CVE-2026-46695: Boxlite: read-only bypass enables host code execution
GHSA-g6ww-w5j2-r7x3 CRITICAL CISA: ATTENDBoxlite's virtiofs read-only volume enforcement is fundamentally broken — malicious code inside the sandbox can remount any 'read-only' host directory as read-write using a single `mount -o remount,rw` command, because CAP_SYS_ADMIN is granted by default to all containers and the underlying hypervisor (libkrun) never enforces read-only at the device level. This hits directly at AI agent sandboxing use cases: user code, Python virtual environments, credentials, and configuration files are routinely mounted read-only into Boxlite containers, and any attacker who can submit code for execution — the intended use case — can now plant backdoors, modify packages for supply chain compromise, or steal credentials with zero user interaction. CVSS 10.0 critical with a public PoC and no workaround available; the only fix is upgrading all Boxlite SDKs (PyPI, npm, Go, crates.io) to version 0.9.0, which enforces read-only at the virtiofs device level via libkrun 1.18.0.
What is the risk?
Critical (CVSS 10.0, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). The exploit is a single deterministic shell command requiring no race conditions, special timing, or prior knowledge — squarely in script-kiddie territory once the advisory is public. CAP_SYS_ADMIN is granted by default to all Boxlite containers, making bypass reliable and universal. A working PoC is published in the advisory. Not yet in CISA KEV, but given that the attack vector (executing arbitrary code in a sandbox) is precisely the intended use case of Boxlite, every production deployment is inherently exposed. The scope change (S:C) in the CVSS vector confirms the sandbox trust boundary is completely defeated, elevating this beyond a typical container misconfiguration.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Boxlite | npm | < 0.9.0 | 0.9.0 |
| Boxlite | cargo | < 0.9.0 | 0.9.0 |
| Boxlite | pip | < 0.9.0 | 0.9.0 |
| Boxlite | cargo | < 0.9.0 | 0.9.0 |
| github.com/boxlite-ai/boxlite/sdks/go | go | < 0.9.0 | 0.9.0 |
How severe is it?
What is the attack surface?
What should I do?
5 steps-
IMMEDIATE — Upgrade all Boxlite SDK installations to 0.9.0 or later: PyPI
pip install --upgrade boxlite, npmnpm install @boxlite-ai/boxlite@latest, Gogo get github.com/boxlite-ai/boxlite/sdks/go@v0.9.0, Rustcargo update -p boxlite. There is no workaround for pre-0.9.0 versions; the vulnerability is architectural. -
AUDIT — Identify all host directories currently mounted into Boxlite sandboxes, especially those containing code, credentials, virtual environments, or configuration files. Treat any such directory as potentially compromised if exposed to untrusted code while running a pre-0.9.0 version.
-
ROTATE — If API keys, credentials, or tokens were accessible from mounted directories, rotate them immediately regardless of whether compromise is confirmed.
-
DETECT — Deploy file integrity monitoring (FIM) on all directories previously mounted into Boxlite sandboxes; unexpected writes to those paths are a strong indicator of post-exploitation activity.
-
VERIFY — After upgrading, replay the PoC remount command (
mount -o remount,rw <mount_point>) from within a sandbox to confirm it now fails with EPERM.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-46695?
Boxlite's virtiofs read-only volume enforcement is fundamentally broken — malicious code inside the sandbox can remount any 'read-only' host directory as read-write using a single `mount -o remount,rw` command, because CAP_SYS_ADMIN is granted by default to all containers and the underlying hypervisor (libkrun) never enforces read-only at the device level. This hits directly at AI agent sandboxing use cases: user code, Python virtual environments, credentials, and configuration files are routinely mounted read-only into Boxlite containers, and any attacker who can submit code for execution — the intended use case — can now plant backdoors, modify packages for supply chain compromise, or steal credentials with zero user interaction. CVSS 10.0 critical with a public PoC and no workaround available; the only fix is upgrading all Boxlite SDKs (PyPI, npm, Go, crates.io) to version 0.9.0, which enforces read-only at the virtiofs device level via libkrun 1.18.0.
Is CVE-2026-46695 actively exploited?
No confirmed active exploitation of CVE-2026-46695 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-46695?
1. IMMEDIATE — Upgrade all Boxlite SDK installations to 0.9.0 or later: PyPI `pip install --upgrade boxlite`, npm `npm install @boxlite-ai/boxlite@latest`, Go `go get github.com/boxlite-ai/boxlite/sdks/go@v0.9.0`, Rust `cargo update -p boxlite`. There is no workaround for pre-0.9.0 versions; the vulnerability is architectural. 2. AUDIT — Identify all host directories currently mounted into Boxlite sandboxes, especially those containing code, credentials, virtual environments, or configuration files. Treat any such directory as potentially compromised if exposed to untrusted code while running a pre-0.9.0 version. 3. ROTATE — If API keys, credentials, or tokens were accessible from mounted directories, rotate them immediately regardless of whether compromise is confirmed. 4. DETECT — Deploy file integrity monitoring (FIM) on all directories previously mounted into Boxlite sandboxes; unexpected writes to those paths are a strong indicator of post-exploitation activity. 5. VERIFY — After upgrading, replay the PoC remount command (`mount -o remount,rw <mount_point>`) from within a sandbox to confirm it now fails with EPERM.
What systems are affected by CVE-2026-46695?
This vulnerability affects the following AI/ML architecture patterns: AI agent sandboxed code execution, multi-agent frameworks with isolated tool execution, AI coding assistants and notebook services, automated ML pipelines executing untrusted code, AI-powered code review and CI testing systems.
What is the CVSS score for CVE-2026-46695?
CVE-2026-46695 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.29%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0010.005 AI Agent Tool AML.T0055 Unsecured Credentials AML.T0105 Escape to Host Compliance Controls Affected
What are the technical details?
Original Advisory
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0.
Exploitation Scenario
An adversary submits a seemingly benign Python data-processing script to an AI agent service backed by Boxlite. The script includes a background thread that executes `mount -o remount,rw /mnt/agent-env` — remounting the Python virtual environment directory that was passed as read-only into the sandbox. Using write access now obtained, the script replaces `requests/__init__.py` in the mounted venv with a backdoored version that exfiltrates the `OPENAI_API_KEY` environment variable and establishes a reverse shell on first import. When the host-side agent process next calls any HTTP-dependent tool (which imports `requests`), the backdoor executes with host-level privileges. The modification persists after the Boxlite container exits, affecting all future agent invocations that use the same venv. The entire attack requires no user interaction, no authentication beyond normal sandbox access, and completes silently in milliseconds.
Weaknesses (CWE)
CWE-284 Improper Access Control
Primary
CWE-284 Improper Access Control
Primary
CWE-284 Improper Access Control CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Supply Chain CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Supply Chain CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Data Leakage CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Data Leakage CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Code Execution