escape</category><category>symlink</category><category>race-condition</category><category>npm</category></item></channel></rss>