Before you open this issue
Behavioral fingerprint
A code-execution tool/sandbox intended to confine agent-generated or agent-invoked code fails to enforce its isolation boundary — a crafted payload (e.g. via JavaScript prototype-chain traversal) breaks out of the intended sandbox to achieve code execution with host-level (including root) privileges, regardless of whether the code that triggered it was itself malicious or a legitimately-authorized snippet.
Why this is a new class, not a variant
Checked against AVE-2026-00042 (Prompt Injection - REPL Code Mode Payload Injection): that record is about how malicious code gets into the agent's generated code — data breaking out of a string/data context into code context via poisoned tool results.
This candidate is about what happens after code is already executing inside an intended sandbox: a flaw in the sandbox's own containment, exploitable even by code the agent was authorized to run. Different point in the kill chain (content-to-code injection vs. code-to-host escape), different defense (input/context separation vs. isolation hardening — microVM/gVisor-class boundaries vs. shared-kernel containers). Folding this into 00042 would lose the distinction that this vulnerability exists independent of how the code arrived — it's a property of the execution tool itself, not of any injection technique.
Primary source
NVD CVE-2026-5752 — Cohere Terrarium v1.0.1, sandbox escape via JavaScript prototype-chain traversal, CVSS 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Reported by CERT/CC 2026-04-14, last modified 2026-06-17. Verified directly against NVD.
Note: an earlier, weaker candidate for this class (an "AI escaped its sandbox" anecdote) was researched and dropped during the benchmark pass — its only source was a low-credibility content-mill site with no primary disclosure behind it, which does not meet this project's sourcing bar. This issue relies solely on the independently NVD-confirmed, CERT/CC-reported CVE-2026-5752.
Proposed record skeleton
attack_class: Execution Hijack - Code Execution Sandbox Escape (naming open to discussion —
matches the "Execution Hijack" category already used by AVE-2026-00046 Tool
Hook Interception, since both describe a component breaking an intended
execution/trust boundary)
severity: CRITICAL (est., CVE-2026-5752 CVSS 9.3)
owasp_mcp: [MCP05, MCP07] (MCP05 = Command Injection and Execution, terminal effect is
arbitrary host execution; MCP07 = Insufficient Authentication and
Authorization, secondary, since the sandbox boundary is itself a
trust/authorization boundary being broken)
owasp_asi: (none proposed — TBD during implementation)
mitre_atlas: none — classic sandbox-isolation flaw, outside ATLAS's ML-adversarial-
technique scope
detection_layer: runtime (the escape only manifests during actual code execution in the
sandbox; not detectable by static scan of skill/prompt content, since the
exploit lives in the execution tool's own isolation implementation)
detection_stage: runtime_observed
evidence_basis_engines: [sandbox, llm]
Real-world evidence
CVE-2026-5752, CVSS 9.3, CERT/CC-reported, NVD-confirmed. Pushes THM toward 1.0 in AIVSS scoring.
Indicators of compromise
- Executed code contains prototype-chain manipulation patterns (e.g.
__proto__, constructor.constructor) targeting the host JavaScript/Python runtime rather than objects within the sandboxed execution context
- Sandbox/code-execution process observed accessing host-level resources (filesystem paths, network interfaces, process list, environment variables) outside its declared execution boundary
- Code-execution tool process running with root or unrestricted host privileges rather than a scoped service account or dedicated microVM/container identity
Researcher
Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)
Before you open this issue
records/directoryBehavioral fingerprint
A code-execution tool/sandbox intended to confine agent-generated or agent-invoked code fails to enforce its isolation boundary — a crafted payload (e.g. via JavaScript prototype-chain traversal) breaks out of the intended sandbox to achieve code execution with host-level (including root) privileges, regardless of whether the code that triggered it was itself malicious or a legitimately-authorized snippet.
Why this is a new class, not a variant
Checked against AVE-2026-00042 (Prompt Injection - REPL Code Mode Payload Injection): that record is about how malicious code gets into the agent's generated code — data breaking out of a string/data context into code context via poisoned tool results.
This candidate is about what happens after code is already executing inside an intended sandbox: a flaw in the sandbox's own containment, exploitable even by code the agent was authorized to run. Different point in the kill chain (content-to-code injection vs. code-to-host escape), different defense (input/context separation vs. isolation hardening — microVM/gVisor-class boundaries vs. shared-kernel containers). Folding this into 00042 would lose the distinction that this vulnerability exists independent of how the code arrived — it's a property of the execution tool itself, not of any injection technique.
Primary source
NVD CVE-2026-5752 — Cohere Terrarium v1.0.1, sandbox escape via JavaScript prototype-chain traversal, CVSS 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Reported by CERT/CC 2026-04-14, last modified 2026-06-17. Verified directly against NVD.
Note: an earlier, weaker candidate for this class (an "AI escaped its sandbox" anecdote) was researched and dropped during the benchmark pass — its only source was a low-credibility content-mill site with no primary disclosure behind it, which does not meet this project's sourcing bar. This issue relies solely on the independently NVD-confirmed, CERT/CC-reported CVE-2026-5752.
Proposed record skeleton
Real-world evidence
CVE-2026-5752, CVSS 9.3, CERT/CC-reported, NVD-confirmed. Pushes THM toward 1.0 in AIVSS scoring.
Indicators of compromise
__proto__,constructor.constructor) targeting the host JavaScript/Python runtime rather than objects within the sandboxed execution contextResearcher
Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)