VM2: NodeVM Nesting Exploit <3.11.1 Allows Arbitrary OS Commands
CVE-2026-44007 Published on May 13, 2026

vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. This vulnerability is fixed in 3.11.1.

NVD

Vulnerability Analysis

CVE-2026-44007 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-44007. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-44007 has been classified to as an Authorization vulnerability or weakness.

Insufficient Isolation of System-Dependent Functions

The product or code does not isolate system-dependent functionality into separate standalone modules.


Products Associated with CVE-2026-44007

stack.watch emails you whenever new vulnerabilities are published in Red Hat Ansible Portal or Red Hat Rhdh. Just hit a watch button to start following.

Red Hat Ansible Portal
 
Red Hat Rhdh
 

Affected Versions

patriksimek vm2: Red Hat Self-service automation portal 2: Red Hat Developer Hub:

Exploit Probability

EPSS
0.78%
Percentile
50.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.