CVE-2026-46695 CRITICAL

CVE-2026-46695: BoxLite: Permission Bypass in boxlite Allows Modification of Read-Only Files

Vendor Boxlite-Ai

Product boxlite

Weakness CWE-284

Published June 10, 2026

Last update June 11, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0.

Key dates

02Disclosure timeline

June 10, 2026 CVE published

June 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-46695

Related vulnerabilities

CVE-2026-46695: BoxLite: Permission Bypass in boxlite Allows Modification of Read-Only Files

01Description

02Disclosure timeline

03References

04Related CVE