Overview
A critical-severity sandbox escape vulnerability (CVSS 9.3) has been disclosed in Lumiverse, a full-featured AI chat application. The flaw, tracked as CVE-2026-44451, affects all versions prior to 0.9.7 and exists in the platform's component override system — a feature that allows users to supply custom TSX components to customize the chat interface.
The vulnerability allows an attacker to escape the JavaScript execution sandbox and execute arbitrary code by exploiting weaknesses in how Lumiverse validates and evaluates user-supplied TSX.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE | CVE-2026-44451 |
| CVSS Score | 9.3 (Critical) |
| Type | Sandbox Escape / Arbitrary Code Execution |
| Attack Vector | User-supplied TSX component override |
| Authentication | Low — accessible to any user with component override permission |
| Affected Product | Lumiverse AI Chat |
| Fixed Version | 0.9.7 |
Technical Analysis
How the Component Override System Works
Lumiverse's component override system is designed to let users customize chat UI elements by supplying their own TSX (TypeScript JSX) component code. The platform processes this custom code through a two-phase pipeline:
- Transpilation — user-supplied TSX is compiled to JavaScript using Sucrase, a fast JavaScript transpiler
- Evaluation — the transpiled code is executed using JavaScript's `Function` constructor, a technique that creates a callable function from a string of code at runtime
To prevent malicious code from accessing dangerous browser APIs, Lumiverse shadows global objects by passing them as undefined within the dynamically constructed function scope:
```javascript
// Simplified illustration of the vulnerable sandboxing strategy
// Dangerous globals (fetch, window, eval, document...) are passed as
// undefined-valued parameters, shadowing the real globals within scope.
// This approach is insufficient against prototype-chain traversal.
SandboxedFn = DynamicFunction('fetch', 'window', 'eval', ..., transpiledCode);
SandboxedFn(undefined, undefined, undefined, ...);
```
This approach — shadowing dangerous globals with undefined — is a common but insufficient sandboxing strategy.
The Bypass
The static source validator (`validateComponentOverrideSource`) checked the raw TSX source for obvious dangerous patterns. However, several bypass techniques exist against this model:
- Prototype chain traversal: access the `Function` constructor via `({}).constructor.constructor` to obtain a reference to the real constructor, bypassing the shadow
- Indirect global access: retrieve the global object via `(0, eval)('this')` or through `import.meta` in module contexts
- Transpiler artifacts: Sucrase's output may introduce references to globals that bypass shadow checks applied only to the untranspiled source
Because the shadow only covers the explicitly listed globals in the dynamic function's parameter list, any global reachable through prototype chains or transpiler-introduced intermediaries remains accessible.
Impact
Successful exploitation allows:
- Arbitrary JavaScript execution in the browser context of the Lumiverse application
- Access to all browser APIs — including `fetch`, `XMLHttpRequest`, `localStorage`, and `sessionStorage`
- Exfiltration of session tokens, cookies, and stored credentials
- DOM manipulation to inject phishing elements or keyloggers into the chat interface
- Potential pivot to other browser-accessible resources depending on deployment context
In multi-tenant or shared Lumiverse deployments, this vulnerability could allow one user to attack other users sharing the same application instance.
Affected Versions
| Version | Status |
|---|---|
| < 0.9.7 | Vulnerable |
| 0.9.7+ | Fixed |
Remediation
Immediate Actions
- Upgrade to Lumiverse 0.9.7 or later — the fix addresses the sandbox escape by replacing the dynamic function evaluation approach with a more robust isolation mechanism
- Disable component overrides in deployments where the feature is not actively needed until the upgrade can be applied
- Review audit logs for unusual TSX component submissions, particularly those containing `constructor`, `prototype`, `globalThis`, or `import.meta`
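A triage script for the audit-log review above, added here as an example and not part of Lumiverse. It scans both the TSX as submitted and the JavaScript that was actually evaluated, since a transpile step can add or rewrite references; the helper names and the log entries are assumed and constructed.

```javascript
// Added example, not Lumiverse code: flag component-override submissions that
// contain the indicators named in the advisory. Raw TSX and the evaluated
// JavaScript are both scanned, because a check on the raw source alone can
// miss references a transpiler introduces (or keep ones it rewrites away).
const INDICATORS = ['constructor', 'prototype', 'globalThis', 'import.meta'];

// Escape a token for use in a RegExp so the "." in import.meta stays literal.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Return the indicators present in one piece of source. Matches are bounded by
// identifier characters, so "prototypes" or "myconstructor" do not count.
function scanComponentSource(source) {
  return INDICATORS.filter((token) =>
    new RegExp('(?<![\\w$])' + escapeRegExp(token) + '(?![\\w$])').test(source));
}

// Review a batch of audit-log entries and keep only those worth a closer look.
// Each entry carries the TSX as submitted and the JavaScript that was run.
function reviewSubmissions(entries) {
  return entries
    .map((e) => ({
      id: e.id,
      user: e.user,
      rawHits: scanComponentSource(e.rawTsx),
      transpiledHits: scanComponentSource(e.transpiledJs),
    }))
    .filter((r) => r.rawHits.length > 0 || r.transpiledHits.length > 0);
}

// Constructed sample entries (not real logs and not real Sucrase output).
const SAMPLE_ENTRIES = [
  { id: 1, user: 'alice',
    rawTsx: 'export const Badge = (p) => <span>{p.text}</span>;',
    transpiledJs: 'exports.Badge = (p) => React.createElement("span", null, p.text);' },
  { id: 2, user: 'mallory',
    rawTsx: 'export const Probe = () => { const g = globalThis; return <i>{typeof g.fetch}</i>; };',
    transpiledJs: 'exports.Probe = () => { const g = globalThis; return React.createElement("i", null, typeof g.fetch); };' },
  // Clean source, but the evaluated JavaScript gained a helper that touches
  // Object.prototype: the "transpiler artifact" case, and a reminder that an
  // indicator hit is a triage signal for a human, not a verdict on its own.
  { id: 3, user: 'bob',
    rawTsx: 'export const Row = (p) => <tr>{p.cells}</tr>;',
    transpiledJs: 'const has = Object.prototype.hasOwnProperty; exports.Row = (p) => React.createElement("tr", null, p.cells);' },
];

console.log(JSON.stringify(reviewSubmissions(SAMPLE_ENTRIES), null, 2));
```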
Secure-by-Design Guidance
The dynamic function evaluation + global shadowing pattern is not a secure sandbox. Organizations building AI applications with user-supplied code execution should evaluate:
- iframe-based sandboxing with `sandbox` attribute restrictions
- Web Workers for isolated execution contexts
- Server-side evaluation in a containerized environment
- Purpose-built sandboxing libraries such as isolated-vm
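The first option above, iframe isolation, sketched as an added example that is not Lumiverse code: the untrusted component runs in a frame with `allow-scripts` but without `allow-same-origin`, so the boundary is the browser's origin model rather than shadowed globals; `buildSandboxSrcdoc`, `isSandboxMessage` and `mountSandbox` are assumed helper names.

```javascript
// Added example (not Lumiverse code): run untrusted component code inside a
// sandboxed iframe instead of a Function()-based "sandbox" with shadowed globals.
// Inside the frame the code may use Function, window, fetch and so on freely;
// it simply has no path to the host origin's cookies, storage or DOM.

// Serialize the code so it cannot terminate the <script> element: JSON
// escaping plus rewriting "<" keeps a literal "</script>" out of the document.
function buildSandboxSrcdoc(transpiledCode) {
  const payload = JSON.stringify(transpiledCode).replace(/</g, '\\u003c');
  return [
    '<!doctype html><html><body><div id="root"></div><script>',
    '  const code = ' + payload + ';',
    '  try { new Function("root", code)(document.getElementById("root")); }',
    '  catch (e) { parent.postMessage({ type: "error", message: String(e) }, "*"); }',
    '</script></body></html>',
  ].join('\n');
}

// Accept only messages from the frame we created. A sandboxed frame without
// allow-same-origin has an opaque origin, reported as the string "null".
function isSandboxMessage(event, frameWindow) {
  return event.origin === 'null'
    && event.source === frameWindow
    && typeof event.data === 'object' && event.data !== null
    && typeof event.data.type === 'string';
}

// Browser-only wiring (assumed host API, not Lumiverse's): allow-scripts lets the
// component run; omitting allow-same-origin keeps it out of the host origin.
function mountSandbox(container, transpiledCode, onMessage) {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts');
  frame.srcdoc = buildSandboxSrcdoc(transpiledCode);
  window.addEventListener('message', (event) => {
    if (isSandboxMessage(event, frame.contentWindow)) onMessage(event.data);
  });
  container.appendChild(frame);
  return frame;
}
```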
Key Takeaways
- CVSS 9.3 Critical — this is a high-priority patch for any Lumiverse deployment that enables component overrides
- Sucrase transpilation alone does not add security — it transforms syntax, not execution context
- Dynamic function evaluation + global shadowing is not a sandbox — prototype chains and transpiler artifacts create reliable bypasses
- The pattern used here is common in AI application platforms that allow user-customizable UI components