Last updated: July 5, 2026 at 9:01 AM UTC
Tag: sandbox-escape (6 articles)

Cursor flaws let a poisoned prompt escape the AI coding sandbox and run commands

Researchers at Cato AI Labs detailed two flaws, dubbed DuneSlide, in the AI code editor Cursor that let a prompt-injection attack break out of the sandbox Cursor uses to contain the commands its agent runs. The attacker never types anything: they plant instructions in content the agent reads on the user's behalf, such as a connected MCP service or a web page. One flaw abuses a working-directory setting to get an attacker-controlled path added to the allowed-write list, letting injected commands overwrite the sandbox helper itself and then run with no sandbox at all. Both are rated CVSS 9.8 and are fixed in Cursor 3.0; every earlier version is affected, so users should update.

Check
Confirm Cursor is updated to 3.0 or later on developer machines, and review whether your AI coding agents can be steered by content they read from MCP servers, web pages, or repositories.
Affected
Developers running Cursor versions before 3.0 (CVE-2026-50548 and CVE-2026-50549); a prompt injection hidden in content the agent reads can escape the command sandbox and run arbitrary commands on the machine.
Fix
Update Cursor to 3.0 or later, keep the agent's command sandbox enabled, and treat everything an AI coding agent reads, from MCP tools to web pages, as potentially hostile rather than trusted.

Chrome patches record 429 flaws, including a sandbox-escape RCE

Google shipped Chrome 149 with fixes for 429 security bugs, the most ever in a single Chrome release. More than 100 are rated critical or high. The worst, an out-of-bounds read and write in the ANGLE graphics engine that Chrome uses to render web pages, lets a booby-trapped website break out of the browser's protective sandbox and run code on the victim's computer; Google paid a $97,000 bounty for it. None are confirmed under attack yet, but a sandbox escape is the kind of bug attackers race to weaponize, so patching before that happens matters.

Check
Check the Chrome version on every managed endpoint (chrome://version or your MDM inventory) and confirm Chromium-based browsers like Edge and Brave are also updated.
Affected
Google Chrome before version 149 on Windows, macOS, and Linux. Worst flaw CVE-2026-10881 (CVSS 9.6), an ANGLE out-of-bounds read and write enabling sandbox escape.
Fix
Update Chrome to version 149 or later and relaunch to apply it. Push the update through enterprise policy and patch Edge, Brave, and other Chromium browsers.

OpenClaw 'Claw Chain': four sandbox-escape and priv-esc flaws on ~180K public AI agent instances (patched 2026.4.22)

Researchers at Cyera have disclosed a chain of four vulnerabilities in OpenClaw, an open-source autonomous AI agent platform that Nvidia and Tencent have built enterprise products on top of. The chain - CVE-2026-44112 (CVSS 9.6), CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118 - lets an attacker who can influence the agent's input (through a malicious plugin, prompt injection, or compromised tool output) break out of the OpenShell sandbox, read environment-stored API keys, elevate to owner-level privileges, and write persistent backdoors. Each step looks like normal agent behavior. Shodan and Zoomeye between them counted 65,000 to 180,000 public OpenClaw instances earlier in May. All flaws are fixed in OpenClaw 2026.4.22.

Check
Inventory OpenClaw, NemoClaw, and ClawPro deployments. Check installed version via --version or /api/version. Search agent logs for unexpected symlink creation or env-var reads inside heredocs.
Affected
All OpenClaw releases prior to version 2026.4.22 (April 23, 2026). Nvidia NemoClaw and Tencent ClawPro builds derived from older OpenClaw cores inherit the same flaws unless rebased.
Fix
Update to OpenClaw 2026.4.22 or later. Until then, scope the OpenShell sandbox to a read-only filesystem, strip secrets from the agent's environment, and route egress through a logging proxy.

vm2, the Node.js sandbox library used by 1.3 million projects to run untrusted code, just got hit with a dozen new bugs that let attackers escape the sandbox

vm2 maintainers disclosed a fresh batch of a dozen sandbox-escape vulnerabilities yesterday, including CVE-2026-43997, CVE-2026-44005, and CVE-2026-44006 - all CVSS 10.0. The library, which sees 1.3 million weekly downloads, is used by Node.js projects to run untrusted JavaScript inside a supposedly safe sandbox - online code runners, chatbots, automation tools, and SaaS platforms with user scripts. Each bug breaks the sandbox in a different way: prototype pollution, sandbox escape via inspect functions, allowlist bypass to reach child_process. vm2 was deprecated in 2023 over similar issues, then resurrected last October. With over 20 documented sandbox-escape bugs, the maintainer himself recommends Docker isolation instead.

