CVE-2026-46695: Boxlite: read-only bypass enables host code execution

GHSA-g6ww-w5j2-r7x3 CRITICAL CISA: ATTEND
Published May 21, 2026
CISO Take

Boxlite's virtiofs read-only volume enforcement is fundamentally broken — malicious code inside the sandbox can remount any 'read-only' host directory as read-write using a single `mount -o remount,rw` command, because CAP_SYS_ADMIN is granted by default to all containers and the underlying hypervisor (libkrun) never enforces read-only at the device level. This hits directly at AI agent sandboxing use cases: user code, Python virtual environments, credentials, and configuration files are routinely mounted read-only into Boxlite containers, and any attacker who can submit code for execution — the intended use case — can now plant backdoors, modify packages for supply chain compromise, or steal credentials with zero user interaction. CVSS 10.0 critical with a public PoC and no workaround available; the only fix is upgrading all Boxlite SDKs (PyPI, npm, Go, crates.io) to version 0.9.0, which enforces read-only at the virtiofs device level via libkrun 1.18.0.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

Critical (CVSS 10.0, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). The exploit is a single deterministic shell command requiring no race conditions, special timing, or prior knowledge — squarely in script-kiddie territory once the advisory is public. CAP_SYS_ADMIN is granted by default to all Boxlite containers, making bypass reliable and universal. A working PoC is published in the advisory. Not yet in CISA KEV, but given that the attack vector (executing arbitrary code in a sandbox) is precisely the intended use case of Boxlite, every production deployment is inherently exposed. The scope change (S:C) in the CVSS vector confirms the sandbox trust boundary is completely defeated, elevating this beyond a typical container misconfiguration.

How does the attack unfold?

Initial Access
Adversary submits malicious code for execution in a Boxlite sandbox — the intended use case requires no elevated privileges beyond normal sandbox access, making this the zero-cost entry point.
AML.T0049
Sandbox Escape
Malicious code executes `mount -o remount,rw <mount_point>` using CAP_SYS_ADMIN (granted by default to all containers), bypassing guest-side MS_RDONLY enforcement and gaining full write access to host directories.
AML.T0105
Persistence Staging
Attacker overwrites files in mounted Python virtual environments, agent tool directories, or configuration files with backdoored versions that will execute with host-level privileges when invoked by the host-side agent process.
AML.T0010.001
Host Impact
Modified code executes on the host when the agent imports the poisoned package or reads the altered config, enabling credential exfiltration, reverse shell establishment, or downstream supply chain compromise of all consumers of the infected environment.
AML.T0048

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Boxlite npm < 0.9.0 0.9.0
2.1K Pushed 2d ago 50% patched ~21d to patch Full package profile →
Boxlite cargo < 0.9.0 0.9.0
2.1K Pushed 2d ago 100% patched ~21d to patch Full package profile →
Boxlite pip < 0.9.0 0.9.0
2.1K 4 dependents Pushed 2d ago 50% patched ~21d to patch Full package profile →
Boxlite cargo < 0.9.0 0.9.0
2.1K Pushed 2d ago 100% patched ~21d to patch Full package profile →
github.com/boxlite-ai/boxlite/sdks/go go < 0.9.0 0.9.0

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 21% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A None

What should I do?

5 steps
  1. IMMEDIATE — Upgrade all Boxlite SDK installations to 0.9.0 or later: PyPI pip install --upgrade boxlite, npm npm install @boxlite-ai/boxlite@latest, Go go get github.com/boxlite-ai/boxlite/sdks/go@v0.9.0, Rust cargo update -p boxlite. There is no workaround for pre-0.9.0 versions; the vulnerability is architectural.

  2. AUDIT — Identify all host directories currently mounted into Boxlite sandboxes, especially those containing code, credentials, virtual environments, or configuration files. Treat any such directory as potentially compromised if exposed to untrusted code while running a pre-0.9.0 version.

  3. ROTATE — If API keys, credentials, or tokens were accessible from mounted directories, rotate them immediately regardless of whether compromise is confirmed.

