AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-g6ww-w5j2-r7x3: BoxLite: Permission Bypass Allows Modification of Read-Only Files

criticalvulnerability

security

Source: GitHub Advisory DatabaseMay 21, 2026CVE-2026-46695

Summary

BoxLite is a sandbox service that runs untrusted code in lightweight virtual machines (VMs, which are isolated computing environments). It claims to protect host files by mounting directories in read-only mode (preventing writes), but the vulnerability bypasses this: BoxLite tells the underlying VM system (libkrun) to mount directories without actually enforcing read-only restrictions, and it doesn't limit container capabilities (special permissions), so malicious code can remount directories as read-write and modify files that should be protected.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

May 21, 2026

Classification

Attack Type

Supply Chain

Attack SophisticationModerate

Impact (CIA+S)

integrityconfidentiality

Affected Vendors

Affected Packages

boxlite-cli@< 0.9.0 (fixed: 0.9.0)boxlite@< 0.9.0 (fixed: 0.9.0)github.com/boxlite-ai/boxlite/sdks/go@< 0.9.0 (fixed: 0.9.0)@boxlite-ai/boxlite@< 0.9.0 (fixed: 0.9.0)boxlite@< 0.9.0 (fixed: 0.9.0)

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Similar attackNVD/CVE Database

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Similar attack

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-g6ww-w5j2-r7x3

First tracked: May 21, 2026 at 08:00 PM

Classified by LLM (prompt v3) · confidence: 92%