CVE-2026-46703: Boxlite: OCI symlink traversal enables host RCE

CRITICAL
Published June 10, 2026
CISO Take

Boxlite, a sandbox service used to isolate untrusted OCI container workloads, fails to validate symlinks pointing to absolute paths during tar extraction, allowing an adversary to overwrite arbitrary files on the host and achieve full remote code execution. With a CVSS score of 9.6 and no privileges required, the supply chain delivery vector — publishing a malicious image to DockerHub and waiting for any user to pull it — means exploitation is passive and broadly scalable across any team using Boxlite for sandboxed AI agent execution, model evaluation, or code generation workflows. While no public exploit or CISA KEV listing exists yet, the symlink/tar-slip vulnerability class is mature and reliably weaponizable with moderate skill, making this a high-probability exploitation window before patches are widely deployed. Upgrade to v0.9.0 immediately, restrict image sources to signed and verified registries, and rotate credentials on any host that has run Boxlite with externally sourced images.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Critical. CVSS 9.6 with network vector, low complexity, no privileges required, and scope change (S:C) confirms host-level blast radius beyond the container boundary. The vulnerability class — CWE-22 path traversal via symlinks in OCI tar extraction — is well-documented and has known weaponization patterns in the container security community. The supply chain delivery mechanism via public registries amplifies reach: a single malicious image on DockerHub can passively compromise any downstream host. AI/ML teams are disproportionately exposed because they routinely pull external images to run models, agents, or evaluation harnesses under the false assumption that container sandboxing provides host isolation.

How does the attack unfold?

1. Supply Chain Staging (AML.T0010.004)
   Adversary crafts a malicious OCI image containing tar entries with symlinks resolving to absolute host paths and publishes it to a public registry under a convincing name.

2. User Execution (AML.T0011)
   An engineer or automated pipeline loads the malicious image into Boxlite to execute an AI workload, triggering tar extraction without symlink path validation.

3. Container Escape (AML.T0105)
   Boxlite follows the symlink during extraction and writes attacker-controlled content to an arbitrary absolute path on the host filesystem, such as a cron directory or SSH configuration.

4. Host Compromise (AML.T0072)
   Attacker achieves persistent RCE on the host with full access to AI model weights, API credentials, training data, and all co-tenant workloads running on the same infrastructure.

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
Boxlite    npm                              No patch

Do you use Boxlite? You're affected.

How severe is it?

CVSS 3.1
9.6 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. Upgrade Boxlite to v0.9.0 immediately — the only complete remediation.

  2. Restrict image pulls to verified, signed registries using Cosign/Sigstore; block public registry access in production pipelines.

  3. Pre-load scan OCI image tar archives for symlink entries resolving to absolute paths using Syft, Grype, or custom tar inspection scripts.

  4. Monitor container overlay filesystems for write activity targeting paths outside expected container boundaries (auditd, Falco).

  5. Rotate all credentials and secrets stored on hosts that have run Boxlite with externally sourced images since the last known-good state.

  6. Audit image pull history and treat unrecognized or recently added images as potentially malicious pending investigation.
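The custom tar inspection that step 3 calls for, as an added example that is not Boxlite's own code: it scans an OCI layer tarball for the extraction hazards the attack chain above relies on (entry names that traverse outside the root, symlinks whose target is absolute or otherwise leaves the root, and entries written through an earlier symlink). The extraction root /rootfs and the sample layer are constructed assumptions; absolute link targets are flagged unconditionally because the vulnerable extractor treats them as host paths.

```python
import io
import posixpath
import tarfile

ROOT = "/rootfs"  # assumed: directory where the sandbox unpacks the layer (constructed)


def _inside(root, path):
    return path == root or path.startswith(root + "/")


def find_unsafe_entries(tar_bytes, root=ROOT):
    """Return (entry name, reason) for every tar entry that would escape root on extraction."""
    findings, links = [], {}  # links: destination path of a symlink -> its resolved target
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            dest = posixpath.normpath(posixpath.join(root, m.name))
            if not _inside(root, dest):
                findings.append((m.name, "name traverses outside root"))
                continue
            parent = posixpath.dirname(dest)  # walk ancestors: an earlier symlink redirects this write
            while len(parent) > len(root):
                if parent in links:
                    findings.append((m.name, "written through symlink %s -> %s" % (parent, links[parent])))
                    break
                parent = posixpath.dirname(parent)
            if m.issym():
                base = posixpath.dirname(dest)
                target = posixpath.normpath(m.linkname if posixpath.isabs(m.linkname)
                                            else posixpath.join(base, m.linkname))
                if not _inside(root, target):  # absolute or ../ targets land on the host
                    findings.append((m.name, "symlink escapes root: " + m.linkname))
                links[dest] = target
    return findings


def build_layer(entries):
    """Constructed layer tar: (name, data) adds a file, (name, None, linkname) adds a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data, *link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link[0]
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a benign file and relative link, then the symlink-to-absolute-path pattern.
SAMPLE_LAYER = build_layer([("app/run.sh", b"#!/bin/sh\necho ok\n"), ("app/current", None, "run.sh"),
                            ("cron", None, "/etc/cron.d"), ("cron/job", b"placeholder content\n")])
```

Run before loading an image and reject any layer that returns findings; relative links that stay inside the root (for example usr/bin/sh -> ../../bin/sh) pass.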

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1.3 - AI system risk management
NIST AI RMF
GOVERN 6.2 - Policies for third-party AI risk
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2026-46703 actively exploited?

No confirmed active exploitation of CVE-2026-46703 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-46703?

This vulnerability affects the following AI/ML architecture patterns: sandboxed code execution environments, AI agent frameworks, model evaluation pipelines, containerized training pipelines, multi-tenant inference environments.

What is the CVSS score for CVE-2026-46703?

CVE-2026-46703 has a CVSS v3.1 base score of 9.6 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

sandboxed code execution environments
AI agent frameworks
model evaluation pipelines
containerized training pipelines
multi-tenant inference environments

MITRE ATLAS Techniques

AML.T0010.004 Container Registry
AML.T0011 User Execution
AML.T0074 Masquerading
AML.T0079 Stage Capabilities
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.

Exploitation Scenario

An adversary publishes a maliciously crafted OCI image to DockerHub disguised as a GPU-optimized AI inference runtime or agent execution environment. An AI engineer or automated CI/CD pipeline loads this image into Boxlite to run model evaluation or an agentic task. During image extraction, Boxlite processes a tar entry that is a symlink resolving to an absolute host path such as /etc/cron.d/backdoor. Without symlink validation, Boxlite follows the link and writes the adversary's cron payload directly to the host filesystem. The cron daemon executes the payload within the next scheduled interval, establishing a reverse shell or persistent implant with host-level privileges — granting full access to model weights, API keys, database credentials, and all co-tenant workloads on the same host.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published
June 10, 2026
Last Modified
June 10, 2026
First Seen
June 10, 2026

Related Vulnerabilities