CVE-2026-46703: BoxLite: Path Traversal Vulnerability in boxlite Leads to Arbitrary File Write on the Host
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.
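To make the failure mode above concrete, here is an added example (not BoxLite's or HarborGuard's code; the page does not show BoxLite's extraction logic) that audits a layer tarball before it is unpacked. It assumes a host-side extractor that follows symlinks it has already created, and flags only entries whose path runs through a symlink that leaves the extraction root, since absolute symlinks on their own are common in legitimate images. The names `escapes`, `audit_layer` and `build_sample`, and the sample layer, are constructed for illustration.

```python
import io
import posixpath
import tarfile


def escapes(link_name, target):
    """True if following this symlink on the host would leave the extraction root."""
    if target.startswith("/"):
        return True  # absolute target: resolved against the host root, not the rootfs
    joined = posixpath.normpath(posixpath.join(posixpath.dirname(link_name), target))
    return joined == ".." or joined.startswith("../")


def audit_layer(fileobj):
    """Return (entry, reason) for entries whose path runs through an escaping symlink."""
    findings, bad_links = [], {}  # bad_links: normalized link path -> link target
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name.lstrip("/"))
            parts = name.split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                if prefix in bad_links:
                    findings.append((m.name, f"via symlink {prefix} -> {bad_links[prefix]}"))
                    break
            if m.issym() and escapes(name, m.linkname):
                bad_links[name] = m.linkname  # recorded after the check above
    return findings


def build_sample():
    """Constructed sample layer, built in memory; nothing is extracted to disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link, data in [
            ("app/readme.txt", None, b"ok"),
            ("lib", "usr/lib", b""),  # relative link, stays inside the rootfs
            ("app/out", "/placeholder-host-dir", b""),  # absolute link target
            ("app/out/marker.txt", None, b"x"),  # entry routed through that link
        ]:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, reason in audit_layer(build_sample()):
        print(entry, reason)
```

A check like this complements, but does not replace, an extractor that resolves every path relative to the extraction root and refuses to follow symlinks when opening files for writing.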
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in BoxLite, the sandbox service for running OCI containers inside lightweight virtual machines, allows an unauthenticated attacker to write arbitrary files to the host filesystem. The attack is delivered over the network and requires a user to load a malicious OCI image, which the attacker can distribute through public registries like DockerHub. Successful exploitation enables arbitrary file writes on the host, which leads directly to remote code execution outside the sandbox boundary. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-46703 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle or extend boxlite.
Available
Triage is available using the CVSS v3.1 base score of 9.6 (Critical), weighted further against each customer organization's per-environment compliance policies. Findings are routed to the appropriate team inbox within each customer org based on configured ownership and severity thresholds.
Available
Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 0.9.0 or a later fix is released upstream. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker delivers the malicious OCI image over the network: either the victim's BoxLite host must be reachable, or the attacker publishes the image to a publicly accessible registry the victim pulls from.
- Authentication: Not required
No authentication or account privileges are needed on the target host; the attacker only needs to publish a malicious image to a registry the victim pulls from.
- Victim interaction: Required
A user must be tricked into pulling and loading the attacker-crafted OCI image, making social engineering or malicious image distribution the delivery mechanism.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and places no special environmental conditions or race-condition requirements on the attacker.
Blast Radius
- Writes arbitrary file content to any path on the host filesystem, bypassing the sandbox boundary entirely.
- Overwrites sensitive host files (such as cron jobs, SSH authorized keys, or init scripts) to achieve persistent remote code execution on the host.
- Modifies container runtime configuration or shared library files to affect other containers or processes running on the same host.
- Compromises confidentiality and integrity of all data on the host, and can crash or destabilize host services by overwriting critical system files.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46703 is active across connected registries and pipelines, flagging any image that includes boxlite below version 0.9.0 as Critical. Because no upstream patch exists at this time, HarborGuard re-evaluates the advisory on every ingest cycle. As compensating controls while awaiting a fix, customers can apply network-policy isolation to restrict which registries BoxLite hosts are permitted to pull images from, enforce image signing and allowlist policies to block unsigned or unrecognized OCI images, and use egress filtering to limit outbound traffic from sandbox hosts. The moment an upstream fix is published, a patched-image rebuild will become available; for customers who opt into auto-remediation, that rebuild will be followed by an automated regression run and a PR opened against affected workloads.
- boxlite-ai / boxlite < 0.9.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H