AML.T0105

Escape to Host

Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment. There are many ways an adversary may escape from a container or sandbox environment via AI Systems. For example, modifying an AI Agent's configuration to disable safety features or user confirmations could allow the adversary to invoke tools to be run on host environments rather than in the sandbox.

58 CVEs mapped View on MITRE ATLAS →

Severity	CVE	Headline	Package	CVSS
CRITICAL	CVE-2026-39888	praisonaiagents: sandbox escape enables host RCE	praisonaiagents	10.0
CRITICAL	CVE-2026-34938	praisonaiagents: sandbox bypass enables full host RCE	praisonaiagents	10.0
CRITICAL	CVE-2025-5120	smolagents: sandbox escape enables unauthenticated RCE	smolagents	10.0
CRITICAL	CVE-2026-27494	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2026-0863	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-27577	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-27495	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-25115	n8n: Protection Bypass circumvents security controls	n8n	9.9
CRITICAL	CVE-2026-25049	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2026-1470	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2025-68668	n8n: Protection Bypass circumvents security controls	n8n	9.9
CRITICAL	CVE-2026-21877	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2026-33309	langflow: Path Traversal enables file access	langflow	9.9
CRITICAL	CVE-2026-25592	semantic-kernel: Path Traversal enables file access	semantic-kernel	9.9
CRITICAL	CVE-2026-27966	langflow: Code Injection enables RCE	langflow	9.8
CRITICAL	CVE-2024-42835	Langflow: Unauthenticated RCE via PythonCodeTool	langflow	9.8
CRITICAL	CVE-2026-2654	smolagents: SSRF allows internal network access	smolagents	9.8
CRITICAL	CVE-2026-41268	Flowise: unauthenticated RCE via NODE_OPTIONS env injection	flowise	9.8
CRITICAL	CVE-2024-48061	Langflow: RCE via unsandboxed code component execution	langflow	9.8
CRITICAL	CVE-2025-15036	MLflow: path traversal enables sandbox escape, file overwrite	mlflow	9.6
CRITICAL	CVE-2026-35216	Budibase: Unauthenticated RCE as root via webhook		9.1
CRITICAL	CVE-2025-15031	mlflow: Path Traversal enables file access	mlflow	9.1
CRITICAL	CVE-2026-44007	vm2: sandbox escape via nesting:true enables RCE	vm2	9.1
CRITICAL	CVE-2026-27493	n8n: Code Injection enables RCE	n8n	9.0
HIGH	CVE-2025-68613	n8n: security flaw enables exploitation	n8n	8.8
HIGH	CVE-2026-35044	BentoML: malicious bento archive RCE via Jinja2 SSTI	bentoml	8.8
HIGH	CVE-2026-34955	PraisonAI: sandbox escape via shell=True blocklist bypass	praisonai	8.8
HIGH	CVE-2026-40158	PraisonAI: AST sandbox bypass enables host RCE	PraisonAI	8.6
HIGH	CVE-2024-6982	lollms: RCE via eval() sandbox bypass in Calculate	lollms	8.4
HIGH	CVE-2026-2033	mlflow: Path Traversal enables file access	mlflow	8.1
HIGH	CVE-2024-8060	OpenWebUI: path traversal RCE via audio upload API	open-webui	8.1
HIGH	CVE-2026-27905	bentoml: security flaw enables exploitation	bentoml	7.8
HIGH	GHSA-hr5v-j9h9-xjhg	OpenClaw: sandbox escape via mediaUrl path traversal	openclaw	7.7
HIGH	GHSA-cvrr-qhgw-2mm6	Flowise: unauthenticated RCE via FILE-STORAGE bypass	flowise-components	7.7
HIGH	CVE-2025-14287	mlflow: Code Injection enables RCE	mlflow	7.5
MEDIUM	GHSA-gpx9-96j6-pp87	agentos-taskweaver: Protection Bypass circumvents security controls		6.5
MEDIUM	CVE-2026-4963	smolagents: code injection via incomplete sandbox fix	smolagents	6.3
MEDIUM	CVE-2025-12695	dspy: security flaw enables exploitation		5.9
MEDIUM	CVE-2025-8917	clearml: path traversal in safe_extract → RCE risk	clearml	5.8
MEDIUM	CVE-2025-61914	n8n: XSS enables session hijacking	n8n	5.4
MEDIUM	CVE-2025-68697	n8n: security flaw enables exploitation	n8n	5.4
MEDIUM	CVE-2025-3000	PyTorch: memory corruption in torch.jit.script compiler	pytorch	5.3
MEDIUM	CVE-2026-34452	Anthropic SDK: TOCTOU symlink escape in async memory tool	anthropic	—
UNKNOWN	CVE-2025-66479	Anthropic: Protection Bypass circumvents security controls		—
MEDIUM	GHSA-42mx-vp8m-j7qh	openclaw: sandbox escape via mirror mode hook execution	openclaw	—
HIGH	CVE-2026-0770	langflow: security flaw enables exploitation	langflow	—
HIGH	GHSA-7437-7hg8-frrw	OpenClaw: env var injection enables host RCE	openclaw	—
MEDIUM	GHSA-w9j9-w4cp-6wgr	openclaw: env var injection enables host exec hijacking	openclaw	—
UNKNOWN	CVE-2026-0771	langflow: Code Injection enables RCE	langflow	—
CRITICAL	GHSA-v38x-c887-992f	Flowise: prompt injection bypasses Python sandbox RCE	flowise-components	—
CRITICAL	GHSA-9wc7-mj3f-74xv	Flowise CSVAgent: RCE via Python code injection	flowise-components	—
UNKNOWN	CVE-2026-2275	CrewAI: RCE via Docker fallback in CodeInterpreter		—
MEDIUM	GHSA-5h3g-6xhh-rg6p	openclaw: TOCTOU race allows out-of-sandbox file read	openclaw	—
HIGH	GHSA-wppj-c6mr-83jj	openclaw: TOCTOU sandbox escape via symlink swap	openclaw	—
UNKNOWN	CVE-2026-42234	n8n: Python sandbox escape enables container RCE	n8n	—
UNKNOWN	CVE-2026-2287	CrewAI: Docker sandbox fallback enables RCE		—
HIGH	CVE-2026-39861	Claude Code: sandbox escape via symlink allows arbitrary write	@anthropic-ai/claude-code	—
UNKNOWN	CVE-2025-59532	OpenAI Codex CLI: sandbox escape via model-generated cwd		—