Check
Search package.json and yarn.lock files across your codebase for vm2 dependencies. Check version - anything below 3.11.2 needs updating. Audit which features process attacker-controlled input through vm2.
Affected
vm2 versions 3.10.0 through 3.11.1. Patches landed in 3.11.0, 3.11.1, and 3.11.2. CVE-2026-43997, 44005, 44006 are CVSS 10.0. Acute risk: applications running user-supplied JavaScript through vm2 - chatbots, online code editors, automation platforms, and SaaS apps with custom-script features.
Fix
Upgrade vm2 to 3.11.2. For applications running attacker-controlled JavaScript, migrate off vm2 entirely - the maintainer recommends isolated-vm or Docker with logical separation. Don't rely on vm2 alone: combine with network isolation, filesystem restrictions, and ephemeral containers. Review CI/CD for transitive vm2 dependencies via 'npm ls vm2' - 885 packages directly depend on it.

Cohere's Terrarium AI code sandbox has a root-level escape with no patch coming (CVE-2026-5752, CVSS 9.3)

A critical sandbox-escape flaw in Cohere AI's open-source Terrarium project lets code running inside the sandbox break out and execute arbitrary commands as root on the host Node.js process. Terrarium is a Python sandbox built on Pyodide (a browser- and Node.js-compatible Python distribution running in WebAssembly) and deployed as a Docker container to safely run untrusted code submitted by users or generated by a large language model. That exact use case makes the blast radius real: any AI product using Terrarium to evaluate LLM-generated Python code is giving its models a direct path to root on the container and, from there, potentially on the host. The flaw (CVE-2026-5752, CVSS 9.3) stems from JavaScript prototype chain traversal in the Pyodide WebAssembly environment: sandboxed code can reach parent and global object prototypes to manipulate objects in the host, a technique SentinelOne describes as prototype pollution bypassing the intended security boundaries. Exploitation needs local access to the sandbox but no special privileges or user interaction. The project has been starred 312 times and forked 56 times. Because Cohere is no longer actively maintaining Terrarium, the flaw is unlikely to ever be patched. Security researcher Jeremy Brown reported the issue.

Check
Search your AI and data-engineering stack for any use of Cohere's Terrarium (direct or as a dependency or fork) and identify whether user-submitted or LLM-generated code is routed through it.
Affected
All versions of Cohere AI Terrarium and any fork that inherits the Pyodide prototype traversal issue. The project is unmaintained - no patched version will be published.
Fix
Stop accepting user- or LLM-submitted code into Terrarium sandboxes. CERT/CC advises disabling any feature that submits code to Terrarium, segmenting the network so a compromised container cannot reach other services, restricting container and orchestrator access to authorized personnel, and deploying a WAF to block exploitation patterns. The only durable fix is to migrate off Terrarium to a maintained sandbox (gVisor, Firecracker, or a commercially supported code-execution service) with per-request ephemeral VMs and strict egress controls.

Cohere's Terrarium AI sandbox breaks out to root on the host with no vendor patch in sight (CVE-2026-5752)

CERT Coordination Center disclosed CVE-2026-5752, a CVSS 9.3 sandbox escape in Cohere's open source Terrarium, a Python sandbox that runs on Pyodide (a WebAssembly Python distribution for Node.js) and is used to execute untrusted or LLM-generated code inside a Docker container. The flaw lets code running inside the Pyodide sandbox traverse the JavaScript prototype chain to reach the host Node.js Function constructor, compile arbitrary JavaScript in the host realm, and execute it as root inside the container. From that point attackers can read /etc/passwd and environment variables, reach other services on the container network, and attempt a further container escape. Critically, CERT/CC notes it was unable to coordinate a patch with Cohere, so no fix has shipped. Terrarium has 312 GitHub stars and 56 forks - a moderate audience, but anyone running it is a poster-child target for prompt-injection attacks that instruct the LLM to emit sandbox-breaking code. The underlying prototype-chain traversal pattern is the same technique seen in January's CVE-2026-22686 against the enclave-vm sandbox.

Check
If you run Terrarium anywhere in your stack (including behind an AI product that evaluates user-supplied Python) take it offline until you can wrap it in a second isolation layer or replace it with a hardened alternative.
Affected
All currently-available versions of Cohere Terrarium (github.com/cohere-ai/cohere-terrarium). The JavaScript prototype-chain traversal in Pyodide WebAssembly is exploitable by any code the sandbox accepts for execution - including code an LLM generates from a user prompt, which is the entire point of the product. CERT/CC confirmed there is no vendor patch as of the advisory.
Fix
Disable any feature that lets users (or an upstream LLM) submit arbitrary code to Terrarium. Wrap Terrarium deployments in a second isolation layer - gVisor or Firecracker microVMs for stronger kernel isolation, strict network egress policies, read-only root filesystems, and dropped Linux capabilities including CAP_SYS_ADMIN. Segment Terrarium containers so they cannot reach internal APIs, databases, or metadata services. Monitor for unexpected root-level process creation inside Terrarium containers and alert on any Node.js Function constructor invocation originating from sandbox code. For new AI-code-execution use cases, evaluate alternatives like the Deno-based approach with explicit permission flags or E2B's hardened cloud sandboxes.