  4. DETECT — Deploy file integrity monitoring (FIM) on all directories previously mounted into Boxlite sandboxes; unexpected writes to those paths are a strong indicator of post-exploitation activity.

  5. VERIFY — After upgrading, replay the PoC remount command (mount -o remount,rw <mount_point>) from within a sandbox to confirm it now fails with EPERM.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE 2.2 - Risk responses for AI risks
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-46695?

Boxlite's virtiofs read-only volume enforcement is fundamentally broken — malicious code inside the sandbox can remount any 'read-only' host directory as read-write using a single `mount -o remount,rw` command, because CAP_SYS_ADMIN is granted by default to all containers and the underlying hypervisor (libkrun) never enforces read-only at the device level. This hits directly at AI agent sandboxing use cases: user code, Python virtual environments, credentials, and configuration files are routinely mounted read-only into Boxlite containers, and any attacker who can submit code for execution — the intended use case — can now plant backdoors, modify packages for supply chain compromise, or steal credentials with zero user interaction. CVSS 10.0 critical with a public PoC and no workaround available; the only fix is upgrading all Boxlite SDKs (PyPI, npm, Go, crates.io) to version 0.9.0, which enforces read-only at the virtiofs device level via libkrun 1.18.0.

Is CVE-2026-46695 actively exploited?

No confirmed active exploitation of CVE-2026-46695 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46695?

1. IMMEDIATE — Upgrade all Boxlite SDK installations to 0.9.0 or later: PyPI `pip install --upgrade boxlite`, npm `npm install @boxlite-ai/boxlite@latest`, Go `go get github.com/boxlite-ai/boxlite/sdks/go@v0.9.0`, Rust `cargo update -p boxlite`. There is no workaround for pre-0.9.0 versions; the vulnerability is architectural. 2. AUDIT — Identify all host directories currently mounted into Boxlite sandboxes, especially those containing code, credentials, virtual environments, or configuration files. Treat any such directory as potentially compromised if exposed to untrusted code while running a pre-0.9.0 version. 3. ROTATE — If API keys, credentials, or tokens were accessible from mounted directories, rotate them immediately regardless of whether compromise is confirmed. 4. DETECT — Deploy file integrity monitoring (FIM) on all directories previously mounted into Boxlite sandboxes; unexpected writes to those paths are a strong indicator of post-exploitation activity. 5. VERIFY — After upgrading, replay the PoC remount command (`mount -o remount,rw <mount_point>`) from within a sandbox to confirm it now fails with EPERM.

What systems are affected by CVE-2026-46695?

This vulnerability affects the following AI/ML architecture patterns: AI agent sandboxed code execution, multi-agent frameworks with isolated tool execution, AI coding assistants and notebook services, automated ML pipelines executing untrusted code, AI-powered code review and CI testing systems.

What is the CVSS score for CVE-2026-46695?

CVE-2026-46695 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

AI agent sandboxed code executionmulti-agent frameworks with isolated tool executionAI coding assistants and notebook servicesautomated ML pipelines executing untrusted codeAI-powered code review and CI testing systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.005 AI Agent Tool
AML.T0055 Unsecured Credentials
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0.

Exploitation Scenario

An adversary submits a seemingly benign Python data-processing script to an AI agent service backed by Boxlite. The script includes a background thread that executes `mount -o remount,rw /mnt/agent-env` — remounting the Python virtual environment directory that was passed as read-only into the sandbox. Using write access now obtained, the script replaces `requests/__init__.py` in the mounted venv with a backdoored version that exfiltrates the `OPENAI_API_KEY` environment variable and establishes a reverse shell on first import. When the host-side agent process next calls any HTTP-dependent tool (which imports `requests`), the backdoor executes with host-level privileges. The modification persists after the Boxlite container exits, affecting all future agent invocations that use the same venv. The entire attack requires no user interaction, no authentication beyond normal sandbox access, and completes silently in milliseconds.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Timeline

Published
May 21, 2026
Last Modified
June 11, 2026
First Seen
May 22, 2026

Related Vulnerabilities