CVE-2026-53676

An attacker who can log in as a tenant administrator (TENANT_ADMIN) can craft a rule-chain script that exploits the host-realm prototype chain exposed through the `args` argument. By accessing `args.constructor.constructor`, the script reaches the host `Function` constructor and executes arbitrary code (e.g., reading files, running shell commands, dumping environment variables) in the host process. The attack is carried out via the `/api/ruleChain/testScript` endpoint, which is protected by a `@PreAuthorize('TENANT_ADMIN')` guard but does not prevent a tenant admin from submitting the malicious payload. [ref_id=1]

The patch constructs the `args` array inside the sandbox context using `vm.runInContext('[]', sandbox)` and populates it with string primitives, ensuring the array's prototype chain belongs to the sandbox realm rather than the host realm. This prevents a script from traversing `args.constructor.constructor` to reach the host `Function` constructor. The non-sandbox path (`use_sandbox=false`) is left unchanged but is explicitly documented as dangerous-by-design, with a startup warning logged and a YAML comment added to the configuration file. [patch_id=6466795]